Unknown Malware Detection Based on the Full Virtualization and SVM
Malware has become the centerpiece of security threats to e-commerce. The focus of malware research is shifting from matching signature patterns to identifying malicious behavior patterns. Many researchers extract behavior patterns from system call sequences and use data mining techniques to distinguish malware from benign programs. Most system call tracing tools must run alongside the malware in the same system environment and can therefore be easily detected by the malware. In this paper, we propose a new system call tracing system based on full virtualization via Intel VT technology. Malicious samples run in a GuestOS and cannot detect the existence of the system call tracing tool, which runs in the HostOS. We collect a system call trace data set from 1226 malicious and 587 benign executables. An experiment based on an SVM model shows that the proposed method can detect malware with strong resilience and high accuracy.
Keywords: malware; full virtualization; native API sequence; SVM
Authors: Hengli Zhao, Ning Zheng, Jian Li, Jingjing Yao, Qiang Hou
Affiliations: Institute of Computer Application Technology, Hangzhou Dianzi University, Hangzhou, China; The Third Research Institute of the Ministry of Public Security, Shanghai, China
Type: International conference
Location: Nanchang
Language: English
Pages: 473-476
Date: 2009-09-01 (date the record first went online on the Wanfang platform; not the paper's publication date)