Rootkit detection on virtual machines through deep information extraction at hypervisor-level

Xie, Xiongwei; Wang, Weichao

doi:10.1109/cns.2013.6682767

Cited by 7 publications

(2 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Memory forensic analysis relies on memory images, such as VM (Virtual Machine) images, to deduce the potential existence of malicious software or applications [12,13]. While certain techniques aim to reduce the number of memory checks required, this approach fundamentally differs from our proposal.…”

Section: Related Workmentioning

confidence: 98%

JITScanner: Just-in-Time Executable Page Check in the Linux Operating System

Caporaso,

Bianchi,

Quaglia

2024

Applied Sciences

View full text Add to dashboard Cite

Modern malware poses a severe threat to cybersecurity, continually evolving in sophistication. To combat this threat, researchers and security professionals continuously explore advanced techniques for malware detection and analysis. Dynamic analysis, a prevalent approach, offers advantages over static analysis by enabling observation of runtime behavior and detecting obfuscated or encrypted code used to evade detection. However, executing programs within a controlled environment can be resource-intensive, often necessitating compromises, such as limiting sandboxing to an initial period. In our article, we propose an alternative method for dynamic executable analysis: examining the presence of malicious signatures within executable virtual pages precisely when their current content, including any updates over time, is accessed for instruction fetching. Our solution, named JITScanner, is developed as a Linux-oriented package built upon a Loadable Kernel Module (LKM). It integrates a user-level component that communicates efficiently with the LKM using scalable multi-processor/core technology. JITScanner’s effectiveness in detecting malware programs and its minimal intrusion in normal runtime scenarios have been extensively tested, with the experiment results detailed in this article. These experiments affirm the viability of our approach, showcasing JITScanner’s capability to effectively identify malware while minimizing runtime overhead.

show abstract

Section: Related Workmentioning

confidence: 98%

JITScanner: Just-in-Time Executable Page Check in the Linux Operating System

Caporaso,

Bianchi,

Quaglia

2024

Applied Sciences

View full text Add to dashboard Cite

show abstract

“…Similar to our work, Forensic VMs [33] rely on VMI to analyze VMs for attacks, but they cannot provide automated post attack analysis or the zero window of vulnerability guarantees oered by CRIMES. Other approaches to providing security in the hypervisor include virus scanning [28], root kit detection [39], etc. Such systems could be incorporated into CRIMES as detection modules, granting them the ability to not only detect attacks, but perform additional analysis afterwards.…”

Section: Related Workmentioning

confidence: 99%

Crimes

Rajasekaran

Chawla

Zhang

et al. 2018

Proceedings of the 19th International Middleware Conference

View full text Add to dashboard Cite

Cloud applications are appealing targets to attackers, yet current cloud infrastructures have few ways of helping defend their customers from attacks. However, the use of virtual machines, and the economy of scale found in cloud platforms, provides an opportunity to oer strong security guarantees to tenants at low cost to the cloud provider. We present CRIMES, an evidence based, modular security framework for cloud platforms that uses speculative execution coupled with memory introspection tools to detect malicious behavior in real time. By buering VM outputs (i.e., outgoing network packets and disk writes) until a scan has been completed, CRIMES gives strong guarantees about the amount of damage an attack can do, while minimizing overheads. When an attack is detected, CRIMES rolls back to a recent checkpoint and performs automated forensic analysis to help pinpoint the source of an attack. Our evaluation demonstrates that CRIMES incurs less overhead compared to memory protection tools such as AddressSanitizer, while oering valuable forensic analysis for buer overow attacks and malware detection across multiple applications and the OS. CCS CONCEPTS • Security and privacy → Virtualization and security; Distributed systems security;

show abstract

Memory Access Monitoring and Disguising of Process Information to Avoid Attacks to Essential Services

Sato

Yamauchi

Takahashi

2016

2016 Fourth International Symposium on Computing and Networking (CANDAR)

View full text Add to dashboard Cite

To prevent attacks on essential software and to mitigate damage, an attack avoiding method that complicates process identification from attackers is proposed. This method complicates the identification of essential services by replacing process information with dummy information. However, this method allows attackers to identify essential processes by detecting changes in process information. To address this problems and provide more complexity to process identification, this paper proposes a memory access monitoring by using a virtual machine monitor. By manipulating the page access permission, a virtual machine monitor detects page access, which includes process information, and replaces it with dummy information. This paper presents the design, implementation, and evaluation of the proposed method.

show abstract

Rootkit detection on virtual machines through deep information extraction at hypervisor-level

Cited by 7 publications

References 7 publications

JITScanner: Just-in-Time Executable Page Check in the Linux Operating System

JITScanner: Just-in-Time Executable Page Check in the Linux Operating System

Crimes

Memory Access Monitoring and Disguising of Process Information to Avoid Attacks to Essential Services

Contact Info

Product

Resources

About