Title: Divergence Detector: A Fine-grained Approach to Detecting VM-Awareness Malware
Authors: Hsu, Chia-Wei
Shih, Fan-Syun
Wang, Chi-Wei
Shieh, Shiuhpyng Winston
Department: Department of Computer Science
Keywords: Virtual Machine; VM-awareness; Malware
Publication Date: 2013
Abstract: Virtualized execution has become an effective mechanism for dynamic malware analysis. To conceal its malicious behavior, VM-aware malware probes the execution environment and resists analysis: if it finds itself running in a virtual machine (VM), it hides its malicious behavior. VM awareness therefore becomes a barrier to malware analysis. In this paper, we find that uncertain factors (run-to-run variation in execution) have a significant influence on the effectiveness of VM-awareness detection. To cope with this problem, we propose a new VM-awareness detection scheme, the Divergence Detector, that addresses the evasion used by such evolved malware. Unlike conventional schemes, the Divergence Detector reduces the uncertain factors at the instruction level and detects the divergence of multiple execution traces across heterogeneous virtual machines. It is implemented on three commonly used VM platforms, QEMU, Bochs and Xen, and compares the code coverage of the execution traces on the various platforms to discover behavioral deviation, thereby precisely detecting VM awareness. We formally predict the effectiveness of the Divergence Detector with a mathematical model, which shows that the maximum false positive rate decreases exponentially with the number of executions. Representative samples using seven types of commonly used VM-aware techniques were employed for evaluation, and the results indicate that the maximum false positive rate complies with our prediction. Uncertain factors play the major role in VM-awareness detection, so a method is proposed to reduce the uncertain factors that cause false positives. The Divergence Detector can also identify new types of malware, since benign programs have no need to be aware of their execution environment.
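The cross-platform coverage comparison and the multi-execution filtering that the abstract describes, as an added illustration written for this record (it is not the Divergence Detector implementation and does not reproduce the paper's model): each run yields the set of basic-block addresses it covered; blocks that vary between repeated runs on any platform are treated as uncertain and discarded, and a block is reported as divergent only when it is stably covered on some platforms and stably absent on others. The traces, the platform names used as dictionary keys, and the `spurious_divergence_bound` model (independent per-run coverage, union bound over platform pairs) are constructed assumptions for the example.

```python
"""Illustrative multi-execution divergence check over code-coverage traces.

Constructed example, not the paper's code: a trace is the set of basic-block
addresses covered by one run, and traces are grouped by VM platform.
"""
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Trace = Set[int]

# Constructed sample of a VM-aware program: on Xen it takes a different path
# (blocks 0x1100/0x1110 instead of 0x1020). Blocks 0x1300/0x1310 model an
# uncertain factor (e.g. a timing-dependent branch) that flips between runs
# on every platform regardless of the VM type.
VM_AWARE_TRACES: Dict[str, List[Trace]] = {
    "qemu": [
        {0x1000, 0x1010, 0x1020, 0x1300},
        {0x1000, 0x1010, 0x1020, 0x1310},
        {0x1000, 0x1010, 0x1020, 0x1300},
    ],
    "bochs": [
        {0x1000, 0x1010, 0x1020, 0x1310},
        {0x1000, 0x1010, 0x1020, 0x1300},
        {0x1000, 0x1010, 0x1020, 0x1310},
    ],
    "xen": [
        {0x1000, 0x1010, 0x1100, 0x1110, 0x1300},
        {0x1000, 0x1010, 0x1100, 0x1110, 0x1310},
        {0x1000, 0x1010, 0x1100, 0x1110, 0x1300},
    ],
}

# Constructed benign sample: the same stable path on every platform, with the
# same kind of run-to-run noise in the tail blocks.
BENIGN_TRACES: Dict[str, List[Trace]] = {
    "qemu":  [{0x2000, 0x2010, 0x2300}, {0x2000, 0x2010, 0x2310}],
    "bochs": [{0x2000, 0x2010, 0x2310}, {0x2000, 0x2010, 0x2300}],
    "xen":   [{0x2000, 0x2010, 0x2300}, {0x2000, 0x2010, 0x2300}],
}


def stable_and_uncertain(runs: List[Trace]) -> Tuple[Set[int], Set[int]]:
    """Blocks hit in every run of one platform, and blocks that vary across runs."""
    always = set.intersection(*runs)
    ever = set.union(*runs)
    return always, ever - always


def divergent_blocks(traces: Dict[str, List[Trace]],
                     runs: Optional[int] = None) -> Dict[int, FrozenSet[str]]:
    """Map each divergent block to the platforms that stably cover it.

    `runs` limits how many executions per platform are used, so the effect of
    additional executions on spurious divergence can be observed. Uncertain
    blocks are pooled across platforms: a block that varies on any platform is
    excluded everywhere before the coverage sets are compared.
    """
    stable: Dict[str, Set[int]] = {}
    uncertain: Set[int] = set()
    for platform, platform_runs in traces.items():
        selected = platform_runs if runs is None else platform_runs[:runs]
        always, varying = stable_and_uncertain(selected)
        stable[platform] = always
        uncertain |= varying
    candidates = set.union(*stable.values()) - uncertain
    result: Dict[int, FrozenSet[str]] = {}
    for block in candidates:
        covering = frozenset(p for p, s in stable.items() if block in s)
        if len(covering) != len(stable):  # covered on some platforms, not all
            result[block] = covering
    return result


def is_vm_aware(traces: Dict[str, List[Trace]], runs: Optional[int] = None) -> bool:
    """A sample is flagged VM-aware when any stable block diverges across platforms."""
    return bool(divergent_blocks(traces, runs))


def spurious_divergence_bound(n: int, m: int) -> float:
    """Simplified model (an assumption of this example, not the paper's model).

    If an uncertain block is covered in each run independently with
    probability p, an ordered pair of platforms shows it as stably divergent
    over n runs each with probability p**n * (1-p)**n <= (1/4)**n. A union
    bound over the m*(m-1) ordered platform pairs gives m*(m-1)/4**n, which
    decreases exponentially in n.
    """
    return min(1.0, m * (m - 1) / 4 ** n)


if __name__ == "__main__":
    print("single run:", {hex(b): sorted(p) for b, p in
                          divergent_blocks(VM_AWARE_TRACES, runs=1).items()})
    print("three runs:", {hex(b): sorted(p) for b, p in
                          divergent_blocks(VM_AWARE_TRACES).items()})
    print("benign VM-aware?", is_vm_aware(BENIGN_TRACES))
    for n in (1, 3, 10):
        print(f"n={n}: spurious divergence bound {spurious_divergence_bound(n, 3):.2e}")
```

With a single run per platform the noisy blocks 0x1300 and 0x1310 are reported as divergent, which is exactly the false positive the abstract attributes to uncertain factors; with three runs they are filtered out and only the genuine Xen-specific path remains.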
URI: http://hdl.handle.net/11536/23079
http://dx.doi.org/10.1109/SERE.2013.23
ISBN: 978-0-7695-5021-3
DOI: 10.1109/SERE.2013.23
Venue: 2013 IEEE 7TH INTERNATIONAL CONFERENCE ON SOFTWARE SECURITY AND RELIABILITY (SERE)
Start Page: 80
End Page: 89
Appears in Collections: Conference Papers