1. Canavan J. The evolution of malicious IRC bots. White Paper. Cupertino, CA, USA: Symantec, 2005.
2. Mohurle S, Patil M. A brief study of Wannacry threat: Ransomware attack 2017. International Journal of Advanced Research in Computer Science, 2017, 8(5): 1938-1940.
3. Shoch J F, Hupp J A. The “Worm” programs: Early experience with a distributed computation. Communications of the ACM, 1982, 25(3): 172-180.
4. Thomas M A, Dhillon G. Deep structures of information systems security. Proceedings of the 12th Americas Conference on Information Systems (AMCIS’06), 2006, Aug 4-6, Acapulco, México. Atlanta, GA, USA: Association for Information Systems, 2006: 3743-3480.
5. Garfinkel T, Rosenblum M. A virtual machine introspection based architecture for intrusion detection. Proceedings of the 2003 Network and Distributed System Security Symposium (NDSS’03), 2003, Feb 6-7, San Diego, CA, USA. Geneva, Switzerland: Internet Society, 2003.
6. Kavipurapu K M, Frailey D J. Quantification of architectures using software science. ACM SIGARCH Computer Architecture News, 1979, 7(10): 2-6.
7. Payne B D, Carbone M, Lee W. Secure and flexible monitoring of virtual machines. Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC'07), 2007, Dec 10-14, Miami Beach, FL, USA. Piscataway, NJ, USA: IEEE, 2007: 385-397.
8. Payne B D, Carbone M, Sharif M, et al. Lares: An architecture for secure active monitoring using virtualization. Proceedings of the 2008 IEEE Symposium on Security and Privacy (SP'08), 2008, May 18-22, Oakland, CA, USA. Piscataway, NJ, USA: IEEE, 2008: 233-247.
9. Klemperer P F, Jeon H Y, Payne B D, et al. High-performance memory snapshotting for real-time, consistent, hypervisor-based monitors. IEEE Transactions on Dependable and Secure Computing, 2020, 17(3): 518-535.
10. Dinaburg A, Royal P, Sharif M, et al. Ether: Malware analysis via hardware virtualization extensions. Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS’08), 2008, Oct 27-31, Alexandria, VA, USA. New York, NY, USA: ACM, 2008: 51-62.
11. Yan L K, Jayachandra M, Zhang M, et al. V2E: Combining hardware virtualization and software emulation for transparent and extensible malware analysis. Proceedings of the 8th ACM SIGPLAN/SIGOPS Conference on Virtual Execution Environment (VEE '12), 2012, Mar 3-4, London, UK. New York, NY, USA: ACM, 2012: 97-108.
12. Clam antivirus user manual. San Jose, CA, USA: Cisco Systems, Inc, 2019.
13. Hay A, Cid D, Bray R. OSSEC host-based intrusion detection guide. Amsterdam, Netherlands: Elsevier, Inc, 2008.
14. Patil R, Dudeja H, Modi C. Designing in-VM-assisted lightweight agent-based malware detection framework for securing virtual machines in cloud computing. International Journal of Information Security, 2020, 19: 147-162.
15. Sadek I, Chong P, Rehman S U, et al. Memory snapshot dataset of a compromised host with malware using obfuscation evasion techniques. Data in Brief, 2019, 26: Article 104437.
16. Dabak P, Phadke S, Borate M. Undocumented Windows NT. New York, NY, USA: Wiley, 1999.
17. Kivity A, Kamay Y, Laor D, et al. KVM: The Linux virtual machine monitor. Proceedings of the 2007 Linux Symposium: Vol 1, 2007, Jun 27-30, Ottawa, Canada. 2007: 225-230.
18. Intel® 64 and IA-32 Architectures software developer’s manual, Volume 3 (3A, 3B, 3C & 3D): System programming guide. Order Number: 325384-070US. Santa Clara, CA, USA: Intel Corporation, 2019.
19. AMD64 Architecture programmer’s manual, Volume 2: System programming. Revision 3.30. Sunnyvale, CA, USA: Advanced Micro Devices, Inc, 2018.
20. Barham P, Dragovic B, Fraser K, et al. Xen and the art of virtualization. Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP’03), 2003, Oct 19-22, Bolton Landing, NY, USA. New York, NY, USA: ACM, 2003: 164-177.
21. Payne B D. Simplifying virtual machine introspection using LibVMI. SANDIA Report SAND2012-7818. Albuquerque, NM, USA and Livermore, CA, USA: Sandia National Laboratories, 2012.