
FindEvasion: An Effective Environment-Sensitive Malware Detection System for the Cloud

  • Conference paper
  • Digital Forensics and Cyber Crime (ICDF2C 2017)

Abstract

In recent years, environment-sensitive malware has been growing rapidly and poses a significant threat to cloud platforms. It may maliciously occupy computing resources and steal tenants’ private data. Environment-sensitive malware can identify its operating environment and perform different malicious behaviors in different environments, which greatly increases the difficulty of detection. At present, research on the automatic detection of environment-sensitive malware is still rare, but it is attracting more and more attention.

In this paper, we present FindEvasion, a cloud-oriented system for detecting environment-sensitive malware. FindEvasion makes full use of virtualization technology to transparently extract suspicious programs from the tenants’ Virtual Machines (VMs) and analyzes them in multiple operating environments. We introduce a novel algorithm, named Multiple Behavioral Sequences Similarity (MBSS), to compare a suspicious program’s behavioral profiles observed in multiple analysis environments and determine whether the suspicious program is environment-sensitive malware. The experimental results show that our approach produces better detection results than previous methods.
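As an added illustration of the cross-environment comparison the abstract describes (this is not code from the paper and not its MBSS algorithm), the following compares one sample's behavioral traces recorded in several analysis environments and flags the sample as environment-sensitive when any pair of traces diverges. The normalized longest-common-subsequence similarity, the threshold, the environment names and the traces are all assumptions.

```python
# Added illustration of cross-environment behavioural comparison.
# Not the paper's MBSS algorithm: the similarity measure (normalised
# longest common subsequence), the threshold and the traces are assumptions.
from itertools import combinations

def lcs_length(a, b):
    """Length of the longest common subsequence of two event sequences."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]

def sequence_similarity(a, b):
    """Normalised LCS in [0, 1]; 1.0 means the two traces are identical."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else lcs_length(a, b) / longest

def classify(profiles, threshold=0.6):
    """profiles: {environment_name: [behaviour events]} for one sample.
    Returns (is_environment_sensitive, min_similarity, least_similar_pair).
    A sample whose behaviour differs strongly between any two environments
    is reported as environment-sensitive."""
    worst = (1.0, None)
    for (e1, s1), (e2, s2) in combinations(profiles.items(), 2):
        sim = sequence_similarity(s1, s2)
        if sim < worst[0]:
            worst = (sim, (e1, e2))
    return worst[0] < threshold, worst[0], worst[1]

# Constructed sample traces (not real malware data): the same program
# observed on bare metal, inside a tenant VM, and inside a sandbox.
EVASIVE_SAMPLE = {
    "bare_metal": ["open_reg", "create_file", "connect", "send", "create_proc"],
    "xen_vm":     ["open_reg", "create_file", "connect", "send", "create_proc"],
    "sandbox":    ["open_reg", "query_cpuid", "exit"],   # bails out early
}
BENIGN_SAMPLE = {
    "bare_metal": ["open_reg", "create_file", "write_file", "exit"],
    "xen_vm":     ["open_reg", "create_file", "write_file", "exit"],
    "sandbox":    ["open_reg", "create_file", "write_file", "exit"],
}

if __name__ == "__main__":
    for name, profiles in (("evasive", EVASIVE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        flagged, sim, pair = classify(profiles)
        print(f"{name}: environment-sensitive={flagged} min_similarity={sim:.2f} pair={pair}")
```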



Acknowledgments

This paper is supported by the National Natural Science Foundation of China (NSFC) under Grant No. 61572481, the National Key Research and Development Program of China under Grant No. 2016YFB0801600 and the National Key Research and Development Program of China under Grant No. 2016QY04W0900.

Author information

Corresponding author

Correspondence to Qingjia Huang.

Copyright information

© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Jia, X., Zhou, G., Huang, Q., Zhang, W., Tian, D. (2018). FindEvasion: An Effective Environment-Sensitive Malware Detection System for the Cloud. In: Matoušek, P., Schmiedecker, M. (eds) Digital Forensics and Cyber Crime. ICDF2C 2017. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 216. Springer, Cham. https://doi.org/10.1007/978-3-319-73697-6_1

  • DOI: https://doi.org/10.1007/978-3-319-73697-6_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-73696-9

  • Online ISBN: 978-3-319-73697-6

  • eBook Packages: Computer Science (R0)
