research-article

Architecture for Resource-Aware VMI-based Cloud Malware Analysis

Authors:

Benjamin Taubmann,

Bojan KolosnjajiAuthors Info & Claims

SHCIS '17: Proceedings of the 4th Workshop on Security in Highly Connected IT Systems

Pages 43 - 48

https://doi.org/10.1145/3099012.3099015

Published: 19 June 2017 Publication History

Abstract

Virtual machine introspection (VMI) is a technology with many possible applications, such as malware analysis and intrusion detection. However, this technique is resource intensive, as inspecting program behavior includes recording of a high number of events caused by the analyzed binary and related processes. In this paper we present an architecture that leverages cloud resources for virtual machine-based malware analysis in order to train a classifier for detecting cloud-specific malware. This architecture is designed while having in mind the resource consumption when applying the VMI-based technology in production systems, in particular the overhead of tracing a large set of system calls. In order to minimize the data acquisition overhead, we use a data-driven approach from the area of resource-aware machine learning. This approach enables us to optimize the trade-off between malware detection performance and the overhead of our VMI-based tracing system.

References

[1]

2017. VirusTotal Statistics. https://www.virustotal.com/sr/statistics/. (2017). {Accessed: 2017-04-02}.

[2]

Hyun-wook Baek, Abhinav Srivastava, and Jacobus Van Der Merwe. 2014. Cloud-VMI: Virtual Machine Introspection As a Cloud Service. In Proc. of the 2014 IEEE Int. Conf. on Cloud Engineering (IC2E '14). 153--158.

Digital Library

[3]

Jan K Chorowski, Dzmitry Bahdanau, Dmitriy Serdyuk, Kyunghyun Cho, and Yoshua Bengio. 2015. Attention-based models for speech recognition. In Advances in Neural Information Processing Systems. 577--585.

Digital Library

[4]

Gabriella Contardo, Ludovic Denoyer, and Thierry Artières. 2016. Recurrent neural networks for adaptive feature acquisition. In International Conference on Neural Information Processing. Springer, 591--599.

[5]

Google Inc. 2017. Rekall Memory Forensic Framework. (2017). http://www.rekall-forensic.com/, {Accessed: 2017-03-31}.

[6]

N. Gruschka and M. Jensen. 2010. Attack Surfaces: A Taxonomy for Attacks on Cloud Services. In IEEE 3rd International Conference on Cloud Computing (CLOUD). 276--279.

Digital Library

[7]

Katherine Heller, Krysta Svore, Angelos D Keromytis, and Salvatore Stolfo. 2003. One Class Support Vector Machines for Detecting Anomalous Windows Registry Accesses. In Workshop on Data Mining for Computer Security (DMSEC).

[8]

Bhushan Jain, Mirza Basim Baig, Dongli Zhang, Donald E. Porter, and Radu Sion. 2014. SoK: Introspections on Trust and the Semantic Gap. In IEEE Symposium on Security and Privacy. 605--620.

Digital Library

[9]

Shihao Ji and Lawrence Carin. 2007. Cost-sensitive feature acquisition and classification. Pattern Recognition 40, 5 (2007), 1474--1485.

Digital Library

[10]

David Johnson, Mike Hibler, and Eric Eide. 2014. Composable Multi-Level Debugging with Stackdb. In Proceedings of the 10th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE '14). 213--225.

Digital Library

[11]

Tamas K. Lengyel, Steve Maresca, Bryan D. Payne, George D. Webster, Sebastian Vogl, and Aggelos Kiayias. 2014. Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System. In Proceedings of the 30th Annual Computer Security Applications Conference (ACSAC '14). ACM, New York, NY, USA, 386--395.

Digital Library

[12]

Bryan D. Payne. 2017. LibVMI. (2017). https://code.google.com/p/vmitools/ {Accessed: 2016-10-14}.

[13]

Jonas Pfoh, Christian Schneider, and Claudia Eckert. 2013. Leveraging String Kernels for Malware Detection. In International Conference on Network and System Security.

[14]

Konrad Rieck, Thorsten Holz, Carsten Willems, Patrick Düssel, and Pavel Laskov. 2008. Learning and Classification of Malware Behavior. In dimva.

Digital Library

[15]

Martin Roesch. 1999. Snort - Lightweight Intrusion Detection for Networks. In Proceedings of the 13th USENIX Conference on System Administration (LISA '99). USENIX Association, Berkeley, CA, USA, 229--238. http://dl.acm.org/citation.cfm?id=1039834.1039864

Digital Library

[16]

Sheng-syun Shen and Hung-yi Lee. 2016. Neural Attention Models for Sequence Classification: Analysis and Application to Key Term Extraction and Dialogue Act Detection. CoRR abs/1604.00077 (2016). http://arxiv.org/abs/1604.00077

[17]

Benjamin Taubmann, Christoph Frädrich, Dominik Dusold, and Hans P. Reiser. 2016. Tlskex: Harnessing virtual machine introspection for decrypting TLS communication. In DFRWS' 16.

[18]

B. Taubmann, N. Rakotondravony, and H. P. Reiser. 2016. CloudPhylactor: Harnessing Mandatory Access Control for Virtual Machine Introspection in Cloud Data Centers. In 2016 IEEE Trustcom/BigDataSE/ISPA. 957--964.

[19]

Florian Tegeler, Xiaoming Fu, Giovanni Vigna, and Christopher Kruegel. 2012. Botfinder: Finding Bots in Network Traffic Without Deep Packet Inspection. In conext.

Digital Library

[20]

The Volatility Foundation. 2017. Volatility - Open Source Memory Forensics. (2017). http://www.volatilityfoundation.org/ {Accessed: 2017-03-31}.

[21]

Christina Warrender, Stephanie Forrest, and Barak Pearlmutter. 1999. Detecting Intrusions Using System Calls: Alternative Data Models.

Cited By

Shamseddine MAl-Dulaimy AItani WNolte TPapadopoulos A(2022)Nodeguard: A Virtualized Introspection Security Approach for the Modern Cloud Data Center2022 22nd IEEE International Symposium on Cluster, Cloud and Internet Computing (CCGrid)10.1109/CCGrid54584.2022.00093(790-797)Online publication date: May-2022
https://doi.org/10.1109/CCGrid54584.2022.00093
Latzo T(2021)Efficient Fingerprint Matching for Forensic Event ReconstructionDigital Forensics and Cyber Crime10.1007/978-3-030-68734-2_6(98-120)Online publication date: 7-Feb-2021
https://doi.org/10.1007/978-3-030-68734-2_6
Latzo TFreiling F(2019)Characterizing the Limitations of Forensic Event Reconstruction Based on Log Files2019 18th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/13th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE)10.1109/TrustCom/BigDataSE.2019.00069(466-475)Online publication date: Aug-2019
https://doi.org/10.1109/TrustCom/BigDataSE.2019.00069

Index Terms

Architecture for Resource-Aware VMI-based Cloud Malware Analysis
1. Security and privacy
  1. Systems security
    1. Operating systems security
      1. Virtualization and security
2. Theory of computation
  1. Theory and algorithms for application domains
    1. Machine learning theory

Recommendations

Scalability, fidelity and stealth in the DRAKVUF dynamic malware analysis system
ACSAC '14: Proceedings of the 30th Annual Computer Security Applications Conference

Malware is one of the biggest security threats on the Internet today and deploying effective defensive solutions requires the rapid analysis of a continuously increasing number of malware samples. With the proliferation of metamorphic malware the ...
Virtual Machine Introspection
SIN '14: Proceedings of the 7th International Conference on Security of Information and Networks

Due to exposure to the Internet, virtual machines (VMs) as forms of delivering virtualized infrastructures and resources represent a first point-of-target for security attackers who want to gain access into the virtualization environment. In-VM ...
Automated multi-level malware detection system based on reconstructed semantic view of executables using machine learning techniques at VMM

In order to fulfill the requirements like stringent timing restraints and demand on resources, CyberPhysical System (CPS) must deploy on the virtualized environment such as cloud computing. To protect Virtual Machines (VMs) in which CPSs are functioning ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

SHCIS '17: Proceedings of the 4th Workshop on Security in Highly Connected IT Systems

June 2017

53 pages

ISBN:9781450352710

DOI:10.1145/3099012

Copyright © 2017 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 19 June 2017

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Funding Sources

Conference

SHCIS '17

SHCIS '17: Workshop on Security in Highly Connected IT Systems

June 19 - 22, 2017

Neuchâtel, Switzerland

Acceptance Rates

SHCIS '17 Paper Acceptance Rate 8 of 11 submissions, 73%;

Overall Acceptance Rate 8 of 11 submissions, 73%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
176
Total Downloads

Downloads (Last 12 months)2
Downloads (Last 6 weeks)1

Reflects downloads up to 25 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Shamseddine MAl-Dulaimy AItani WNolte TPapadopoulos A(2022)Nodeguard: A Virtualized Introspection Security Approach for the Modern Cloud Data Center2022 22nd IEEE International Symposium on Cluster, Cloud and Internet Computing (CCGrid)10.1109/CCGrid54584.2022.00093(790-797)Online publication date: May-2022
https://doi.org/10.1109/CCGrid54584.2022.00093
Latzo T(2021)Efficient Fingerprint Matching for Forensic Event ReconstructionDigital Forensics and Cyber Crime10.1007/978-3-030-68734-2_6(98-120)Online publication date: 7-Feb-2021
https://doi.org/10.1007/978-3-030-68734-2_6
Latzo TFreiling F(2019)Characterizing the Limitations of Forensic Event Reconstruction Based on Log Files2019 18th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/13th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE)10.1109/TrustCom/BigDataSE.2019.00069(466-475)Online publication date: Aug-2019
https://doi.org/10.1109/TrustCom/BigDataSE.2019.00069

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten