Poster. DOI: 10.1145/2508859.2512518

POSTER: Introducing Pathogen: a real-time virtual machine introspection framework

Published: 04 November 2013

Abstract

In recent years, malware has grown rapidly both in complexity and in the rate at which it infects systems. Current-generation anti-virus and anti-malware software protects a system through locally installed monitoring agents that depend on vendor-generated signature and heuristic rules. Because these agents run inside the systems they are meant to protect, they are themselves targets for the malware they try to detect. Pathogen avoids this problem with a real-time system monitoring and analysis framework that uses virtual machine introspection (VMI) to observe a system from outside the virtual machine, without any agent installed in the guest. A central research problem in VMI is the semantic gap: how to parse and interpret the raw memory of a running system from outside that system, where nothing but bytes and page tables are visible. Pathogen's contribution is a lightweight introspection framework that bridges this gap.
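The semantic gap named in the abstract is concrete: a hypervisor-side monitor sees only guest physical memory, so to recover a process list it must (a) walk the guest's page tables to turn kernel virtual addresses into physical ones and (b) know the struct layouts of the kernel it is looking at. The following is an added illustration of both steps; it is not Pathogen's code and says nothing about how Pathogen itself is built. It assumes IA-32e 4-level paging with 4 KiB pages only, a constructed guest memory image, and a toy task layout (a list_head followed by a pid and a 16-byte name) that stands in for the profile a real tool would derive from symbols or kernel headers.

```python
"""Toy VMI pass: translate guest-virtual addresses through IA-32e 4-level
paging and walk a kernel task list from raw physical memory, using only an
externally supplied struct-layout profile. All memory here is constructed."""
import struct

PAGE = 0x1000
PRESENT = 1
ADDR_MASK = 0x000FFFFFFFFFF000  # bits 12..51 of a paging-structure entry


class PhysMem:
    """Guest physical memory as a hypervisor-side monitor would see it."""
    def __init__(self, size):
        self.buf = bytearray(size)
        self._next_free = 0x1000       # page 0 deliberately left unused

    def alloc_page(self):
        pa = self._next_free
        self._next_free += PAGE
        return pa

    def read(self, pa, n):
        if pa + n > len(self.buf):
            raise ValueError(f"physical read out of range: {pa:#x}")
        return bytes(self.buf[pa:pa + n])

    def write(self, pa, data):
        self.buf[pa:pa + len(data)] = data

    def read_u64(self, pa):
        return struct.unpack_from("<Q", self.buf, pa)[0]

    def write_u64(self, pa, v):
        struct.pack_into("<Q", self.buf, pa, v)


def translate(mem, cr3, va):
    """IA-32e walk PML4 -> PDPT -> PD -> PT for 4 KiB pages (no PS/large pages)."""
    table = cr3 & ADDR_MASK
    for shift in (39, 30, 21, 12):
        entry = mem.read_u64(table + ((va >> shift) & 0x1FF) * 8)
        if not entry & PRESENT:
            raise LookupError(f"guest VA {va:#x} not present (level shift {shift})")
        table = entry & ADDR_MASK
    return table | (va & 0xFFF)


def map_page(mem, cr3, va, pa):
    """Builder side of the constructed guest: install entries so VA -> PA."""
    table = cr3
    for shift in (39, 30, 21):
        slot = table + ((va >> shift) & 0x1FF) * 8
        entry = mem.read_u64(slot)
        if not entry & PRESENT:
            entry = mem.alloc_page() | PRESENT
            mem.write_u64(slot, entry)
        table = entry & ADDR_MASK
    mem.write_u64(table + ((va >> 12) & 0x1FF) * 8, pa | PRESENT)


def read_virt(mem, cr3, va, n):
    """Read n bytes at a guest VA, translating separately across page boundaries."""
    out = b""
    while n:
        pa = translate(mem, cr3, va)
        chunk = min(n, PAGE - (va & 0xFFF))
        out += mem.read(pa, chunk)
        va, n = va + chunk, n - chunk
    return out


# Profile: the struct layout the monitor must know to interpret guest bytes.
# Assumed toy layout, not any real kernel's: list_head {next, prev} at 0,
# 32-bit pid at 0x10, 16-byte name at 0x18.
PROFILE = {"tasks": 0x00, "pid": 0x10, "comm": 0x18, "size": 0x28}


def walk_tasks(mem, cr3, init_task_va, profile=PROFILE, limit=1024):
    """Follow tasks.next from init_task until the list wraps; return [(pid, name)]."""
    seen, result, va = set(), [], init_task_va
    while va not in seen and len(seen) < limit:
        seen.add(va)
        raw = read_virt(mem, cr3, va, profile["size"])
        pid = struct.unpack_from("<I", raw, profile["pid"])[0]
        name = raw[profile["comm"]:profile["comm"] + 16].split(b"\0", 1)[0]
        result.append((pid, name.decode("ascii", "replace")))
        nxt = struct.unpack_from("<Q", raw, profile["tasks"])[0]
        va = nxt - profile["tasks"]    # container_of: list_head -> enclosing task
    return result


def build_guest(names, base_va=0xFFFFFFFF81000000):
    """Constructed guest: one task per page, circularly linked; returns (mem, cr3, init_va)."""
    mem = PhysMem(0x20000)
    cr3 = mem.alloc_page()
    vas = [base_va + i * PAGE for i in range(len(names))]
    for i, (va, name) in enumerate(zip(vas, names)):
        pa = mem.alloc_page()
        map_page(mem, cr3, va, pa)
        nxt = vas[(i + 1) % len(vas)] + PROFILE["tasks"]
        prv = vas[(i - 1) % len(vas)] + PROFILE["tasks"]
        mem.write(pa, struct.pack("<QQI", nxt, prv, i) + b"\0" * 4 + name.ljust(16, b"\0"))
    return mem, cr3, vas[0]


if __name__ == "__main__":
    mem, cr3, init = build_guest([b"swapper", b"init", b"sshd", b"bash"])
    for pid, comm in walk_tasks(mem, cr3, init):
        print(f"{pid:5d} {comm}")
```

Everything the monitor needs that is not in the bytes themselves lives in `PROFILE` and in the paging rules: change the struct offsets and the same memory image decodes into garbage, which is exactly why agentless tools must carry per-kernel layout knowledge. The walk also stops on a revisited address, so a corrupted or deliberately looped `next` pointer cannot spin the monitor forever.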

Published In

CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
November 2013
1530 pages
ISBN:9781450324779
DOI:10.1145/2508859
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. introspection
  2. malware
  3. monitoring
  4. security

Qualifiers

  • Poster

Conference

CCS '13

Acceptance Rates

CCS '13 Paper Acceptance Rate 105 of 530 submissions, 20%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Cited By

  • (2023) Mitigating Risks in the Cloud-Based Metaverse Access Control Strategies and Techniques. International Journal of Cloud Applications and Computing 14(1), 1-30. DOI: 10.4018/IJCAC.334364. Published 1 Dec 2023.
  • (2023) GooseBt: A programmable malware detection framework based on process, file, registry, and COM monitoring. Computer Communications 204, 24-32. DOI: 10.1016/j.comcom.2023.03.011. Published Apr 2023.
  • (2019) Review: Build a Roadmap for Stepping Into the Field of Anti-Malware Research Smoothly. IEEE Access 7, 143573-143596. DOI: 10.1109/ACCESS.2019.2945787. Published 2019.
  • (2018) Secure Virtualization Environment Based on Advanced Memory Introspection. Security and Communication Networks 2018 (21). DOI: 10.1155/2018/9410278. Published 1 Mar 2018.
  • (2015) Exploring VM Introspection. ACM SIGPLAN Notices 50(7), 133-146. DOI: 10.1145/2817817.2731196. Published 14 Mar 2015.
  • (2015) Memory Interface Design for 3D Stencil Kernels on a Massively Parallel Memory System. ACM Transactions on Reconfigurable Technology and Systems 8(4), 1-24. DOI: 10.1145/2800788. Published 11 Sep 2015.
  • (2015) Low-Overhead FPGA Middleware for Application Portability and Productivity. ACM Transactions on Reconfigurable Technology and Systems 8(4), 1-22. DOI: 10.1145/2746404. Published 11 Sep 2015.
  • (2015) SuperDragon. ACM Transactions on Reconfigurable Technology and Systems 8(4), 1-22. DOI: 10.1145/2740966. Published 13 Sep 2015.
  • (2015) Exploring VM Introspection. Proceedings of the 11th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, 133-146. DOI: 10.1145/2731186.2731196. Published 14 Mar 2015.
  • (2015) The Table-Hadamard GRNG. ACM Transactions on Reconfigurable Technology and Systems 8(4), 1-22. DOI: 10.1145/2629607. Published 24 Sep 2015.
