Abstract
Mobile security is becoming increasingly important due to the widespread use of mobile platforms. With the arrival of the ARM virtualization extensions, using virtualization technology to protect system security has become a research hotspot. In this paper, we propose HypTracker, which detects malicious behaviours by analyzing system call sequences using the ARM virtualization extensions: it intercepts system calls at thread level, transparently to Android, and generates the system call sequences. We put forward a sensitive-system-call-based feature extraction model that uses Relative Discrete Euclidean Distance, together with a greedy-like algorithm, to generate the malicious behaviour models. At runtime, a sliding-window-based detection module is used to detect malicious behaviours. We have experimented with samples of DroidKungfu, and the result validates the effectiveness of the proposed methodology.
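The abstract describes three pieces that fit together: a thread-level system call trace, feature vectors built only from a chosen set of sensitive system calls, and a sliding window compared against learned behaviour models. The following added example (not the paper's own code or data) shows that pipeline on a constructed trace. The sensitive call set, the behaviour models, the trace lines and the window size are all assumptions made for illustration; plain Euclidean distance between count vectors stands in for the paper's Relative Discrete Euclidean Distance and for its greedy model-generation step, neither of which is defined on this page.

```python
import math
from collections import defaultdict

# Constructed set of "sensitive" system calls (an assumption; the paper's list is not on this page).
SENSITIVE = ("open", "write", "chmod", "execve", "connect", "sendto", "fork")

# Constructed behaviour models, written as the sensitive-call sequence each behaviour produces.
# Parameters are deliberately omitted, as in the paper's simplified presentation.
MODELS = {
    "drop_and_exec": ["open", "write", "write", "chmod", "execve"],
    "exfil": ["open", "connect", "sendto", "sendto", "sendto"],
}

# Constructed thread-level trace in "tid syscall" form, one call per line.
TRACE = """
101 getpid
101 open
101 write
101 write
101 chmod
101 execve
101 exit
202 open
202 read
202 close
202 ioctl
202 read
"""


def feature_vector(window):
    """Count each sensitive call inside a window; non-sensitive calls are ignored."""
    counts = dict.fromkeys(SENSITIVE, 0)
    for call in window:
        if call in counts:
            counts[call] += 1
    return [counts[name] for name in SENSITIVE]


def euclidean(a, b):
    """Plain Euclidean distance between two equal-length count vectors (stand-in metric)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def parse_trace(lines):
    """Group trace lines by thread id so each thread gets its own sequence."""
    threads = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        tid, call = line.split(maxsplit=1)
        threads[int(tid)].append(call)
    return threads


def detect(lines, window=5, threshold=0.5):
    """Slide a window over every thread's sequence and report windows close to a model.

    Returns a list of (tid, window_start, model_name). With the default threshold only
    windows whose sensitive-call counts exactly match a model are flagged.
    """
    models = {name: feature_vector(seq) for name, seq in MODELS.items()}
    hits = []
    for tid, seq in sorted(parse_trace(lines).items()):
        # A sequence shorter than the window still yields one (partial) window.
        for start in range(max(1, len(seq) - window + 1)):
            vec = feature_vector(seq[start:start + window])
            for name, model in models.items():
                if euclidean(vec, model) <= threshold:
                    hits.append((tid, start, name))
    return hits


if __name__ == "__main__":
    for tid, start, name in detect(TRACE.splitlines()):
        print(f"thread {tid}: window starting at call {start} matches '{name}'")
```

Thread 101 produces one hit (the window starting at its second call matches `drop_and_exec` exactly) while thread 202, which only performs ordinary file reads, produces none; the non-sensitive `getpid` and `exit` calls around the malicious window do not disturb the match because they never enter the feature vector.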
Notes
1. In fact, there are four kinds of instruction sets: ARM, Thumb, Jazelle, and ThumbEE. The latter two instruction sets are related to Java, which is out of the scope of this paper.
2. The choice of the sensitive system calls is based on a study of the malicious code. Other sensitive system calls can be added if necessary, but the performance and complexity cost needs to be taken into account.
3. For simplicity, we hide the parameters of the system calls and suppose the parameters are the same. In practice, the files that need to be opened in different malicious behaviours are, as a general rule, different.
Acknowledgment
This research work is supported in part by the National High Technology Research and Development Program of China (No. 2015AA016004) and the National Natural Science Foundation of China (Grant Nos. U1636211, 61672081, 61602237, 61370126).
Copyright information
© 2017 Springer International Publishing AG
Cite this paper
Shen, D., Su, X., Li, Z. (2017). HypTracker: A Hypervisor to Detect Malwares Through System Call Analysis on ARM. In: Wen, S., Wu, W., Castiglione, A. (eds) Cyberspace Safety and Security. CSS 2017. Lecture Notes in Computer Science, vol 10581. Springer, Cham. https://doi.org/10.1007/978-3-319-69471-9_15
DOI: https://doi.org/10.1007/978-3-319-69471-9_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-69470-2
Online ISBN: 978-3-319-69471-9
eBook Packages: Computer Science (R0)