Chaoyuan Cui,Yun Wu,Ping Li,Rujing Wang

DOI: https://doi.org/10.2991/ccis-13.2013.59

2013-01-01

Abstract:With the development of the Cloud computing, more and more people are accustomed to resource sharing or online shopping. And malware has become a major threat to the Cloud safety. Process hiding is a powerful technique commonly used by stealthy malware to evade detection by anti-malware. In this paper, we present a novel approach called VMPmonitor-an efficient modularity approach for hidden process detection. With the help of the guest OS register information (mainly the ESP) collected by virtual machine monitor, VMPmonitor can implicitly capture the hidden process information of target guest OS. Compared to other approaches, VMPmonitor obtains guest process information implicitly. Using implicit information reduces its susceptibility to guest evasion attack. Experimental result shows that VMPmonitor has better reliability and accuracy.

Peng Jiang,Hongyi Wu,Cong Wang,Chunsheng Xin

DOI: https://doi.org/10.1109/ICC.2018.8422830

2018-01-01

Abstract:Identity-based attacks such as MAC spoofing are common in wireless networks. The recently developed virtualization technologies bring a new type of MAC spoofing attack, virtual MAC spoofing. This makes it even more challenging to detect such attacks, especially in a tight environment with spatial similarities. In this paper, we design, implement and evaluate a system to effectively detect virtual MAC spoofing attacks via deep learning. A deep convolutional neural network is constructed to extract physical features from CSI obtained from packet transmissions, to detect virtual MAC spoofing attacks. An important merit of the proposed detection system is that this system can distinguish two devices even at the same location, which was not well addressed by previous approaches. Our extensive experimental results demonstrate the effectiveness of the system with an average detection accuracy of 95%, even when devices are co-located.

Xiao-can ZHAO,Ju REN,Yang XU,Guo-jun WANG

DOI: https://doi.org/10.19304/j.cnki.issn1000-7180.2017.12.023

2017-01-01

Abstract:In recent years ,the stealth of malware is getting stronger and stronger .In this paper ,a SMM-based Hidden process Detection model (SHPD) is proposed .SHPD can effectively detect the stealthy process in system while ensuring its own transparency .SHPD consists of two parts :the client and the monitor .The client ,which implemented in BIOS ,uses both internal and external semantic information to establish multiple views of processes in OS and sends those process views to the monitor .The monitor identifies the stealthy process by comparing the differences between the views .In the paper ,we build a prototype system under the support of the SHPD theory , and conduct functional testing and analysis .The experimental results verify the feasibility of SHPD .

Haibo Chen,Pengcheng Liu,Rong Chen,Binyu Zang

2007-01-01

Abstract:Processes in commodity operating systems are “wild” 1 in nature: They are usually granted with excessive privileges, yet can be easily compromised and abused. Unfortunately, since commodity operating systems are big, complex, thus inherently untrusted, monitoring process behaviors within them is inherently insecure and could be circumvented or tampered. In this paper, we present an approach, named VMM-based process shepherding, to prevent, detect and isolate harmful behaviors (e.g. intrusions) of wild processes. The key idea of our approach is using a virtual machine monitor (VMM) to shepherd all privileged operations made by a wild process, in terms of system calls. As a VMM can easily be adjusted to intercept all system calls from a process running within operating systems thereon, such interception is mandatory and can not be bypassed. Further, as our approach is completely implemented in VMMs, it can result in good operating system transparency and portability. We provide three techniques as building blocks to process shepherding. First, the VMM prohibits any unauthorized accesses to privileged resources (e.g. system configuration files) using policy-based system call auditing. Second, the VMM uses system call sequences to detect possible malicious behaviors. Unexpected system call sequences should be considered as evidences for misbehaving. Third, the VMM isolates all suspect operations and discard them once a wild process is identified as malicious. Based on the three techniques, our approach tends to be safe and non-intrusive, that is, it can isolate damages made by a wild process. We present Shepherd, a prototype system based on Xen VMM, and evaluate it against real-life applications. According to our evaluation, Shepherd is resistant against several recent real-life attacks. Performance measurements show that our implementation incurs only a small amount of performance overhead.

YongGang Li,ChaoYuan Cui,BingYu Sun,WenBo Li

DOI: https://doi.org/10.3966/160792642018091905011

2018-01-01

Abstract:With the spread of malwares, the security of virtual machine (VM) is suffering severe challenges recent years. Rootkits and their variants can hide themselves and other kernel objects such as processes, files, and modules making malicious activity hard to be detected. The existed solutions are either coarse-grained, monitoring at virtual machine level, or non-universal, only supporting specific operating system with specific modification. In this paper, we propose a fine-grained approach called HODetector based on static semantic information library (SSIL) to detect the hidden objects outside VM. We have deployed HODetector prototype on Xen virtualization platform and used it to detect the processes, files, and modules hidden by rootkits. The experiment results show that HODetector is effective for different rootkits and general for Linux operating system with various kernels.

Tengfei Yi,Aijun Zong,Miao Yu,Shang Gao,Qian Lin,Peijie Yu,Zhong Ren,Zhengwei Qi

DOI: https://doi.org/10.1109/icrccs.2009.63

2009-01-01

Abstract:Anti-debugging technique is widely used to protect executable files in commercial software applications. However, most of contemporary anti-debugging products fail to guarantee their functionalities in that when the application code is running on Ring 0 or above, malicious attackers can still manipulate it to block the anti-debugging process. This paper introduces an anti-debugging framework based on hardware virtualization technology called Virtual Machine Monitor (VMM), which can monitor each code running above its privilege level on Intel x86 platform. Our experiments demonstrate that major debuggers running on Microsoft Windows, such as VC2005 and WinDBG, are incapable to debug the target application with the protection of our anti-debugging framework.

Mohammed Nasereddin,Raad Al-Qassas

DOI: https://doi.org/10.1007/s10207-024-00836-w

2024-03-17

International Journal of Information Security

Abstract:This paper introduces a new approach for examining and analyzing fileless malware artifacts in computer memory. The proposed approach offers the distinct advantage of conducting a comprehensive live analysis of memory without the need for periodic memory dumping. Once a new process arrives, log files are collected by monitoring the Event Tracing for Windows facility as well as listing the executables of the active process for violation detection. The proposed approach significantly reduces detection time and minimizes resource consumption by adopting parallel computing (programming), where the main software (Master) divides the work, organizes the process of searching for artifacts, and distributes tasks to several agents. A dataset of 17411 malware samples is used in the assessment of the new approach. It provided satisfactory and reliable results in dealing with at least six different process injection techniques including classic DLL injection, reflective DLL injection, process hollowing, hook injection, registry modifications, and .NET DLL injection. The detection accuracy rate has reached with a false-positive rate of . Moreover, the accuracy was monitored in the case of launching several malwares using different process injection techniques simultaneously, and the detector was able to detect them efficiently. Also, it achieved a detection time with an average of 0.052 msec per detected malware.

computer science, information systems, theory & methods, software engineering

杜海,陈榕

DOI: https://doi.org/10.3969/j.issn.1000-3428.2009.08.030

2009-01-01

Abstract:Aiming at the problems existed in Operating System(OS) process monitoring, a new full-virtualization-based process monitoring method is proposed. It uses full virtualization technology to detect and isolate all the harmful behaviors of untrusted processes in OS. Experimental results show this method has better performances of pellucidity and portability, which can prevent against multiple attacks and incur only a small amount of performance overhead.

Menglong Jiang,Zhengwei Qi,Haibing Guan,Anil Kumar Karna

DOI: https://doi.org/10.1109/FCST.2009.26

2009-01-01

Abstract:With the development of network malicious code, the existing security holes in present systems facilitate data loss. Though protection methods and software are updated day by day, some recent rootkits, that can still invisibly access kernel, make new challenges for the system security. The focal point on system security is how to protect a chosen process on the infected operating system. Process protection and monitoring are becoming more and more important for emerging networks and systems. In this paper, we present a new technique, Croth, which is based on hardware virtualization technology. It introduces a novel mechanism, Cape, that is located in virtual machine monitor (VMM). The main work of Cape is to emulate most of the operations originally done by operating system. This primitive offers an additional dimension of protection beyond the hierarchical protection domains, implemented by traditional operating systems and processor architectures. The design and implementation of hiding sensitive data is also presented in this paper. Our design has been fully implemented and used to protect a wide range of legacy process without any modification on Windows operating system. Our experimental result shows that the operating system could not get accurate data while the chosen process is controlled by Croth. It has provided a little performance overhead, however, performance is still acceptable.

李佳静,梁知音,韦韬,邹维,毛剑

DOI: https://doi.org/10.3724/sp.j.1001.2010.03507

2010-01-01

Abstract:In this paper, a novel method is presented to solve these problems.This method processes the X86 executable programs statically, so it has a higher code coverage than dynamic methods.Besides, it employs a data flow analysis method to identify the jump targets for indirect jumps.It also utilizes optimized tainting mark rules based on the operation semantic of branch conditions.Experiments on 103 real malwares and 7 benign softwares show that the proposed method has the following advantages: For Trojan-spy program detection, it can reduce the false negatives caused by the explicit-flow-sensitive method, and it is effective in dealing with information steal behaviors triggered by some particular conditions.For benign program analysis, it can reduce most of the tainted branches that should be tracked in the original implicit-flow-sensitive method without optimization.

guofeng wang,chuanyi liu,jie lin

DOI: https://doi.org/10.1007/978-3-662-43908-1_4

2014-01-01

Abstract:Modern malware attacks are designed intricately, transport data encrypted, so monitoring network traffic can't solve such attacks completely. Therefore, network monitoring and analysis need to be combined with system behavior monitoring and memory analysis, and the latter is more important. In this article we propose a hardware-based virtualization prototype system, combined with memory analysis tools to monitor and counterwork malicious attacks actively. The system is based on Xen virtualization platform, which monitoring virtual machine behavior by capturing specific events. The events are triggered by some specific behaviors associated with malicious software monitoring, such as executing privileged instruction, system calls, memory writing, etc. When necessary, we can dump the memory of the virtual machine, use memory analysis tools for detailed analysis, so as to achieve the purpose of monitoring and counterworking.

Radu Marian Portase,Andrei Marius Muntea,Andrei Mermeze,Adrian Colesa,Gheorghe Sebestyen

DOI: https://doi.org/10.3390/s24165118

2024-08-07

Abstract:Behavioral malware detection is based on attributing malicious actions to processes. Malicious processes may try to hide by changing the behavior of other benign processes to achieve their goals. We showcase how Component Object Model (COM) and Windows Management Instrumentation (WMI) can be used to create such spoofing attacks. We discuss the internals of COM and WMI and Asynchronous Local Procedure Call (ALPC). We present multiple functional monitoring techniques to identify the spoofing and discuss the strong and weak points of each technique. We create a robust process monitoring system that can correctly identify the source of malicious actions spoofed via COM, WMI and ALPC with a low performance impact. Finally, we discuss how malicious actors use COM, WMI and ALPC by examining real-world malware detected by our monitoring system.

Xianming Zhong,Chengcheng Xiang,Miao Yu,Zhengwei Qi,Haibing Guan

DOI: https://doi.org/10.1007/s10766-013-0285-2

2015-01-01

International Journal of Parallel Programming

Abstract:Digital evidences hold great significance for governing cybercrime. Unfortunately, previous acquisition tools were troubled by either the shortage of suspending the target system's running or the security of the acquisition tools themselves, thus the correctness and accuracy of their obtained evidences cannot be guaranteed. In this paper, we propose VAIL, a novel virtualization based monitoring system for mini-intrusive live forensics, which employs hardware assisted virtualization technique to gather integrated information from the native computer system. Meanwhile, the execution of the target system will not be interrupted and VAIL keeps immune to attacks from the target system. We have implemented a proof-of-concept prototype that has been validated with a Windows guest system. The experimental results show that VAIL can obtain comprehensive digital evidences from the target system as designed, including the CPU state, the physical memory content, and the I/O activities. And on average, VAIL only introduces 4.21 % performance overhead to the target system, which proves that VAIL is practical in real commercial environments.

Jian Wang,Lingzhi Wang,Husheng Yu,Xiangmin Shen,Yan Chen

2024-01-01

Abstract:The escalating sophistication of cyber-attacks and the widespread utilization of stealth tactics have led to significant security threats globally. Nevertheless, the existing static detection methods exhibit limited coverage, and traditional dynamic monitoring approaches encounter challenges in bypassing evasion techniques. Thus, it has become imperative to implement nuanced and dynamic analysis to achieve precise behavior detection in real time. There are two pressing concerns associated with current dynamic malware behavior detection solutions. Firstly, the collection and processing of data entail a significant amount of overhead, making it challenging to be employed for real-time detection on the end host. Secondly, these approaches tend to treat malware as a singular entity, thereby overlooking varied behaviors within one instance. To fill these gaps, we propose PARIS, an adaptive trace fetching, lightweight, real-time malicious behavior detection system. Specifically, we monitor malicious behavior with Event Tracing for Windows (ETW) and learn to selectively collect maliciousness-related APIs or call stacks, significantly reducing the data collection overhead. As a result, we can monitor a wider range of APIs and detect more intricate attack behavior. We implemented a prototype of PARIS and evaluated the system overhead, the accuracy of comparative behavior recognition, and the impact of different models and parameters. The result demonstrates that PARIS can reduce over 98.8 compared to the raw ETW trace and hence decreases the overhead on the host in terms of memory, bandwidth, and CPU usage with a similar detection accuracy to the baselines that suffer from the high overhead. Furthermore, a breakdown evaluation shows that 80 reduction in CPU usage can be attributed to our adaptive trace-fetching collector.

ZHOU Ji-Dong,CUI Chao-Yuan,WANG Ru-Jing,CHEN Zhu-Hong

DOI: https://doi.org/10.3969/j.issn.1003-3254.2013.06.028

2013-01-01

Abstract:Xen Hardware-Assisted Virtualization(HVM) is a service that one can run a virtual machine which is a unmodified OS on Xen Hypervisor.HVM causes a loss of management of the process granularity for the reason of VMM's lack of interference and understanding of the guest OS.This paper presents a lightweight process trace method for Xen HVM named Xen HPT.With the assistance of guest OS register information(mainly the ESP) collected by VMM,Xen HPT can implicitly capture the real-time process information of target guest OS outside on Domain0 with little effect on guest OS.Xen HPT has been tested by Linux guest OS and result shows that the method is effective.

Chaoyuan Cui,Yun Wu,Yonggang Li,Bingyu Sun

DOI: https://doi.org/10.3837/tiis.2017.03.026

2017-01-01

KSII Transactions on Internet and Information Systems

Abstract:Intrusion detection techniques based on virtual machine introspection (VMI) provide high temper-resistance in comparison with traditional in-host anti-virus tools. However, the presence of semantic gap also leads to the performance and compatibility problems. In order to map raw bits of hardware to meaningful information of virtual machine, detailed knowledge of different guest OS is required. In this work, we present VDSM, a lightweight and general approach based on driver separation mechanism: divide semantic view reconstruction into online driver of view generation and offline driver of semantics extraction. We have developed a prototype of VDSM and used it to do intrusion detection on 13 operation systems. The evaluation results show VDSM is effective and practical with a small performance overhead.

Xiaoguang Wang,Yong Qi,Yuehua Dai,Jianbao Ren

DOI: https://doi.org/10.1109/compsacw.2013.38

2013-01-01

Abstract:Ensuring the correctness of security sensitive application running on a potentially malicious operating system is an open problem. Existing approaches for protecting a sensitive process are either losing deployment transparency or lack of the inter-process communication ability for the protected process. In this paper, we present a novel approach called shadow process execution (SPE), which can provide security sensitive applications with executing integrity. With the help of virtualization layer, SPE shadows the sensitive application in a separate virtual machine (VM), which significantly removes the complex and potentially malicious software stack from trusted computing base (TCB). At the same time, SPE maintains dynamic runtime protection without application source code. Finally we demonstrate the feasibility of SPE by designing and implementing a prototype system based on KVM hypervisor. And we show the transparent and dynamic feature of SPE by running and protecting a real world encryption utility program.

Cheng JIA,Yuezhi ZHOU

DOI: https://doi.org/10.3969/j.issn.1000-3428.2017.09.032

2017-01-01

Abstract:This paper researches the existing implementation methods and detection techniques of hidden processes,and proposes a method of getting process information by retrieving memory.The relationship between process structure and handle structure can be used as a memory retrieval flag to retrieve memory.This method avoids the problem of existing memory retrieval methods that the destroyed retrieval flag can lead to failure of detecting hidden process.This paper designs and implements a hidden process detection system by using cross-view matching technology.Experimental results show that the detection system can realize functions to detect and distinguish hidden processes.

Ruoxu Zhao,Dawu Gu,Juanru Li,Hui Liu

DOI: https://doi.org/10.1007/978-3-642-34129-8_22

2012-01-01

Abstract:Malware often encrypts its malicious code and sensitive data to avoid static pattern detection, thus detecting encryption functions and extracting the encryption keys in a malware can be very useful in security analysis. However, it's a complicated process to automatically detect encryption functions among huge amount of binary code, and the main challenge is to keep high efficiency and accuracy at the same time. In this paper we propose an enhanced detection approach. First we designed a novel process level emulation technique to efficiently analyze binary code, which is less resource-consuming compared with full system emulation. Further, we conduct program partitioning and assembly-to-IL(intermediate language) translation on binary code to simplify the analysis. We applied our approach to sample programs using cryptographic libraries and custom implemented version of typical encryption algorithms, and showed that these routines can be detected efficiently. It is convenient for analysts to use our approach to deal with the encrypted data within malware automatically. Our approach also provides an extensible interface for analysts to add extra templates to detect other forms of functions besides encryption routines.

Thomas Dangl,Stewart Sentanoe,Hans P. Reiser

DOI: https://doi.org/10.1016/j.sysarc.2024.103101

IF: 5.836

2024-03-03

Journal of Systems Architecture

Abstract:Active and passive virtual machine introspection mechanisms are pivotal for monitoring virtual machines on top of a hypervisor. They enable external tools to monitor and inspect the state from the outside. Active virtual machine introspection mechanisms intercept the execution at predetermined locations of interest synchronous to the execution of the system. Such mechanisms, in particular, require support from the processor vendor by facilitating interpositioning. This support is missing on AMD x86 processors, leading to inferior introspection solutions. We outline implicit assumptions about active introspection mechanisms in previous work, offer constructions for solution strategies on AMD systems, and discuss stealthiness and correctness. We show empirically that such retrofitted software solutions exhibit performance metrics in the same order of magnitude as native hardware solutions. Moreover, we highlight that the open problems for virtual machine introspection on ARM systems and those encountered on AMD x86 are related. Hence, we present an introspection architecture based on KVMi that addresses these open problems. Finally, we demonstrate comparable and, in many cases, superior performance to state-of-the-art solutions on Intel x86 .

computer science, software engineering, hardware & architecture