DOI: 10.1145/2664243.2664271

SEER: practical memory virus scanning as a service

Published: 08 December 2014

Abstract

Virus Scanning-as-a-Service (VSaaS) has emerged as a popular security solution for virtual cloud environments. However, existing approaches fail to scan guest memory, which can contain an emerging class of Memory-only Malware. While several host-based memory scanners are available, they are computationally less practical for cloud environments. This paper proposes SEER as an architecture for enabling Memory VSaaS for virtualized environments. SEER leverages cloud resources and technologies to consolidate and aggregate virus scanning activities to efficiently detect malware residing in memory. Specifically, SEER combines fast memory snapshotting and computation deduplication to provide practical and efficient off-host memory virus scanning. We evaluate SEER and demonstrate up to an 87% reduction in data size that must be scanned and up to 72% savings in overall scan time, compared to naively applying file-based scanning approaches. Furthermore, SEER provides a 50% reduction in scan time when using a warm cache. In doing so, SEER provides a practical solution for cloud vendors to transparently and periodically scan virtual machine memory for malware.
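The abstract describes consolidating scan work by deduplicating guest memory across VM snapshots and reusing a warm cache of results. The block below is an added illustration of that idea, not SEER's own code: identical pages across homogeneous guests are collapsed by content hash, each unique page is scanned once, and a cache of earlier verdicts lets later rounds scan only pages never seen before. The 64-byte page size, the byte-pattern signature and the VM snapshots are constructed for the demo.

```python
import hashlib
from collections import defaultdict

PAGE_SIZE = 64  # toy page size for the constructed sample; real guest pages are 4 KiB

# Constructed byte-pattern signature standing in for a real scanner's signature set.
SIGNATURES = {"demo.marker": b"CONSTRUCTED_MALICIOUS_MARKER"}


def page_hash(page: bytes) -> str:
    """Content hash used as the deduplication key for one guest page."""
    return hashlib.sha256(page).hexdigest()


def dedupe_snapshots(snapshots: dict) -> tuple:
    """Collapse identical pages across all VMs; returns (hash -> page, hash -> [(vm, index)])."""
    unique, owners = {}, defaultdict(list)
    for vm, pages in snapshots.items():
        for idx, page in enumerate(pages):
            h = page_hash(page)
            unique.setdefault(h, page)
            owners[h].append((vm, idx))
    return unique, dict(owners)


def scan_unique(unique: dict, cache: dict) -> tuple:
    """Scan each unique page once, skipping pages whose verdict is already cached (warm case)."""
    scanned = 0
    for h, page in unique.items():
        if h not in cache:
            scanned += 1
            cache[h] = next((n for n, sig in SIGNATURES.items() if sig in page), None)
    return {h: cache[h] for h in unique}, scanned


def run_round(snapshots: dict, cache: dict) -> dict:
    """One off-host scanning round; reports dedup savings, cache savings and where hits live."""
    unique, owners = dedupe_snapshots(snapshots)
    verdicts, scanned = scan_unique(unique, cache)
    total = sum(len(p) for p in snapshots.values())
    hits = sorted((vm, idx, v) for h, v in verdicts.items() if v for vm, idx in owners[h])
    return {"total_pages": total, "unique_pages": len(unique), "scanned": scanned,
            "data_reduction": 1 - len(unique) / total, "hits": hits}


def make_snapshots() -> dict:
    """Constructed sample: three homogeneous VMs sharing OS pages; vm2 also holds an injected page."""
    shared = [bytes([i]) * PAGE_SIZE for i in range(8)]  # identical kernel/library pages
    private = lambda vm: [f"{vm}-private-{j}".encode().ljust(PAGE_SIZE, b"\0") for j in range(2)]
    snaps = {vm: shared + private(vm) for vm in ("vm1", "vm2", "vm3")}
    snaps["vm2"].append(SIGNATURES["demo.marker"].ljust(PAGE_SIZE, b"\0"))
    return snaps
```

Running `run_round` twice on the same snapshots with one shared `cache` shows the cold round scanning every unique page and the warm round scanning none; adding a fourth homogeneous VM costs only its private pages.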


Published In

ACSAC '14: Proceedings of the 30th Annual Computer Security Applications Conference
December 2014
492 pages
ISBN: 9781450330053
DOI: 10.1145/2664243

    Sponsors

    • ACSA: Applied Computing Security Assoc

    Publisher

    Association for Computing Machinery

    New York, NY, United States


Conference

ACSAC '14: Annual Computer Security Applications Conference
Sponsor: ACSA
December 8 - 12, 2014
New Orleans, Louisiana, USA

    Acceptance Rates

    Overall Acceptance Rate 104 of 497 submissions, 21%


    • Downloads (Last 12 months)7
    • Downloads (Last 6 weeks)1
    Reflects downloads up to 01 Jan 2025

Cited By

• (2022) Terminator: A Secure Coprocessor to Accelerate Real-Time AntiViruses Using Inspection Breakpoints. ACM Transactions on Privacy and Security, 25(2):1-34. DOI: 10.1145/3494535. Online publication date: 4 Mar 2022.
• (2022) An Adaptive Anomaly Detection Method for Cloud Computing System. 2022 IEEE 5th International Conference on Electronics Technology (ICET), pp. 1289-1295. DOI: 10.1109/ICET55676.2022.9823988. Online publication date: 13 May 2022.
• (2021) Challenges and pitfalls in malware research. Computers and Security, 106:C. DOI: 10.1016/j.cose.2021.102287. Online publication date: 1 Jul 2021.
• (2020) PHM Technology for Memory Anomalies in Cloud Computing for IaaS. 2020 IEEE 20th International Conference on Software Quality, Reliability and Security (QRS), pp. 41-51. DOI: 10.1109/QRS51102.2020.00018. Online publication date: Dec 2020.
• (2019) A Cloud-Based Real-Time Mechanism to Protect End Hosts against Malware. Applied Sciences, 9(18):3748. DOI: 10.3390/app9183748. Online publication date: 8 Sep 2019.
• (2019) Forensics-as-a-Service (FaaS) in the State-of-the-Art Cloud. Security, Privacy, and Digital Forensics in the Cloud, pp. 321-337. DOI: 10.1002/9781119053385.ch16. Online publication date: 8 Feb 2019.
• (2017) Black penguin: On the feasibility of detecting intrusion with homogeneous memory. 2017 IEEE Conference on Communications and Network Security (CNS), pp. 586-594. DOI: 10.1109/CNS.2017.8228671. Online publication date: Oct 2017.
• (2017) Hidden process offline forensic based on memory analysis in windows. Wuhan University Journal of Natural Sciences, 22(4):346-354. DOI: 10.1007/s11859-017-1257-y. Online publication date: 15 Jul 2017.
• (2015) CloudIDEA. Proceedings of the Confederated International Conferences on On the Move to Meaningful Internet Systems: OTM 2015 Conferences - Volume 9415, pp. 594-611. DOI: 10.1007/978-3-319-26148-5_40. Online publication date: 26 Oct 2015.
