MAVMM: Lightweight and Purpose Built VMM for Malware Analysis

Nguyen, Anh; Schear, Nabíl; Jung, HeeDong; Godiyal, Apeksha; King, Samuel T.; Nguyen, Hai Duc

doi:10.1109/acsac.2009.48

Cited by 52 publications

(28 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Behavior-based detection is effective to defeat the obfuscation techniques; however, its extracting subsystem is too complicated to deploy. In addition, this method belongs to dynamic detection type so it itself has the natural problems of a monitoring system [3]. For instance, the silent malware is used VMM (Virtual Machine Monitor) detection techniques: IDT check, LDT check, MCW check or Virtual PC Special Instruction [3] to detect its executing environment that is whether virtual or not and then automatically changes to the appropriate behavior.…”

Section: Introductionmentioning

confidence: 99%

Semantic Set Analysis for Malware Detection

Nhuong

Nhi

Cam

et al. 2014

Computer Information Systems and Industrial Management

View full text Add to dashboard Cite

Abstract. Nowadays, malware is growing rapidly through the last few years and becomes more and more sophisticated as well as dangerous. A striking malware is obfuscation malware that is very difficult to detect. This kind of malware can create new variants that are similar to original malware feature but different about code. In order to deal with such types of malware, many approaches have been proposed, however, some of these approaches are ineffective due to their limited detection range, huge overheads or manual stages. Malware detection based on signature, for example, cannot overcome the obfuscation techniques of malware. Likewise, the behavior-based methods have the natural problems of a monitoring system such as recovery costs and long-lasting detection time. In this paper, we propose a new method (semantic set method) to detect metamorphic malware effectively by using semantic set (a set of changed values of registers or variables allocated in memory when a program is executed). For more details, this semantic set is analyzed by n-gram separator and Naïve Bayes classifier to increase detection accuracy and reduce detection time. This system has been already experimented on different datasets and got the accuracy up to 98% and detection rate almost 100%.

show abstract

Section: Introductionmentioning

confidence: 99%

Semantic Set Analysis for Malware Detection

Nhuong

Nhi

Cam

et al. 2014

Computer Information Systems and Industrial Management

View full text Add to dashboard Cite

show abstract

“…Onoe et al present a method to filter system calls based on security policies [16]. MAVMM, a custom, lightweight VMM designed for malware detection [15] also utilizes system call interception. Ether [6] uses the same interception mechanism, but focuses on keeping its presence undetectable by malware.…”

Section: Related Workmentioning

confidence: 99%

“…Some have shown that the VMM can infer a great deal of information about the guest (both the applications and the kernel) through indirect means [8,7]. These techniques have particularly useful applications in security, where trust can be placed in the VMM to detect attacks and malicious processes [5,9,18,15].…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Shifting GEARS to enable guest-context virtual services

Hale

Lei

Dinda

2012

Proceedings of the 9th International Conference on Autonomic Computing

View full text Add to dashboard Cite

We argue that the implementation of VMM-based virtual services for a guest should extend into the guest itself, even without its cooperation. Placing service components directly into the guest OS or application can reduce implementation complexity and increase performance. In this paper we show that the set of tools in a VMM required to enable a broad range of such guest-context services is fairly small. Further, we outline and evaluate these tools and describe their design and implementation in the context of Guest Examination and Revision Services (GEARS), a new framework within the Palacios VMM. We then describe two example GEARS-based services-an MPI communication accelerator and an overlay networking accelerator-that illustrate the benefits of allowing virtual service implementations to span across the VMM, guest, and application. Other VMMs could employ the ideas and tools in GEARS.

show abstract

“…On one hand, virtual machines (VMs) help improve security in the cloud computing infrastructure through greater isolation and more transparent malware analysis and intrusion detection (e.g. Nguyen et al (2009); Oliveira and Wu (2009) ;Riley et al (2008); Dinaburg et al (2008); Dunlap et al (2002); Garfinkel and Rosenblum (2003); Joshi et al (2005); Seshadri et al (2007); Payne et al (2008); Kourai and Chiba (2005)). On the other hand, virtualization also gives rise to new challenges in maintaining security and privacy in cloud computing infrastructures.…”

Section: Introductionmentioning

confidence: 99%

Privacy-preserving virtual machine checkpointing mechanism

Gofman

Luo

Wyszynski

et al. 2014

IJCC

View full text Add to dashboard Cite

Virtual Machines (VMs) have been widely adopted in cloud platforms to improve server consolidation and reduce operating costs. VM checkpointing is used to capture a persistent snapshot of a running VM and to later restore the VM to a previous state. Although VM checkpointing eases system administration, such as in recovering from a VM crash or undoing a previous VM activity, it can also increase the risk of exposing users' confidential data. This is because the checkpoint may store a VM's physical memory pages and disk contents that contain confidential data such as clear text passwords and credit card numbers. This paper presents the design and implementation of SPARC, a Security and Privacy AwaRe virtual machine Checkpointing mechanism. SPARC enables users to selectively exclude users' confidential data within a VM from being checkpointed. We describe the design challenges in effectively tracking and excluding process-specific memory and disk contents from the checkpoint file for a VM running on the commodity Linux operating system. We also present techniques to track process dependencies due to inter-process communication and to account for such dependencies in SPARC .

show abstract

MAVMM: Lightweight and Purpose Built VMM for Malware Analysis

Cited by 52 publications

References 12 publications

Semantic Set Analysis for Malware Detection

Semantic Set Analysis for Malware Detection

Shifting GEARS to enable guest-context virtual services

Privacy-preserving virtual machine checkpointing mechanism

Contact Info

Product

Resources

About