DOI: 10.1145/3099012.3099015 (research article)

Architecture for Resource-Aware VMI-based Cloud Malware Analysis

Published: 19 June 2017

Abstract

Virtual machine introspection (VMI) is a technology with many possible applications, such as malware analysis and intrusion detection. However, the technique is resource intensive: inspecting program behavior requires recording a large number of events caused by the analyzed binary and related processes. In this paper we present an architecture that leverages cloud resources for virtual machine-based malware analysis in order to train a classifier for detecting cloud-specific malware. The architecture is designed with the resource consumption of VMI in production systems in mind, in particular the overhead of tracing a large set of system calls. To minimize the data acquisition overhead, we use a data-driven approach from the area of resource-aware machine learning. This approach lets us optimize the trade-off between malware detection performance and the overhead of our VMI-based tracing system.

Cited By

  • Nodeguard: A Virtualized Introspection Security Approach for the Modern Cloud Data Center. 2022 22nd IEEE International Symposium on Cluster, Cloud and Internet Computing (CCGrid), pp. 790-797, May 2022. DOI: 10.1109/CCGrid54584.2022.00093
  • Efficient Fingerprint Matching for Forensic Event Reconstruction. Digital Forensics and Cyber Crime, pp. 98-120, 7 Feb 2021. DOI: 10.1007/978-3-030-68734-2_6
  • Characterizing the Limitations of Forensic Event Reconstruction Based on Log Files. 2019 18th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/13th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), pp. 466-475, Aug 2019. DOI: 10.1109/TrustCom/BigDataSE.2019.00069

Published In

SHCIS '17: Proceedings of the 4th Workshop on Security in Highly Connected IT Systems
June 2017
53 pages
ISBN:9781450352710
DOI:10.1145/3099012
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Cloud Computing
  2. Dynamic Malware Analysis
  3. Machine Learning
  4. Virtual Machine Introspection

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

SHCIS '17

Acceptance Rates

SHCIS '17 paper acceptance rate: 8 of 11 submissions (73%)
Overall acceptance rate: 8 of 11 submissions (73%)

Article Metrics

  • Downloads (last 12 months): 2
  • Downloads (last 6 weeks): 1
Reflects downloads up to 25 Feb 2025
