Abstract
With the development of cloud computing technology, more and more malicious software attacks against virtual machines and virtualized environments have increased sharply. However, leading cloud security is particularly prominent. To solve this problem, we have designed a model to analyze the process of a virtual machine. The model is based on a virtual machine introspection technology, which can monitor the program running in the virtual machine. It combined with the characteristics of a plurality of open-source software, such as Drakvuf, Libvmi, Malheur. We have designed it with three parts, the preparing detected environment, capturing behavior and behavioral analysis. It can be used to capture the running process of malware, detect rootkit and analyze the sequence of system calls. Finally, the experiment result demonstrates the effectiveness and practicability of our proposed model.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Willems, G., Holz, T., Freiling, F.: Toward automated dynamic malware analysis using CWSandbox. IEEE Secur. Priv. 5, 32–39 (2007)
Bayer, U., Moser, A., Kruegel, C., Kirda, E.: Dynamic analysis of malicious code. J. Comput. Virol. 2, 67–77 (2006)
Cuckoobox. http://www.cuckoosandbox.org/
Jiang, X., Wang, X., Xu, D.: Stealthy malware detection through vmm-based out-of-the box semantic view reconstruction. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 128–138 (2007)
Srivastava, A., Giffin, J.T.: Tamper-resistant, application-aware blocking of malicious network connections. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 39–58. Springer, Heidelberg (2008)
Nance, K., Bishop, M., Hay, B.: Investigating the implications of virtual machine introspection for digital forensics. In: International Conference on Availability, Reliability and Security, ARES 2009, pp. 1024–1029 (2009)
Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: Proceedings of the Network and Distributed Systems Security Symposium, pp. 191–206 (2003)
Payne, B.D., Carbone, M., Sharif, M., et al.: Lares: An architecture for secure active monitoring using virtualization. In: Proceedings of the 2008 IEEE Symposium on Security and Privacy, pp. 233–247. IEEE Computer Society (2008)
Xiong, H., Liu, Z., Xu, W., et al.: Libvmi: a library for bridging the semantic gap between guest OS and VMM. In: International Conference on Computer and Information Technology, pp. 549–556. IEEE (2012)
Lengyel, T.K., Maresca, S., Payne, B.D., et al.: Scalability, fidelity and stealth in the drakvuf dynamic malware analysis system. In: Proceedings of the 30th Annual Computer Security Applications Conference, pp. 386–395. ACM (2014)
Guestfish. http://libguestfs.org/guestfish.1.html
Payne, B.D.: Simplifying virtual machine introspection using libvmi. Sandia report (2012)
Intel Corporation Intel 64 and IA-32 architectures software developer’s manual, volume 3B (2008)
Nakajima, J.: Intel virtualization technology roadmap and VT-d support in Xen (2006)
Okolica, J.S., Peterson, G.L.: Extracting forensic artifacts from windows o/s memory. Technical report, DTIC document (2011)
Deng, Z., Zhang, X., Xu, D.: Spider: stealthy binary program instrumentation and debugging via hardware virtualization. In: Proceedings of the 29th Annual Computer Security Applications Conference, ACSAC 2013, New York, NY, USA. ACM (2013)
Rieck, K., Trinius, P., Willems, C., Holz, T.: Automatic analysis of malware behavior using machine learning. J. Comput. Secur. 19(4), 639–668 (2011)
Qiao, Y., Yang, Y., He, J., Tang, C., Liu, Z.: CBM: free, automatic malware analysis framework using API call sequences. In: Sun, F., Li, T., Li, H. (eds.) Knowledge Engineering and Management. AISC, vol. 214, pp. 225–236. Springer, Heidelberg (2014)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Li, C., Xiang, Y., Shi, J. (2015). A Model of Dynamic Malware Analysis Based on VMI. In: Wang, G., Zomaya, A., Martinez, G., Li, K. (eds) Algorithms and Architectures for Parallel Processing. ICA3PP 2015. Lecture Notes in Computer Science(), vol 9532. Springer, Cham. https://doi.org/10.1007/978-3-319-27161-3_42
Download citation
DOI: https://doi.org/10.1007/978-3-319-27161-3_42
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-27160-6
Online ISBN: 978-3-319-27161-3
eBook Packages: Computer ScienceComputer Science (R0)