System Calls for Malware Detection and Classification: Methodologies and Applications
Bishwajit Prasad Gond, Durga Prasad Mohapatra

TL;DR
This paper reviews how system calls and API calls are utilized in malware detection and classification, emphasizing techniques like static/dynamic analysis, sandboxing, and machine learning across various operating systems.
Contribution
It provides a comprehensive overview of methodologies using system calls for malware detection, including recent advances and evasion tactics across multiple platforms.
Findings
System call analysis effectively distinguishes malicious from benign software.
Combining static, dynamic, and machine learning techniques improves detection accuracy.
Malware employs sophisticated evasion strategies to bypass system call-based detection.
Abstract
As malware continues to become more complex and harder to detect, malware analysis needs to keep evolving to stay one step ahead. One promising approach focuses on system calls and API calls, the core communication channel between user applications and the operating system kernel. These calls provide valuable insight into how a program behaves, making them a useful tool for spotting suspicious or harmful activity. This chapter takes an in-depth look at how system calls are used in malware detection and classification, covering techniques like static and dynamic analysis, as well as sandboxing. By combining these methods with advanced techniques like machine learning, statistical analysis, and anomaly detection, researchers can analyze system call patterns to tell the difference between normal and malicious behavior. The chapter…
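To make the behavioural idea in the abstract concrete, here is an added example (not code from the paper or its authors) of the simplest form of system-call-based detection: parse sandbox-style trace lines into a syscall sequence, build an n-gram profile from known-benign traces, and flag a new trace whose bigrams are mostly unseen. The trace lines are constructed, simplified strace-style samples, and the function names, the bigram novelty score and the 0.5 threshold are all assumptions chosen for illustration.

```python
import re
from collections import Counter

# Matches the syscall name at the start of an strace-style line, e.g. "openat(...) = 3".
SYSCALL_RE = re.compile(r"^(\w+)\(")

# Constructed, simplified strace-style lines (not real captures).
BENIGN_TRACES = [
    ['openat(AT_FDCWD, "/etc/hosts", O_RDONLY) = 3',
     'read(3, "127.0.0.1 localhost\\n", 4096) = 20',
     'read(3, "", 4096) = 0',
     'write(1, "127.0.0.1 localhost\\n", 20) = 20',
     'close(3) = 0'],
    ['openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3',
     'read(3, "\\177ELF...", 832) = 832',
     'mmap(NULL, 2037344, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x7f00',
     'read(3, "", 4096) = 0',
     'close(3) = 0'],
    ['openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3',
     'fstat(3, {st_mode=S_IFREG|0644, st_size=1200, ...}) = 0',
     'read(3, "root:x:0:0...", 4096) = 1200',
     'write(1, "root:x:0:0...", 1200) = 1200',
     'close(3) = 0'],
]

# Constructed trace of a program whose call pattern differs from the benign profile.
SUSPECT_TRACE = [
    'socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4',
    'connect(4, {sa_family=AF_INET, sin_port=htons(4444), ...}, 16) = 0',
    'openat(AT_FDCWD, "/home/user/doc.txt", O_RDONLY) = 3',
    'read(3, "...", 4096) = 900',
    'write(4, "...", 900) = 900',
    'ptrace(PTRACE_TRACEME, 0, NULL, NULL) = 0',
    'unlink("/tmp/.x") = 0',
]


def parse_trace(lines):
    """Extract the ordered list of syscall names from strace-style lines."""
    names = []
    for line in lines:
        m = SYSCALL_RE.match(line.strip())
        if m:
            names.append(m.group(1))
    return names


def ngrams(seq, n=2):
    """Sliding-window n-grams over a syscall sequence."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def build_profile(traces, n=2):
    """Count every n-gram seen across the known-benign traces."""
    profile = Counter()
    for lines in traces:
        profile.update(ngrams(parse_trace(lines), n))
    return profile


def novelty_score(lines, profile, n=2):
    """Fraction of the trace's n-grams that never occur in the benign profile."""
    grams = ngrams(parse_trace(lines), n)
    if not grams:
        return 0.0
    unseen = sum(1 for g in grams if g not in profile)
    return unseen / len(grams)


def classify(lines, profile, threshold=0.5):
    """Assumed decision rule: mostly-unseen call pairs count as suspicious."""
    return "suspicious" if novelty_score(lines, profile) >= threshold else "benign"


def vocabulary(traces):
    """Sorted set of syscall names, used as the feature order for an ML model."""
    return sorted({name for lines in traces for name in parse_trace(lines)})


def feature_vector(lines, vocab):
    """Bag-of-syscalls count vector, the usual input to a classifier."""
    counts = Counter(parse_trace(lines))
    return [counts.get(name, 0) for name in vocab]


if __name__ == "__main__":
    profile = build_profile(BENIGN_TRACES)
    for label, trace in (("benign[0]", BENIGN_TRACES[0]), ("suspect", SUSPECT_TRACE)):
        print(label, round(novelty_score(trace, profile), 3), classify(trace, profile))
    print(vocabulary(BENIGN_TRACES), feature_vector(SUSPECT_TRACE, vocabulary(BENIGN_TRACES)))
```

With these samples the suspect trace shares only `openat→read` and `read→write` with the benign profile, so four of its six bigrams are novel and it crosses the threshold. Two caveats a practitioner should keep in mind: a profile built from three traces is far too small for real use, and the evasion tactics the abstract mentions (for example, interleaving benign calls to dilute novel n-grams) are exactly why the paper pairs raw sequence features with machine learning and anomaly detection rather than a single unseen-n-gram ratio.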
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications
