论文信息 - SEER: practical memory virus scanning as a service

SEER: practical memory virus scanning as a service

Virus Scanning-as-a-Service (VSaaS) has emerged as a popular security solution for virtual cloud environments. However, existing approaches fail to scan guest memory, which can contain an emerging class of Memory-only Malware. While several host-based memory scanners are available, they are computationally less practical for cloud environments. This paper proposes SEER as an architecture for enabling Memory VSaaS for virtualized environments. SEER leverages cloud resources and technologies to consolidate and aggregate virus scanning activities to efficiently detect malware residing in memory. Specifically, SEER combines fast memory snapshotting and computation deduplication to provide practical and efficient off-host memory virus scanning. We evaluate SEER and demonstrate up to an 87% reduction in data size that must be scanned and up to 72% savings in overall scan time, compared to naively applying file-based scanning approaches. Furthermore, SEER provides a 50% reduction in scan time when using a warm cache. In doing so, SEER provides a practical solution for cloud vendors to transparently and periodically scan virtual machine memory for malware.

Peng Ning | Xiaolan Zhang | Ahmed M. Azab | William Enck | Jason Gionta

[1] Christopher Krügel,et al. Blacksheep: detecting compromised hosts in homogeneous crowds , 2012, CCS '12.

[2] Xuxian Jiang,et al. Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction , 2007, CCS '07.

[3] References , 1971 .

[4] Paul Mackerras,et al. The rsync algorithm , 1996 .

[5] Michael Ligh,et al. Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code , 2010 .

[6] Farnam Jahanian,et al. CloudAV: N-Version Antivirus in the Network Cloud , 2008, USENIX Security Symposium.

[7] Jonathon T. Giffin,et al. Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection , 2011, 2011 IEEE Symposium on Security and Privacy.

[8] Kimberly Keeton,et al. SCAN-Lite: enterprise-wide analysis on the cheap , 2009, EuroSys '09.

[9] Peng Ning,et al. DACSA: A Decoupled Architecture for Cloud Security Analysis , 2014, CSET.

[10] Peng Ning,et al. Managing security of virtual machine images in a cloud environment , 2009, CCSW '09.

[11] George Varghese,et al. Difference engine , 2010, OSDI.

[12] Brendan Dolan-Gavitt,et al. The VAD tree: A process-eye view of physical memory , 2007, Digit. Investig..

[13] Jesse D. Kornblum. Identifying almost identical files using context triggered piecewise hashing , 2006, Digit. Investig..

[14] Fabrice Bellard,et al. QEMU, a Fast and Portable Dynamic Translator , 2005, USENIX Annual Technical Conference, FREENIX Track.