Malware Clearance for Secure Commitment of OS-Level Virtual Machines

N Hemalatha

Abstract


A virtual machine(VM) can be simply created upon use and disposed upon the completion of the tasks or the detection of error. The disadvantage of this approach is that if there is no malicious activity, the user has to redo all of the work in her actual workspace since there is no easy way to commit (i.e., merge) only the benign updates within the VM back to the host environment. In this work, we develop a VM commitment system called Secom to automatically eliminate malicious state changes when merging the contents of an OS-level VM to the host. Secom consists of three steps: grouping state changes into clusters, distinguishing between benign and malicious clusters, and committing benign clusters. Secom has three novel features. First, instead of relying on a huge volume of log data, it leverages OS-level information flow and malware behavior information to recognize malicious changes. As a result, the approach imposes a smaller performance overhead. Second, different from existing intrusion detection and recovery systems that detect compromised OS objects one by one, Secom classifies objects into clusters and then identifies malicious objects on a cluster by cluster basis. Third, to reduce the false-positive rate when identifying malicious clusters, it simultaneously considers two malware behaviors that are of different types and the origin of the processes that exhibit these behaviors, rather than considers a single behavior alone as done by existing malware detection methods. We have successfully implemented Secom on the feather-weight virtual machine system, a Windows-based OS-level virtualization system. Experiments show that the prototype can effectively eliminate malicious state changes while committing a VM with small performance degradation. Moreover, compared with the commercial antimalware tools, the Secom prototype has a smaller number of false negatives and thus can more thoroughly clean up malware side effects. In addition, the number of false positives of the Secom prototype is also lower than that achieved by the online behavior-based approach of the commercial tools.


Keywords


Virtual machine, malware behavior, malware detection, virtual machine commitment

References


W. Sun, Z. Liang, R. Sekar, and V.N. Venkatakrishnan, “One-Way Isolation: An Effective Approach for Realizing Safe Execution Environments,” Proc. 12th ISOC Network and Distributed Systems Symp. (NDSS), pp. 265-278, 2005.

S.T. King and P.M. Chen, “Backtracking Intrusions,” Proc. ACM Symp. Operating Systems Principles (SOSP), pp. 223-236, 2003.

S. Soltesz, H. Po¨tzl, M.E. Fiuczynski, A. Bavier, and L. Peterson, “Container-Based Operating System Virtualization: A Scalable, High-Performance Alternative to Hypervisors,” Proc. Second ACM European Conf. Computer Systems, 2007.

D. Price and A. Tucker, “Solaris Zones: Operating System Support for Consolidating Commercial Workloads,” Proc. 18th Large Installation System Administration Conf., pp. 241-254, 2004.

M. Howard, “Fending off Future Attacks by Reducing Attack Surface,” http://msdn.microsoft.com/en-us/library/ ms972812.aspx, 2003.

SWsoft, “Virtuozzo Server Virtualization,” http://www.swsoft. com/en/products/virtuozzo, 2013.

OpenVZ, “Unique Features of OpenVZ,” http://openvz.org/ [30] J. Zhu, Z. Jiang, Z. Xiao, and X. Li, “Optimizing the Performance documentation/tech/features, 2013. Y. Yu, “OS-level Virtualization and Its Applications,” PhD dissertation, Stony Brook Univ., 2007.

Symantec, Inc., http://www.symantec.com/business/security_ response/threatexplorer/threats.jsp, 2013.

P.-H. Kamp and R.N.M. Watson, “Jails: Confining the Omnipotent Root,” Proc. Second Int’l SANE Conf., 2000.

Microsoft Security Bull., http://www.microsoft.com/technet/ security/current.aspx, 2013.

M. Howard, “Fending off Future Attacks by Reducing Attack Surface,” http://msdn.microsoft.com/en-us/library/ ms972812.aspx, 2003.

Y. Yu, H.K. Govindarajan, L. Lam, and T. Chiueh, “Applications of Feather-Weight Virtual Machine,” Proc. Int’l Conf. Virtual Execution Environments (VEE), Mar. 2008.

R. Paleari, L. Martignoni, E. Passerini, D. Davidson, M. Fredrikson, J. Giffin, and S. Jha, “Automatic Generation of Remediation Procedures for Malware,” Proc. USENIX Conf. Security, Aug. 2010.


Full Text: PDF

Refbacks

  • There are currently no refbacks.


Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 License.

.......................................................................................................................................................................................................................

ISSN  2279 – 0381 |  IST HOMEJOURNAL HOME | Copyright IST 2012-13

.......................................................................................................................................................................................................................