XScope: Memory Introspection Based Malicious Application Detection

Malicious applications may hide themselves to evade security tools placed inside or outside the system. To detect such hidden applications, existing approaches use virtual machine introspection to intercept process switches and identify a hidden process once it is scheduled. This method imposes heavy overhead because process switches are frequent, and it fails to detect malicious applications that stay resident in the system for a long time without ever executing. To address these problems, we propose XScope, a hidden application detection approach based on memory introspection. First, XScope categorizes the memory pages of the virtual machine (VM) through memory introspection and identifies the anonymous pages that belong to user applications. Second, XScope extracts processes by analyzing those anonymous pages, acquiring a full map of processes at the virtual machine monitor (VMM) layer. Third, XScope compares the map acquired at the VMM layer against the map reported from inside the VM; processes present in the former but absent from the latter are the hidden applications. We implement a prototype system and conduct a set of experiments. The results show that XScope detects hidden malicious applications without significant overhead.
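The three-step pipeline above (categorize pages, rebuild the process map from anonymous pages, diff it against the guest's own view), as an added illustration that is not the paper's code. The page descriptors and the guest-reported process list are constructed sample data, and attributing an anonymous page to a process by the page-table root (CR3 value) that maps it is an assumption made for this example; the abstract does not say how XScope groups pages into processes. The example also shows why the approach does not depend on scheduling: a process that owns anonymous pages is recovered even if it never runs.

```python
"""Cross-view hidden process detection, modelled on the XScope pipeline.

VMM-side view: reconstructed from memory pages alone.
Guest-side view: whatever the in-VM tools (ps, /proc) report.
Anything in the first view but not the second is hidden from the guest.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Page:
    pfn: int                 # physical frame number
    anonymous: bool          # True: anonymous (heap/stack); False: file-backed or kernel
    cr3: Optional[int]       # page-table root of the address space mapping it; None = kernel-only
    scheduled: bool = True   # constructed flag: has the owning process ever been switched in?


def categorize_pages(pages: List[Page]) -> List[Page]:
    """Step 1: keep only anonymous pages that belong to some user address space.

    Kernel pages (cr3 is None) and file-backed pages (page cache, shared libs)
    are dropped; they do not identify a user process on their own.
    """
    return [p for p in pages if p.anonymous and p.cr3 is not None]


def extract_processes(anon_pages: List[Page]) -> Dict[int, Set[int]]:
    """Step 2: group anonymous pages by page-table root (assumption: one root = one process).

    Returns {cr3: set(pfn)}. The map is built from page ownership only, so a
    process that is never scheduled still appears, unlike switch-interception.
    """
    procs: Dict[int, Set[int]] = {}
    for p in anon_pages:
        procs.setdefault(p.cr3, set()).add(p.pfn)
    return procs


def detect_hidden(vmm_map: Dict[int, Set[int]], guest_map: Dict[int, str]) -> List[int]:
    """Step 3: address spaces visible from the VMM that the guest does not report."""
    return sorted(set(vmm_map) - set(guest_map))


def run_demo():
    # Constructed physical memory snapshot: three user address spaces plus kernel/file pages.
    pages = [
        Page(0x10, anonymous=True,  cr3=0x1000),                    # init: heap
        Page(0x11, anonymous=False, cr3=0x1000),                    # init: libc text (file-backed)
        Page(0x20, anonymous=True,  cr3=0x2000),                    # sshd: stack
        Page(0x21, anonymous=True,  cr3=0x2000),                    # sshd: heap
        Page(0x30, anonymous=True,  cr3=0x3000, scheduled=False),   # dormant implant: never run
        Page(0x31, anonymous=True,  cr3=0x3000, scheduled=False),
        Page(0x40, anonymous=False, cr3=None),                      # kernel text
        Page(0x41, anonymous=False, cr3=0x4000),                    # page-cache only, no anon pages
    ]
    # Constructed in-guest view: what `ps` reports after the implant unlinked itself.
    guest_view = {0x1000: "init", 0x2000: "sshd"}

    vmm_map = extract_processes(categorize_pages(pages))
    hidden = detect_hidden(vmm_map, guest_view)
    return vmm_map, hidden


if __name__ == "__main__":
    vmm_map, hidden = run_demo()
    for cr3, pfns in sorted(vmm_map.items()):
        print(f"VMM view: cr3={cr3:#x} anonymous pfns={sorted(pfns)}")
    print("hidden from guest:", [hex(c) for c in hidden])
```

Note the design choice in `categorize_pages`: a process that maps only file-backed pages (cr3 0x4000 in the sample) is not recovered, so a real deployment would need to decide whether an address space with no anonymous pages can exist for a live user process; in practice every running process owns at least a stack.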
