Skip to main content
SpringerLink
Log in

HypTracker: A Hypervisor to Detect Malwares Through System Call Analysis on ARM

  • Conference paper
  • First Online:
Cyberspace Safety and Security (CSS 2017)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10581))

Included in the following conference series:

  • 2140 Accesses

Abstract

Mobile Security becomes increasingly important nowadays due to the widely use of mobile platforms. With the appearance of ARM virtualization extensions, using virtualization technology to protect system security has become a research hotspot. In this paper, we propose HypTracker to detect malicious behaviours by analyzing the system call sequences based on ARM virtualization extensions, which can intercept the system calls at thread level transparently with Android and generate the system call sequences. We put forward a sensitive-system-call-based feature extraction model using Relative Discrete Euclidean Distance and a greedy-like algorithm to generate the malicious behaviour models. At runtime, a sliding-window-based detection module is used to detect malicious behaviours. We have experimented with the samples of DroidKungfu and the result validates the effectiveness of the proposed methodology.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    In fact, there are four kinds of instruction sets: ARM, Thumb, Jazelle, and ThumbEE. The latter two kinds of instructions sets are related to Java, which is out of our scope in this paper.

  2. 2.

    The choice of the sensitive system calls is based on the study of the malicious codes. Other sensitive system calls can also be added if necessary. But the performance and the complexity needs to be taken into account.

  3. 3.

    For simplicity, we hide the parameters of the system calls and suppose the parameters are the same. But in practical, the files needed to be opened in different malicious behaviours are different as a general rule.

References

  1. Architecture Reference Manual (ARMv7-A and ARMv7-R edition). ARM DDI C (2008)

    Google Scholar 

  2. Amamra, A., Robert, J., Talhi, C.: Enhancing malware detection for android systems using a system call filtering and abstraction process. Secur. Commun. Netw. 8(7), 1179–1192 (2015)

    Article  Google Scholar 

  3. Horsch, J., Wessel, S.: Transparent page-based kernel and user space execution tracing from a custom minimal ARM hypervsior. In: The IEEE International Conference on Trust, Security and Privacy in Computing and Communications, pp. 408–417 (2015)

    Google Scholar 

  4. Li, Z., Shen, D., Su, X., Ma, J.: Security technology based on arm virtualization extension. J. Softw. 28(9), 2–20 (2016)

    Google Scholar 

  5. Lin, Y.D., Lai, Y.C., Chen, C.H., Tsai, H.C.: Identifying android malicious repackaged applications by thread-grained system call sequences. Comput. Secur. 39(39), 340–350 (2013)

    Article  Google Scholar 

  6. Peiravian, N., Zhu, X.: Machine learning for android malware detection using permission and API calls. In: IEEE International Conference on TOOLS with Artificial Intelligence, pp. 300–305 (2013)

    Google Scholar 

  7. Shen, D., Zhang, Z., Ding, X., Li, Z., Deng, R.: H-Binder: a hardened binder framework on Android systems. In: Deng, R., Weng, J., Ren, K., Yegneswaran, V. (eds.) SecureComm 2016. LNICSSITE, vol. 198, pp. 24–43. Springer, Cham (2017). doi:10.1007/978-3-319-59608-2_2

    Chapter  Google Scholar 

  8. Wahanggara, V., Prayudi, Y.: Malware detection through call system on android Smartphone using vector machine method. In: International Conference on Cyber Security, pp. 62–67 (2015)

    Google Scholar 

  9. Wu, D.J., Mao, C.H., Lee, H.M., Wu, K.P.: DroidMat: Android malware detection through manifest and API calls tracing. In: Information Security, pp. 62–69 (2012)

    Google Scholar 

  10. Yang, Y., Qian, Z., Huang, H.: A lightweight monitor for android kernel protection. Comput. Eng. 40(4), 48–52 (2014)

    Google Scholar 

  11. Yao, X., Han, X., Du, X., Zhou, X.: A lightweight multicast authentication mechanism for small scale iot applications. IEEE Sens. J. 13(10), 3693–3701 (2013)

    Article  Google Scholar 

  12. You, J.H., Lee, H.W.: Detection of malicious android mobile applications based on aggregated system call events. Int. J. Comput. Commun. Eng. 3(2), 149–154 (2014)

    Article  Google Scholar 

  13. You, J.H., Moon, D., Lee, H.W., Lim, J.D., Kim, J.N.: Android mobile application system call event pattern analysis for determination of malicious attack. Int. J. Secur. Appl. 8(1), 231–246 (2014)

    Google Scholar 

  14. Zhang, M., Duan, Y., Yin, H., Zhao, Z.: Semantics-aware android malware classification using weighted contextual API dependency graphs, pp. 1105–1116 (2014)

    Google Scholar 

Download references

Acknowledgment

This research work is supported in part by the National High Technology Research and Development Program of China (No. 2015AA016004), and the National Natural Science Foundation of China (Grand Nos. U1636211, 61672081, 61602237, 61370126).

Author information

Authors and Affiliations

  1. School of Computer Science and Engineering, Beihang University, Beijing, 100191, China

    Dong Shen & Zhoujun Li

  2. Key Laboratory of Microelectronics Devices and Integrated Technology, Institute of Microelectronics, Chinese Academy of Sciences, Beijing, 100029, China

    Xiaojing Su

Authors
  1. Dong Shen
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Xiaojing Su
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Zhoujun Li
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Zhoujun Li .

Editor information

Editors and Affiliations

  1. Deakin University , Geelong, China

    Sheng Wen

  2. Fujian Normal University, Fuzhou Shi, China

    Wei Wu

  3. University of Salerno, Fisciano, Italy

    Aniello Castiglione

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Shen, D., Su, X., Li, Z. (2017). HypTracker: A Hypervisor to Detect Malwares Through System Call Analysis on ARM. In: Wen, S., Wu, W., Castiglione, A. (eds) Cyberspace Safety and Security. CSS 2017. Lecture Notes in Computer Science(), vol 10581. Springer, Cham. https://doi.org/10.1007/978-3-319-69471-9_15

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-69471-9_15

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-69470-2

  • Online ISBN: 978-3-319-69471-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation