A System Call Analysis Method with MapReduce for Malware Detection
System calls have long been used to profile a program as a malware. As previous system call based malware detection approaches are often process-oriented, which determines a process as a malware only by its invoking system calls, they often miss the module-based malware such as DLL-based malware and...
Saved in:
| Published in | 2011 IEEE 17th International Conference on Parallel and Distributed Systems pp. 631 - 637 |
|---|---|
| Main Authors | , , |
| Format | Conference Proceeding |
| Language | English |
| Published |
IEEE
01.12.2011
|
| Subjects | |
| Online Access | Get full text |
| ISBN | 1457718758 9781457718755 |
| ISSN | 1521-9097 |
| DOI | 10.1109/ICPADS.2011.17 |
Cover
| Abstract | System calls have long been used to profile a program as a malware. As previous system call based malware detection approaches are often process-oriented, which determines a process as a malware only by its invoking system calls, they often miss the module-based malware such as DLL-based malware and the co-working malware that splits itself into several programs and co-works to complete their functions. To deal with this problem, the system calls should be collected and analyzed as richly as before. However, analyzing rich system calls will cause a significant performance impact on the clients. Fortunately, with the evolution of distributable computing techniques such as MapReduce, we can overcome this tradeoff by analyzing the system calls for malware detection on the servers and then reduce the performance impact on the clients. In this paper, we revise the previous malware persistent model to cover the module-based and co-working malware. We also propose a MapReduce-based system call analysis method to realize the new model. This method is implemented on a Hadoop platform and uses 50 read-world malware for effective and efficient tests. The experimental results show that the detection rate can improve by 28% and performance can improve by more than 30% in comparison to previous research. |
|---|---|
| AbstractList | System calls have long been used to profile a program as a malware. As previous system call based malware detection approaches are often process-oriented, which determines a process as a malware only by its invoking system calls, they often miss the module-based malware such as DLL-based malware and the co-working malware that splits itself into several programs and co-works to complete their functions. To deal with this problem, the system calls should be collected and analyzed as richly as before. However, analyzing rich system calls will cause a significant performance impact on the clients. Fortunately, with the evolution of distributable computing techniques such as MapReduce, we can overcome this tradeoff by analyzing the system calls for malware detection on the servers and then reduce the performance impact on the clients. In this paper, we revise the previous malware persistent model to cover the module-based and co-working malware. We also propose a MapReduce-based system call analysis method to realize the new model. This method is implemented on a Hadoop platform and uses 50 read-world malware for effective and efficient tests. The experimental results show that the detection rate can improve by 28% and performance can improve by more than 30% in comparison to previous research. |
| Author | Yi-Ming Chen Shun-Te Liu Hui-ching Huang |
| Author_xml | – sequence: 1 surname: Shun-Te Liu fullname: Shun-Te Liu email: rogerliu@cht.com.tw organization: Inf. & Commun. Security Lab., Chunghwa Telecom Co., Ltd., Taoyuan, Taiwan – sequence: 2 surname: Hui-ching Huang fullname: Hui-ching Huang email: hushpuppy@cht.com.tw organization: Inf. & Commun. Security Lab., Chunghwa Telecom Co., Ltd., Taoyuan, Taiwan – sequence: 3 surname: Yi-Ming Chen fullname: Yi-Ming Chen email: cym@cc.ncu.edu.tw organization: Dept. of Inf. Manage., Nat. Central Univ., Chungli, Taiwan |
| BookMark | eNotjstOwzAURI0oEk3plg0b_0CKrx-xvQxpgUqtQBTWleNeq0ZpUiVBVf6eSLCZObM5moRM6qZGQu6BLQCYfVwX7_lyt-AMYAH6isytNkxnVkk15jVJYAQNRiszIVNQHFLLrL4lSdd9M8aZUGxKnnK6G7oeT7RwVUXz2lVDFzu6xf7YHOgl9ke6decPPPx4pKFpx1VdXIt0iT36Pjb1HbkJrupw_t8z8vW8-ixe083by7rIN2kErfrU4ngBtNRBssxqDtx7zkUAzW0ojffWKM8tV96XGQajmCiZwFIGKUwohZiRhz9vRMT9uY0n1w77DDgIIcUvfgFMNQ |
| ContentType | Conference Proceeding |
| DBID | 6IE 6IL CBEJK RIE RIL |
| DOI | 10.1109/ICPADS.2011.17 |
| DatabaseName | IEEE Electronic Library (IEL) Conference Proceedings IEEE Proceedings Order Plan All Online (POP All Online) 1998-present by volume IEEE Xplore All Conference Proceedings IEEE/IET Electronic Library (IEL) (UW System Shared) IEEE Proceedings Order Plans (POP All) 1998-Present |
| DatabaseTitleList | |
| Database_xml | – sequence: 1 dbid: RIE name: IEEE Electronic Library (IEL) url: https://proxy.k.utb.cz/login?url=https://ieeexplore.ieee.org/ sourceTypes: Publisher |
| DeliveryMethod | fulltext_linktorsrc |
| Discipline | Computer Science |
| EISBN | 9780769545769 0769545769 |
| EndPage | 637 |
| ExternalDocumentID | 6121334 |
| Genre | orig-research |
| GroupedDBID | 23M 29O 6IE 6IF 6IH 6IK 6IL 6IM 6IN AAJGR AAWTH ABLEC ADZIZ ALMA_UNASSIGNED_HOLDINGS BEFXN BFFAM BGNUA BKEBE BPEOZ CBEJK CHZPO IEGSK IPLJI OCL RIE RIL RNS |
| ID | FETCH-LOGICAL-i175t-9e5211747f40697212cc223f1729fb8cc985c2925ccb6ef8503b03eb4f438fb33 |
| IEDL.DBID | RIE |
| ISBN | 1457718758 9781457718755 |
| ISSN | 1521-9097 |
| IngestDate | Wed Aug 27 03:46:16 EDT 2025 |
| IsPeerReviewed | false |
| IsScholarly | true |
| Language | English |
| LinkModel | DirectLink |
| MergedId | FETCHMERGED-LOGICAL-i175t-9e5211747f40697212cc223f1729fb8cc985c2925ccb6ef8503b03eb4f438fb33 |
| PageCount | 7 |
| ParticipantIDs | ieee_primary_6121334 |
| PublicationCentury | 2000 |
| PublicationDate | 2011-Dec. |
| PublicationDateYYYYMMDD | 2011-12-01 |
| PublicationDate_xml | – month: 12 year: 2011 text: 2011-Dec. |
| PublicationDecade | 2010 |
| PublicationTitle | 2011 IEEE 17th International Conference on Parallel and Distributed Systems |
| PublicationTitleAbbrev | icpads |
| PublicationYear | 2011 |
| Publisher | IEEE |
| Publisher_xml | – name: IEEE |
| SSID | ssj0020350 ssib026767514 ssj0000669466 |
| Score | 1.9276085 |
| Snippet | System calls have long been used to profile a program as a malware. As previous system call based malware detection approaches are often process-oriented,... |
| SourceID | ieee |
| SourceType | Publisher |
| StartPage | 631 |
| SubjectTerms | behavior-based Computers malware detection mapreduce Monitoring Servers Software Sparse matrices Spyware system calls |
| Title | A System Call Analysis Method with MapReduce for Malware Detection |
| URI | https://ieeexplore.ieee.org/document/6121334 |
| hasFullText | 1 |
| inHoldings | 1 |
| isFullTextHit | |
| isPrint | |
| link | http://utb.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwjZ3PT8IwFMcb4MQJFYy_04NHB2Nbt_aIoEGTGaKScCNt95oYySBkxMS_3tduw2g8eFt32rru9fv63vs8Qq4BuJSQoZPDGPciHYMnheKeFr7kuOMx39iIbvoUT-fR44ItGuRmXwsDAC75DPr20sXys7Xe2aOygaVdhWHUJM0kEWWtVr12AgceqyKCpRWOLTp973zZCJpjp7qUBIsDbA8jlqBpRsVcs5-qMavojkNfDB7Gs9HkpWR9Dn_2YHFb0H2HpPXDl5kn7_1dofr68xfX8b9vd0B638V-dLbfxg5JA_Ij0qm7PdDq5--S2xEt8eZ0LFcrWtNMaOp6UFN7oEtTuXm2LFigqIVxtPqQW6ATKFzCV94j8_u71_HUqzoweG8oKwpPAE4X-iyJsQWy6CwGWqOeMKh6hFFca8GZDkTAtFYxGPyyofJDUJGJQm5UGB6TVr7O4YRQFqNlyDIhVWJjdYpHgUTxIJMEPSATm1PStVOy3JSQjWU1G2d_3z4nbXe46_JKLkir2O7gEtVBoa7csvgCJLKu1w |
| linkProvider | IEEE |
| linkToHtml | http://utb.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwjZ3PT8IwFMcbxIOcUMH42x48Ohjbuh9HBA0oI0Qh4Uba7jUxkkHIiIl_va_dhtF48LbutHXd6_f1vfd5hNwChJxDgk4OY6HlSR8sHonQkpHNQ9zxmK10RDce-4OZ9zRn8wq529XCAIBJPoOWvjSx_GQlt_qorK1pV67r7ZF9hl5FkFdrlavHMeixIiaY22Ffw9N37peOoRl6qklK0EDAWsdjARpn1Mwl_akYs4Lv2LGj9rA36fZfc9pn52cXFrMJPdZJXD5-nnvy3tpmoiU_f5Ed__t-h6T5Xe5HJ7uN7IhUID0m9bLfAy1-_wa579IccE57fLmkJc-ExqYLNdVHujTm6xdNgwWKahhHyw--AdqHzKR8pU0ye3yY9gZW0YPBekNhkVkR4HSh1xIoXSKL7qIjJSoKhbonUiKUMgqZdCKHSSl8UPhtXWG7IDzluaESrntCqukqhVNCmY-2IUkiLgIdrROh53CUDzwI0AdSvjojDT0li3WO2VgUs3H-9-0bcjCYxqPFaDh-viA1c9RrskwuSTXbbOEKtUImrs0S-QKRPrIo |
| openUrl | ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=proceeding&rft.title=2011+IEEE+17th+International+Conference+on+Parallel+and+Distributed+Systems&rft.atitle=A+System+Call+Analysis+Method+with+MapReduce+for+Malware+Detection&rft.au=Shun-Te+Liu&rft.au=Hui-ching+Huang&rft.au=Yi-Ming+Chen&rft.date=2011-12-01&rft.pub=IEEE&rft.isbn=9781457718755&rft.issn=1521-9097&rft.spage=631&rft.epage=637&rft_id=info:doi/10.1109%2FICPADS.2011.17&rft.externalDocID=6121334 |
| thumbnail_l | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/lc.gif&issn=1521-9097&client=summon |
| thumbnail_m | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/mc.gif&issn=1521-9097&client=summon |
| thumbnail_s | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/sc.gif&issn=1521-9097&client=summon |