A Model of Dynamic Malware Analysis Based on VMI

  • Conference paper
Algorithms and Architectures for Parallel Processing (ICA3PP 2015)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 9532)

Abstract

With the development of cloud computing technology, attacks by malicious software against virtual machines and virtualized environments have increased sharply, which makes cloud security a particularly prominent concern. To address this problem, we have designed a model for analyzing processes running inside a virtual machine. The model is based on virtual machine introspection (VMI), which allows programs running in the virtual machine to be monitored from outside the guest. It combines features of several open-source tools, such as Drakvuf, Libvmi and Malheur. The model consists of three parts: preparing the detection environment, capturing behavior, and analyzing behavior. It can be used to capture the running process of malware, detect rootkits and analyze the sequence of system calls. Finally, experimental results demonstrate the effectiveness and practicability of the proposed model.

Author information

Correspondence to Chengye Li .

Copyright information

© 2015 Springer International Publishing Switzerland

Cite this paper

Li, C., Xiang, Y., Shi, J. (2015). A Model of Dynamic Malware Analysis Based on VMI. In: Wang, G., Zomaya, A., Martinez, G., Li, K. (eds) Algorithms and Architectures for Parallel Processing. ICA3PP 2015. Lecture Notes in Computer Science, vol 9532. Springer, Cham. https://doi.org/10.1007/978-3-319-27161-3_42

  • DOI: https://doi.org/10.1007/978-3-319-27161-3_42

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-27160-6

  • Online ISBN: 978-3-319-27161-3

  • eBook Packages: Computer Science (R0)
