[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to main content

FindEvasion: An Effective Environment-Sensitive Malware Detection System for the Cloud

  • Conference paper
  • First Online:
Digital Forensics and Cyber Crime (ICDF2C 2017)

Abstract

In recent years, environment-sensitive malwares are growing rapidly and they pose significant threat to cloud platforms. They may maliciously occupy the computing resources and steal the tenants’ private data. The environment-sensitive malware can identify the operating environment and perform corresponding malicious behaviors in different environments. This greatly increased the difficulty of detection. At present, the research on automatic detection of environment-sensitive malwares is still rare, but it has attracted more and more attention.

In this paper, we present FindEvasion, a cloud-oriented system for detecting environment-sensitive malware. Our FindEvasion system makes full use of the virtualization technology to transparently extract the suspicious programs from the tenants’ Virtual Machine (VM), and analyzes them on our multiple operating environments. We introduce a novel algorithm, named Mulitiple Behavioral Sequences Similarity (MBSS), to compare a suspicious program’s behavioral profiles observed in multiple analysis environments, and determine whether the suspicious program is an environment-sensitive malware or not. The experiment results show that our approach produces better detection results when compared with previous methods.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
£29.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
GBP 19.95
Price includes VAT (United Kingdom)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
GBP 35.99
Price includes VAT (United Kingdom)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
GBP 44.99
Price includes VAT (United Kingdom)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Symantec. https://www.symantec.com/security-center/threat-report

  2. Kirat, D., Vigna, G., Kruegel, C.: Barecloud: bare-metal analysis-based evasive malware detection. In: Malware Detection (2014)

    Google Scholar 

  3. Lindorfer, M., Kolbitsch, C., Milani Comparetti, P.: Detecting environment-sensitive malware. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 338–357. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23644-0_18

    Chapter  Google Scholar 

  4. Linux Foundation: The Xen project. http://www.xenproject.org/. Accessed 4 Mar 2017

  5. Cuckoo Sandbox. http://www.cuckoosandbox.org

  6. Bayer, U., Comparetti, P.M., Hlauschek, C., Krgel, C., Kirda, E.: Scalable, behavior-based malware clustering. In: Network and Distributed System Security Symposium, NDSS 2009, San Diego, California, USA, February 2009

    Google Scholar 

  7. Powers, D.M.W.: Evaluation: from precision, recall and f-factor to ROC, informedness, markedness and correlation. J. Mach. Learn. Technol. 2, 2229–3981 (2011)

    Google Scholar 

  8. VX Heaven Virus Collection: VX Heaven. http://vx.nextlux.org. Accessed 4 Mar 2017

  9. Willems, C., Holz, T., Freiling, F.: Toward automated dynamic malware analysis using CWSandbox. IEEE Secur. Priv. 5(2), 32–39 (2007)

    Article  Google Scholar 

  10. Norman Sandbox. http://www.norman.com/

  11. Jiang, X., Wang, X.: “Out-of-the-Box” monitoring of VM-based high-interaction honeypots. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 198–218. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74320-0_11

    Chapter  Google Scholar 

  12. Bayer, U., Kruegel, C., Kirda, E.: TTAnalyze: A Tool for Analyzing Malware (2006)

    Google Scholar 

  13. Yin, H., Song, D., Egele, M., Kruegel, C., Kirda, E.: Panorama: capturing system-wide information flow for malware detection and analysis. In: ACM Conference on Computer and Communications Security, CCS 2007, Alexandria, Virginia, USA, pp. 116–127, October 2007

    Google Scholar 

  14. Bellard, F.: QEMU, a fast and portable dynamic translator. In: Conference on USENIX Technical Conference, p. 41 (2005)

    Google Scholar 

  15. Dinaburg, A., Royal, P., Sharif, M., Lee, W.: Ether: malware analysis via hardware virtualization extensions. In: ACM Conference on Computer and Communications Security, CCS 2008, Alexandria, Virginia, USA, pp. 51–62, October 2008

    Google Scholar 

  16. Jiang, X., Wang, X., Xu, D.: Stealthy malware detection through VMM-based “Out-of-the-Box” semantic view reconstruction. In: ACM Conference on Computer and Communications Security, CCS 2007, Alexandria, Virginia, USA, pp. 128–138, October 2007

    Google Scholar 

  17. Fattori, A., Paleari, R., Martignoni, L., Monga, M.: Dynamic and transparent analysis of commodity production systems. In: IEEE/ACM International Conference on Automated Software Engineering, pp. 417–426 (2010)

    Google Scholar 

  18. Vasudevan, A., Yerraballi, R.: Cobra: fine-grained malware analysis using stealth localized-executions. In: IEEE Symposium on Security & Privacy, p. 15 pp. -279 (2006)

    Google Scholar 

  19. Chen, X., Andersen, J., Mao, Z.M., Bailey, M.: Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In: IEEE International Conference on Dependable Systems and Networks with FTCS and DCC, pp. 177–186 (2008)

    Google Scholar 

  20. Lau, B., Svajcer, V.: Measuring virtual machine detection in malware using DSD tracer. J. Comput. Virol. Hacking Tech. 6(3), 181–195 (2010)

    Article  Google Scholar 

Download references

Acknowledgments

This paper is supported by National Natural Science Foundation of China (NSFC) under Grant No. 61572481, National key research and development program of China under Grant No. 2016YFB0801600 and Nation key research and development program of China under Grant No. 2016QY04W0900.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Qingjia Huang .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Jia, X., Zhou, G., Huang, Q., Zhang, W., Tian, D. (2018). FindEvasion: An Effective Environment-Sensitive Malware Detection System for the Cloud. In: Matoušek, P., Schmiedecker, M. (eds) Digital Forensics and Cyber Crime. ICDF2C 2017. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 216. Springer, Cham. https://doi.org/10.1007/978-3-319-73697-6_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-73697-6_1

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-73696-9

  • Online ISBN: 978-3-319-73697-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics