
SPEMS: A Stealthy and Practical Execution Monitoring System Based on VMI

  • Conference paper
  • Conference: Cloud Computing and Security (ICCCS 2015)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 9483)

Abstract

Dynamic analysis has been proposed for decades as a way to trace the execution of programs. However, most approaches require an agent installed inside the execution environment, which is easy to detect and bypass. To solve this problem, we propose a system named SPEMS, which uses virtual machine introspection (VMI) to stealthily monitor the execution of programs inside virtual machines. SPEMS integrates and improves multiple open-source software tools. By inspecting the whole process of sample preparation, execution tracing and analysis, it can be applied to large-scale program monitoring, malware analysis and memory forensics. Experimental results show that our system achieves a remarkable performance improvement over previous work.



Author information

Corresponding author: Jiangyong Shi

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Shi, J., Yang, Y., Li, C., Wang, X. (2015). SPEMS: A Stealthy and Practical Execution Monitoring System Based on VMI. In: Huang, Z., Sun, X., Luo, J., Wang, J. (eds) Cloud Computing and Security. ICCCS 2015. Lecture Notes in Computer Science, vol 9483. Springer, Cham. https://doi.org/10.1007/978-3-319-27051-7_32

  • DOI: https://doi.org/10.1007/978-3-319-27051-7_32
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-27050-0
  • Online ISBN: 978-3-319-27051-7
  • eBook Packages: Computer Science (R0)
