A System Call Analysis Method with MapReduce for Malware Detection

Abstract

System calls have long been used to profile a program as a malware. As previous system call based malware detection approaches are often process-oriented, which determines a process as a malware only by its invoking system calls, they often miss the module-based malware such as DLL-based malware and the co-working malware that splits itself into several programs and co-works to complete their functions. To deal with this problem, the system calls should be collected and analyzed as richly as before. However, analyzing rich system calls will cause a significant performance impact on the clients. Fortunately, with the evolution of distributable computing techniques such as MapReduce, we can overcome this tradeoff by analyzing the system calls for malware detection on the servers and then reduce the performance impact on the clients. In this paper, we revise the previous malware persistent model to cover the module-based and co-working malware. We also propose a MapReduce-based system call analysis method to realize the new model. This method is implemented on a Hadoop platform and uses 50 read-world malware for effective and efficient tests. The experimental results show that the detection rate can improve by 28% and performance can improve by more than 30% in comparison to previous research.