Identifying system calls invoked by malware using branch trace facilities

Yuto Otsuki; Eiji Takimoto; Shoichi Saito; Eric W. Cooper; Koichi Mouri

Identifying system calls invoked by malware using branch trace facilities

Yuto Otsuki, Eiji Takimoto, Shoichi Saito, Eric W. Cooper, Koichi Mouri

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

We are developing Alkanet, a system call tracer for malware analysis. However, recent malware infects other processes. Others consist of two or more modules or plug-ins. It is difficult to trace these malware because traditional methods focus on threads or processes. Getting the system call invoker by stack tracing is a traditional method to solve this problem. However, if malware has falsified its stack, this method cannot identify it correctly. In this paper, we describe a method for identifying a system call invoker by branch trace facilities. We consider the effectiveness of branch trace facilities for malware analysis.

Original language	English
Title of host publication	IMECS 2015 - International MultiConference of Engineers and Computer Scientists 2015
Publisher	Newswood Limited
Pages	145-151
Number of pages	7
Volume	1
ISBN (Electronic)	9789881925329
Publication status	Published - 2015
Externally published	Yes
Event	International MultiConference of Engineers and Computer Scientists 2015, IMECS 2015 - Tsimshatsui, Kowloon, Hong Kong Duration: Mar 18 2015 → Mar 20 2015

Other

Other	International MultiConference of Engineers and Computer Scientists 2015, IMECS 2015
Country	Hong Kong
City	Tsimshatsui, Kowloon
Period	3/18/15 → 3/20/15

All Science Journal Classification (ASJC) codes

Computer Science (miscellaneous)

Fingerprint Dive into the research topics of 'Identifying system calls invoked by malware using branch trace facilities'. Together they form a unique fingerprint.

Cite this

Identifying system calls invoked by malware using branch trace facilities. / Otsuki, Yuto; Takimoto, Eiji; Saito, Shoichi; Cooper, Eric W.; Mouri, Koichi.

IMECS 2015 - International MultiConference of Engineers and Computer Scientists 2015. Vol. 1 Newswood Limited, 2015. p. 145-151.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Otsuki, Y, Takimoto, E, Saito, S, Cooper, EW & Mouri, K 2015, Identifying system calls invoked by malware using branch trace facilities. in IMECS 2015 - International MultiConference of Engineers and Computer Scientists 2015. vol. 1, Newswood Limited, pp. 145-151, International MultiConference of Engineers and Computer Scientists 2015, IMECS 2015, Tsimshatsui, Kowloon, Hong Kong, 3/18/15.

@inproceedings{e03acb2f3e43406b9ca4496e2b91d3e5,

title = "Identifying system calls invoked by malware using branch trace facilities",

abstract = "We are developing Alkanet, a system call tracer for malware analysis. However, recent malware infects other processes. Others consist of two or more modules or plug-ins. It is difficult to trace these malware because traditional methods focus on threads or processes. Getting the system call invoker by stack tracing is a traditional method to solve this problem. However, if malware has falsified its stack, this method cannot identify it correctly. In this paper, we describe a method for identifying a system call invoker by branch trace facilities. We consider the effectiveness of branch trace facilities for malware analysis.",

author = "Yuto Otsuki and Eiji Takimoto and Shoichi Saito and Cooper, {Eric W.} and Koichi Mouri",

year = "2015",

language = "English",

volume = "1",

pages = "145--151",

booktitle = "IMECS 2015 - International MultiConference of Engineers and Computer Scientists 2015",

publisher = "Newswood Limited",

note = "International MultiConference of Engineers and Computer Scientists 2015, IMECS 2015 ; Conference date: 18-03-2015 Through 20-03-2015",

}

TY - GEN

T1 - Identifying system calls invoked by malware using branch trace facilities

AU - Otsuki, Yuto

AU - Takimoto, Eiji

AU - Saito, Shoichi

AU - Cooper, Eric W.

AU - Mouri, Koichi

PY - 2015

Y1 - 2015

N2 - We are developing Alkanet, a system call tracer for malware analysis. However, recent malware infects other processes. Others consist of two or more modules or plug-ins. It is difficult to trace these malware because traditional methods focus on threads or processes. Getting the system call invoker by stack tracing is a traditional method to solve this problem. However, if malware has falsified its stack, this method cannot identify it correctly. In this paper, we describe a method for identifying a system call invoker by branch trace facilities. We consider the effectiveness of branch trace facilities for malware analysis.

AB - We are developing Alkanet, a system call tracer for malware analysis. However, recent malware infects other processes. Others consist of two or more modules or plug-ins. It is difficult to trace these malware because traditional methods focus on threads or processes. Getting the system call invoker by stack tracing is a traditional method to solve this problem. However, if malware has falsified its stack, this method cannot identify it correctly. In this paper, we describe a method for identifying a system call invoker by branch trace facilities. We consider the effectiveness of branch trace facilities for malware analysis.

UR - http://www.scopus.com/inward/record.url?scp=84938063793&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84938063793&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:84938063793

VL - 1

SP - 145

EP - 151

BT - IMECS 2015 - International MultiConference of Engineers and Computer Scientists 2015

PB - Newswood Limited

T2 - International MultiConference of Engineers and Computer Scientists 2015, IMECS 2015

Y2 - 18 March 2015 through 20 March 2015

ER -