Skip to main content
SpringerLink
Log in

SeqTrace: API Call Tracing Based on Intel PT and VMI for Malware Detection

  • Conference paper
  • First Online:
Algorithms and Architectures for Parallel Processing (ICA3PP 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13777))

  • 1511 Accesses

Abstract

API-call sequence, a significant dynamic feature of the software, is widely applied to malware detection. Unfortunately, native approaches to API-call analysis are time-consuming and cause heavy performance penalties. To improve the efficiency of API-call analysis, this paper proposes a novel dynamic analysis approach named SeqTrace based on Intel Process Trace (PT) and Virtual Machine Introspection (VMI) technologies. First, we propose an API-call Tracing approach based on the Intel PT feature of the CPU. It leverages Intel PT to trace the execution of analyzed samples and logs relative information of their API calls with slight overhead. Then, to efficiently translate the semantics of API calls from logged information, we design Semantic Decoder based on VMI technology. Moreover, we implement a prototype API called SeqTrace on the QEMU/KVM platform and evaluate it through a set of experiments. Compared with previous approaches, the experimental results show that SeqTrace achieves API-call sequence tracing with fine-grained semantic information and reduces the tracing overhead by more than 80%.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 89.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 119.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Steven, H., Anil, S.: Intrusion detection using sequences of system calls. J. Comput. Secur. 6(3), (1999)

    Google Scholar 

  2. Amin, K., Sajjad A., Collin, M., William, R., Engin, K.: UNVEIL: a large-scale, automated approach to detecting ransomware. In: 25th USENIX Security Symposium (USENIX Security 2016), pp. 757–772 (2016)

    Google Scholar 

  3. Thomas, N.-K., Max W.: Semi-supervised classification with graph convolutional networks. arXiv preprint, arXiv:1609.02907 (2016)

  4. Rosenberg, I., Shabtai, A., Rokach, L., Elovici, Y.: Generic black-box end-to-end attack against state of the art API call based malware classifiers. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds.) RAID 2018. LNCS, vol. 11050, pp. 490–510. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-00470-5_23

    Chapter  Google Scholar 

  5. Fadadu, F., Handa, A., Kumar, N., Shukla, S.K.: Evading API call sequence based malware classifiers. In: Zhou, J., Luo, X., Shen, Q., Xu, Z. (eds.) ICICS 2019. LNCS, vol. 11999, pp. 18–33. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-41579-2_2

    Chapter  Google Scholar 

  6. Bergenholtz, E., Casalicchio, E., Ilie, D., Moss, A.: Detection of metamorphic malware packers using multilayered LSTM networks. In: Meng, W., Gollmann, D., Jensen, C.D., Zhou, J. (eds.) ICICS 2020. LNCS, vol. 12282, pp. 36–53. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-61078-4_3

    Chapter  Google Scholar 

  7. Binghui, W., Zhenqiang, G.: Attacking graph-based classification via manipulating the graph structure. In: 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 2023–2040 (2019)

    Google Scholar 

  8. Pfoh, J., Schneider, C., Eckert, C., et al.: Nitro: hardware-based system call tracing for virtual machines. In: International Workshop on Security, pp. 96–112 (2011)

    Google Scholar 

  9. Holz, T., Freiling, F., Willems, C.: Toward automated dynamic malware analysis using CWSandbox. IEEE Secur. Priv. 5(2), 32–39 (2007)

    Article  Google Scholar 

  10. Bojan, J.: A Not-So-Common Cold: Malware Statistics in 2021. March 2021. https://dataprot.net/statistics/malware-statistics

  11. Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: 10th Network and Distributed System Symposium (NDSS 2003), San Diego, CA, USA (2003)

    Google Scholar 

  12. Bauman, E., Ayoade, G., Lin, Z.: A survey on hypervisor-based monitoring: approaches, applications, and evolutions. ACM Comput. Surv. 48(1), 1001–1033 (2015)

    Article  Google Scholar 

  13. Intel 64 and IA-32 architectures software developer’s manual. (2016)

    Google Scholar 

  14. Payne, B.-D.: Simplifying virtual machine introspection using LibVMI. In: Technical Reports SAND2012-7818, Sandia National Laboratories (2012)

    Google Scholar 

  15. Sergej, S., Cornelius, A., Robert, G., Sebastian, S., Thorsten, H.: kAFL: hardware-assisted feedback fuzzing for OS kernels. In: 26th USENIX Conference on Security Symposium, Vancouver, BC, pp. 167–182. USENIX Association (2017)

    Google Scholar 

  16. Ding, Z., Cui, L., Fei, H., et al.: A high-efficiency and comprehensive dynamic behavior analysis system for malware based on hardware virtualization. In: 22nd International Conference on High Performance Computing and Communications; 18th International Conference on Smart City; 6th International Conference on Data Science and Systems (HPCC/SmartCity/DSS), IEEE (2020)

    Google Scholar 

  17. HD Tune Pro, www.hdtune.com

  18. Fritz Chess, www.jens-hartmann.at/Fritzmarks/

  19. Bohme, M., Pham, V.-T., Roychoudhury, A.: Coverage-based greybox fuzzing as markov chain. IEEE Trans. Software Eng. 45(5), 489–506 (2019)

    Google Scholar 

  20. Cha, S.-K., Woo, M., Brumley, D.: Program-adaptive mutational fuzzing. In: IEEE Symposium on Security and Privacy, pp. 725–741. IEEE (2015)

    Google Scholar 

  21. Sanjay, R., Vivek, J., Ashish, K., Lucian, C., Cristiano, G., Herbert, B.: VUzzer: application-aware evolutionary fuzzing. In: 24th Network and Distributed System Symposium (NDSS 2017), San Diego, CA, USA (2017)

    Google Scholar 

  22. Ge, X., Talele, N., Payer, M., et al.: IEEE European Symposium on Security and Privacy. Fine-grained control-flow integrity for kernel software, IEEE (2016)

    Google Scholar 

  23. Vishwath, M., Per, L., Stefan, B., Kevin, W.-H., Michael, F.: Opaque control-flow integrity. In: 22th Network and Distributed System Symposium (NDSS 2015), San Diego, CA, USA (2015)

    Google Scholar 

  24. Carlini, N., Barresi, A., Payer, M., Wagner, D., Gross, T.-R.: Control-flow bending: on the effectiveness of control-flow integrity. In: 24th USENIX Conference on Security Symposium, Washington, D.C., pp. 161–176. USENIX Association (2015)

    Google Scholar 

  25. Payer, M., Barresi, A., Gross, T.R.: Fine-grained control-flow integrity through binary hardening. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 144–164. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-20550-2_8

    Chapter  Google Scholar 

  26. Wang, M., Yin, H., Bhaskar, A.-V., Su, P., Feng, D.: Binary code continent: finer-grained control flow integrity for stripped binaries. In: 31st Annual Computer Security Applications Conference (ACSAC 2015), Los Angeles, CA, USA, pp. 331–340 (2015)

    Google Scholar 

  27. Gu, Y., Zhao, Q., Zhang, Y., Lin, Z.: PT-CFI: transparent backward-edge control flow violation detection using intel processor trace. In: 7th ACM on Conference on Data and Application Security and Privacy, Scottsdale, Arizona, USA, pp. 173–184 (2017)

    Google Scholar 

  28. Ge, X., Cui, W., Jaeger, T.: GRIFFIN guarding control flows using Intel Processor Trace. In: 22nd International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2017), Xi’an, China, pp. 585–598 (2017)

    Google Scholar 

  29. Wang, X.-R., Liu, Y.-T., Chen, H.-B.: Transparent protection of kernel module against ROP with Intel processor trace. J. Software 29(5), 1333–1347 (2018)

    Google Scholar 

  30. Alazab, M., Layton, R., Venkataraman, S., Watters, P.: Malware detection based on structure detection based on structural and behaal and behavioural features of API calls. In: proceedings of the 2010 International Cyber Resilience Conference, pp. 1–10 (2010)

    Google Scholar 

  31. Sami, A., Yadegari, B., Rahimi, H., Peiravian, N., Hashemi, S., Hamze, A.: Malware detection based on mining API calls. In: proceedings of the 2010 ACM Symposium on Applied Computing (SAC 2010), New York, USA, pp. 1020–1025 (2010)

    Google Scholar 

  32. Wang, C., Pang, J., Zhao, R., Liu, X.: Using API sequence and Bayes algorithm to detect suspicious behavior. In: 2009 International Conference on Communication Software and Networks, pp. 544–548 (2009)

    Google Scholar 

  33. Oktavianto, D., Muhardianto, I.: Cuckoo Malware Analysis. Packt Publishing Ltd (2013)

    Google Scholar 

  34. Shi, B., Cui, L., Li, B., Liu, X., Hao, Z., Shen, H.: ShadowMonitor: an effective In-VM monitoring framework with hardware-enforced isolation. In: Research in Attacks, Intrusions, and Defenses, pp. 670–690 (2018)

    Google Scholar 

  35. Bryan, D.-P., Carbone, M., Lee, W., et al.: Secure and Flexible Monitoring of Virtual Machines. In: 23th Annual Computer Security Applications Conference, pp. 385–397, ACM (2007)

    Google Scholar 

  36. Dinaburg, A., Royal, P., Sharif, M., et al.: Ether: malware analysis via hardware virtualization extensions. In: 15th ACM conference on Computer and Communications Security, pp. 51–62 (2008)

    Google Scholar 

  37. Wang, C., Hao, Z., Yun, X.: NOR: towards non-intrusive, real-time and OS-agnostic introspection for virtual machines in cloud environment. In: Chen, X., Lin, D., Yung, M. (eds.) Inscrypt 2017. LNCS, vol. 10726, pp. 500–517. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-75160-3_29

    Chapter  Google Scholar 

  38. Tamas, K.-L., Steve, M., Bryan, D.-P., et al.: Scalability, fidelity and stealth in the DRAKVUF dynamic malware analysis system. In: 30th Annual Computer Security Applications Conference, pp. 386–395 (2014)

    Google Scholar 

  39. VirusSign, www.virussign.com/index.html

Download references

Acknowledgments

This work is supported by the National Natural Science Foundation of China (grant no. 62072453, 61972392 ), Youth Innovation Promotion Association of the Chinese Academy of Sciences (no. 2020164).

Author information

Authors and Affiliations

  1. School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China

    Zhenquan Ding

  2. Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China

    Zhenquan Ding, Hui Xu, Lei Cui, Feng Cheng & Zhiyu Hao

  3. State Grid Information and Telecommunication Branch, Beijing, China

    Yonghe Guo, Longchuan Yan & Yuanlong Peng

Authors
  1. Zhenquan Ding
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Yonghe Guo
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Hui Xu
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Longchuan Yan
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Lei Cui
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Yuanlong Peng
    View author publications

    You can also search for this author in PubMed Google Scholar

  7. Feng Cheng
    View author publications

    You can also search for this author in PubMed Google Scholar

  8. Zhiyu Hao
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Hui Xu .

Editor information

Editors and Affiliations

  1. Technical University of Denmark, Kongens Lyngby, Denmark

    Weizhi Meng

  2. University of New Brunswick, Fredericton, NB, Canada

    Rongxing Lu

  3. University of Exeter, Exeter, UK

    Geyong Min

  4. Rutgers University, Newark, NJ, USA

    Jaideep Vaidya

Rights and permissions

Reprints and permissions

Copyright information

© 2023 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Ding, Z. et al. (2023). SeqTrace: API Call Tracing Based on Intel PT and VMI for Malware Detection. In: Meng, W., Lu, R., Min, G., Vaidya, J. (eds) Algorithms and Architectures for Parallel Processing. ICA3PP 2022. Lecture Notes in Computer Science, vol 13777. Springer, Cham. https://doi.org/10.1007/978-3-031-22677-9_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-22677-9_6

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22676-2

  • Online ISBN: 978-3-031-22677-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation