Unknown Malware Detection Based on the Full Virtualization and SVM

Malware has become the centerpiece of security threats on the e-commercial business. The focus of malware research is shifting from using signature patterns to identifying the malicious behavior patterns. Many researcher extract behavior pattern from system call sequences to identify malware from benign programs with data mining techniques. Most system call tracing tools must run alongside the malware in the same system environment and could be easily detected by malware. In this paper, we propose a new system calls tracing system based on the full virtualization via Intel-VT technology. Malicious samples are running in a GuestOS and they can not detect the existence of system call tracing tool running in the HostOS. We collect a system call trace data set from 1226 malicious and 587 benign executables. An experiment based on the SVM model shows that the proposed method can detect malware with strong resilience and high accuracy.