System calls of the application are arranged in chronological order, forming one system call sequence.
The co-occurrence matrix models the sequence of system calls by associating one system call with another call within a certain distance.
Second, we discover that the relevant relationships of system calls are significantly different between the system call sequences of malware and benign software, and then use co-occurrence matrices to mine these relationships.
Up to now, there are mainly two kinds of methods using system calls, one of which is to use system call frequencies.
Among the above methods based on system calls, those employing frequencies do not consider the relationship between two system calls within the system call sequence.
There are many differences between the system call actions of Android and those of Linux.
Whenever a system call of interest begins (or completes), the operating system stops the subject process and notifies the Catcher.
When we intercept a system call which accesses a remote file, we first ensure that an up-to-date copy is available locally.
The drawback of this approach is that it does not work for statically linked applications not owned by the user, or for applications that circumvent the standard libraries and execute system call instructions directly.
When the application issues a system call (1), it can go directly to the kernel or, if it is file-related, get intercepted by the Catcher (2).
In Ufo there are two events of interest: system call entry into the kernel and system call exit from the kernel.