System calls have long been used to profile a program as a malware. As previous system call based malware detection approaches are often process-oriented, which determines a process as a malware only by its invoking system calls, they often miss the module-based malware such as DLL-based malware and the co-working malware that splits itself into several programs and co-works to complete their functions. To deal with this problem, the system calls should be collected and analyzed as richly as before. However, analyzing rich system calls will cause a significant performance impact on the clients. Fortunately, with the evolution of distributable computing techniques such as MapReduce, we can overcome this tradeoff by analyzing the system calls for malware detection on the servers and then reduce the performance impact on the clients. In this paper, we revise the previous malware persistent model to cover the module-based and co-working malware. We also propose a MapReduce-based system call analysis method to realize the new model. This method is implemented on a Hadoop platform and uses 50 readworld malware for effective and efficient tests. The experimental results show that the detection rate can improve by 28% and performance can improve by more than 30% in comparison to previous research.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
customersupport@researchsolutions.com
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.