Designing a smartphone honeypot system using performance counters

Abstract

This paper presents a design for a honeypot smartphone system. The smartphone honeypot system has to perform several complex functions; the three most important are designing and constructing the system database, malware detection, and system reactions. During construction of the system database, information about the behaviour of various well-known malicious applications is captured using the hardware performance counters and saved in database files. Three features are used for this purpose: number of instructions, number of branches, and number of cache misses. A data set of 1260 malicious programs is used to collect these features. One-dimensional Euclidean distance and multi-dimensional Euclidean distance are used to classify the samples from the data set and identify the family they belong to. Although the classification results were low for some families, the algorithm classified other families with 100% accuracy. The results indicate that performance counters are good tools for detecting malware.
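The following sketch is an added example, not code from the paper. It contrasts the one-dimensional and multi-dimensional Euclidean distance classification over the three counters named in the abstract. The family names, counter values, nearest-mean profile and range scaling are all assumptions made for illustration.

```python
import math

FEATURES = ("instructions", "branches", "cache_misses")

# Constructed counter readings per family (hypothetical names and values).
TRAINING = {
    "family_a": [(9.1e8, 1.9e8, 2.1e6), (9.4e8, 2.0e8, 2.4e6), (8.9e8, 1.8e8, 2.0e6)],
    "family_b": [(9.2e8, 1.2e8, 7.8e6), (9.0e8, 1.1e8, 8.1e6), (9.5e8, 1.3e8, 7.5e6)],
    "family_c": [(3.1e8, 0.6e8, 2.2e6), (3.3e8, 0.7e8, 2.5e6), (2.9e8, 0.5e8, 2.0e6)],
}

def build_profiles(training):
    """Mean counter vector per family (assumed form of the stored profile)."""
    return {fam: tuple(sum(col) / len(col) for col in zip(*rows))
            for fam, rows in training.items()}

def feature_scales(training):
    """Per-feature range over all samples, so no single counter dominates."""
    cols = zip(*[row for rows in training.values() for row in rows])
    return tuple((max(c) - min(c)) or 1.0 for c in cols)

def classify_1d(sample, profiles, feature):
    """One-dimensional distance: compare a single counter only."""
    i = FEATURES.index(feature)
    return min(profiles, key=lambda fam: abs(sample[i] - profiles[fam][i]))

def classify_nd(sample, profiles, scales):
    """Multi-dimensional Euclidean distance over all three scaled counters."""
    def dist(fam):
        return math.sqrt(sum(((s - p) / k) ** 2
                             for s, p, k in zip(sample, profiles[fam], scales)))
    return min(profiles, key=dist)

PROFILES = build_profiles(TRAINING)
SCALES = feature_scales(TRAINING)

# Constructed unknown sample whose branch and cache behaviour matches family_b,
# while its instruction count alone sits closer to family_a.
UNKNOWN = (9.15e8, 1.15e8, 7.9e6)

if __name__ == "__main__":
    for f in FEATURES:
        print(f"1-D on {f}: {classify_1d(UNKNOWN, PROFILES, f)}")
    print(f"multi-D: {classify_nd(UNKNOWN, PROFILES, SCALES)}")
```

In this constructed data, two families overlap on instruction count, so the single-counter distance picks the wrong family while the three-counter distance separates them.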