SeCom: A Novel Approach for Malware Confiscation in OS-level Virtual Machines

Virtual machines are based on the specifications of a hypothetical computer. A virtual machine is an independent instance that performs the same functions as the original host machine. It can be created on demand and disposed of when a task completes or an error is detected. One of the main drawbacks of a virtual machine is that, even when no malicious activity has occurred, the user has to redo all of the work in her actual workspace, since there is no easy way to commit it. So a lightweight commitment approach called SeCom has been proposed, which eliminates malicious programs at the end of virtual machine termination, i.e. while committing the benign data. It consists of three steps: correlation, recognition and commitment. Firstly, instead of manipulating huge amounts of data, it relies only on OS-level information flow and malware behaviors, thereby reducing performance overhead. Secondly, it recognizes the data cluster by cluster, to ease detection. Thirdly, it marks a cluster as harmful if and only if it exhibits at least two different types of malware behavior, to reduce false positives. Compared with commercial antimalware tools, it cleans up all the malware behavior and keeps the performance of the host machine at the desired level. Moreover, it produces fewer false alarms than the behavior-based approach of antimalware tools.
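The recognition and commitment steps described above, as an added illustration that is not SeCom's own code: objects touched inside the VM are grouped into clusters by the OS-level information-flow edges between them, and a cluster is held back from the commit only when it shows at least two different behavior types. The object names, flow records and behavior categories ("autostart", "self-copy") are constructed for this example; the abstract does not list the behavior types SeCom uses.

```python
from collections import defaultdict

def build_clusters(objects, flows):
    """Group objects into clusters = connected components of the flow graph
    (union-find over (src, dst) information-flow edges)."""
    parent = {o: o for o in objects}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for src, dst in flows:
        parent[find(src)] = find(dst)
    groups = defaultdict(set)
    for o in objects:
        groups[find(o)].add(o)
    return [frozenset(g) for g in groups.values()]

def classify_clusters(objects, flows, behaviors, threshold=2):
    """Apply the two-distinct-behaviors rule to every cluster.
    Returns (commit, quarantine) as sets of object names."""
    commit, quarantine = set(), set()
    for cluster in build_clusters(objects, flows):
        kinds = set()
        for o in cluster:
            kinds.update(behaviors.get(o, ()))
        target = quarantine if len(kinds) >= threshold else commit
        target.update(cluster)
    return commit, quarantine

# Constructed sample VM session (hypothetical names; behavior categories are
# assumed here, the abstract does not enumerate them).
OBJECTS = ["setup.exe", "dropper.exe", "run_key_drp",
           "notepad.exe", "notes.txt", "updater.exe", "run_key_upd"]
FLOWS = [("setup.exe", "dropper.exe"),     # setup wrote a second executable
         ("dropper.exe", "run_key_drp"),   # which then added an autostart key
         ("notepad.exe", "notes.txt"),     # the user's real work
         ("updater.exe", "run_key_upd")]   # a legitimate updater's autostart
BEHAVIORS = {"dropper.exe": {"self-copy"},   # + autostart below -> 2 kinds
             "run_key_drp": {"autostart"},
             "run_key_upd": {"autostart"}}   # only 1 kind -> still committed

if __name__ == "__main__":
    commit, quarantine = classify_clusters(OBJECTS, FLOWS, BEHAVIORS)
    print("commit:", sorted(commit))
    print("quarantine:", sorted(quarantine))
```

The updater cluster shows a single behavior type and is therefore committed, which is the false-positive reduction the abstract attributes to the two-behavior threshold.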
