
Malware Detection Based On System Calls

Posted on: 2017-04-21    Degree: Master    Type: Thesis
Country: China    Candidate: K Y Shan    Full Text: PDF
GTID: 2308330485957994    Subject: Computer technology
Abstract/Summary:
With the continuous development of the mobile Internet, mobile terminals have gradually become an indispensable part of people's lives. Android, which is based on the Linux kernel, has become the mainstream operating system of mobile terminals, and with it has come an endless stream of malware. Owing to the popularity of this operating system, more and more malware targets Android. Malware can not only eavesdrop on the user's calls, steal the user's information and push advertisements or fraudulent information, but also place payment orders without permission. The existence of malware not merely damages the vital interests of users but also affects the healthy development of the Android market. Therefore, how to detect malware accurately and efficiently has become the primary task of Android terminal protection. Through a study of the traditional Android malware detection methods, this thesis proposes a method of malware detection based on system calls. The method, combining string kernels with an SVM, can distinguish benign applications from malware. The experimental results show that the proposed method can effectively detect malware; by comparison, string kernels give better detection results than the classical kernels.

The work mainly includes the following aspects:

(1) Using string kernels. In a system call sequence, every system call tends to stand in a successive relationship with its neighbours. The RBF kernel and the polynomial kernel are defined on a Euclidean space, whereas string kernels, which are better at capturing structural information, are defined on a collection of strings. Thus, this thesis introduces three kinds of string kernels, combined with an SVM, to classify the system call sequences. Different ways of computing the kernel value lead to different SVM classifications. The gap-weighted kernel penalizes longer sequences. In the length-weighted once kernel, by contrast, every sequence is counted only once regardless of whether it occurs once or many times in a string, so longer sequences contribute more to the kernel value. The Markov kernel, a probability-based string kernel, takes the dependence between characters into account. The experimental results show that string kernels can efficiently process sequences that carry structural information.

(2) Constructing the library of system call sequences. We collected 4000 normal applications and 1000 malware samples and wrote a program to automatically collect the system calls of every application in order to build the library.

(3) Screening the system calls. Discarding the common and uncharacteristic system calls yields streamlined and effective sequences. The experimental results show that testing with the screened sequences has little effect on the detection rate and false rate, but reduces the computation time and improves the overall performance of the experiments.
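The following Python example is added here to make the pipeline concrete; it is not code from the thesis and does not use its 5000-application library. It implements the screening step (dropping calls present in almost every trace), the gap-weighted subsequence kernel of Lodhi et al. (the standard dynamic-programming formulation, with subsequence length n and decay lambda, normalised so that K(s,s) = 1), and a kernel perceptron that stands in for the SVM so the block has no third-party dependency. The call traces, the labels, the screening threshold of 0.8 and the kernel parameters n = 2, lambda = 0.5 are all constructed for the illustration; the length-weighted once kernel and the Markov kernel are not implemented.

```python
import math
from collections import Counter

# Constructed sample traces (not from the thesis's library). Each trace is a
# short system-call sequence; label -1 = benign, +1 = malicious.
BENIGN = [
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
    ["stat", "open", "read", "close"],
    ["open", "write", "close", "munmap"],
]
MALICIOUS = [
    ["open", "read", "socket", "connect", "sendto", "close"],
    ["socket", "connect", "sendto", "recvfrom", "close"],
    ["open", "read", "sendto", "recvfrom", "close"],
    ["socket", "sendto", "sendto", "close"],
]


def common_calls(sequences, max_fraction=0.8):
    """Screening step: calls that occur in more than max_fraction of all traces
    carry no class information and are dropped (threshold is an assumption)."""
    present = Counter()
    for seq in sequences:
        present.update(set(seq))
    return {c for c, k in present.items() if k / len(sequences) > max_fraction}


def screen(seq, dropped):
    """Remove the screened-out calls from one trace, keeping the order."""
    return [c for c in seq if c not in dropped]


def gap_weighted_kernel(s, t, n, lam):
    """Gap-weighted subsequence kernel K_n(s, t) over token sequences: every
    common subsequence of length n counts lam**(span in s + span in t), so
    subsequences spread over long gaps are penalised.  O(n*|s|*|t|)."""
    ls, lt = len(s), len(t)
    # kp[i][a][b] = K'_i(s[:a], t[:b]); K'_0 is 1 everywhere.
    kp = [[[0.0] * (lt + 1) for _ in range(ls + 1)] for _ in range(n)]
    for a in range(ls + 1):
        for b in range(lt + 1):
            kp[0][a][b] = 1.0
    for i in range(1, n):
        for a in range(1, ls + 1):
            kpp = 0.0  # running K''_i(s[:a], t[:b]) along b
            for b in range(1, lt + 1):
                if s[a - 1] == t[b - 1]:
                    kpp = lam * (kpp + lam * kp[i - 1][a - 1][b - 1])
                else:
                    kpp = lam * kpp
                kp[i][a][b] = lam * kp[i][a - 1][b] + kpp
    # K_n(s, t) = sum over matching final tokens of lam^2 * K'_{n-1} of the prefixes.
    total = 0.0
    for a in range(1, ls + 1):
        for b in range(1, lt + 1):
            if s[a - 1] == t[b - 1]:
                total += lam * lam * kp[n - 1][a - 1][b - 1]
    return total


def normalized_kernel(s, t, n=2, lam=0.5):
    """Cosine-style normalisation so trace length does not dominate the score."""
    kst = gap_weighted_kernel(s, t, n, lam)
    if kst == 0.0:
        return 0.0
    return kst / math.sqrt(gap_weighted_kernel(s, s, n, lam)
                           * gap_weighted_kernel(t, t, n, lam))


def train_kernel_perceptron(train, labels, max_epochs=200):
    """Dual (kernel) perceptron on the precomputed Gram matrix; returns the dual
    weights alpha and whether an epoch with zero mistakes was reached."""
    gram = [[normalized_kernel(a, b) for b in train] for a in train]
    alpha = [0] * len(train)
    for _ in range(max_epochs):
        mistakes = 0
        for i in range(len(train)):
            score = sum(alpha[j] * labels[j] * gram[j][i] for j in range(len(train)))
            if labels[i] * score <= 0:
                alpha[i] += 1
                mistakes += 1
        if mistakes == 0:
            return alpha, True
    return alpha, False


def predict(alpha, train, labels, seq):
    """Sign of the kernel expansion: +1 = malicious, -1 = benign."""
    score = 0.0
    for a, x, y in zip(alpha, train, labels):
        if a:
            score += a * y * normalized_kernel(x, seq)
    return 1 if score > 0 else -1


def run_demo():
    raw = BENIGN + MALICIOUS
    labels = [-1] * len(BENIGN) + [1] * len(MALICIOUS)
    dropped = common_calls(raw)                    # "close" is in every trace
    train = [screen(s, dropped) for s in raw]
    alpha, converged = train_kernel_perceptron(train, labels)
    train_acc = sum(predict(alpha, train, labels, s) == y
                    for s, y in zip(train, labels)) / len(train)
    held_out = screen(["socket", "connect", "sendto", "sendto", "close"], dropped)
    return {"dropped": dropped, "converged": converged,
            "train_accuracy": train_acc,
            "held_out": predict(alpha, train, labels, held_out)}


if __name__ == "__main__":
    print(run_demo())
```

The kernel works on token sequences rather than characters, so "sendto" and "socket" are single symbols and a gap of one call costs one factor of lambda; in a real deployment the same screening set computed on the training library must be applied to every trace at test time, otherwise train and test features disagree.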
Keywords/Search Tags: Android operating system, malware detection, system calls, string kernels, SVM