research-article

SEER: practical memory virus scanning as a service

Authors:

Xiaolan ZhangAuthors Info & Claims

ACSAC '14: Proceedings of the 30th Annual Computer Security Applications Conference

Pages 186 - 195

https://doi.org/10.1145/2664243.2664271

Published: 08 December 2014 Publication History

Abstract

Virus Scanning-as-a-Service (VSaaS) has emerged as a popular security solution for virtual cloud environments. However, existing approaches fail to scan guest memory, which can contain an emerging class of Memory-only Malware. While several host-based memory scanners are available, they are computationally less practical for cloud environments. This paper proposes SEER as an architecture for enabling Memory VSaaS for virtualized environments. SEER leverages cloud resources and technologies to consolidate and aggregate virus scanning activities to efficiently detect malware residing in memory. Specifically, SEER combines fast memory snapshotting and computation deduplication to provide practical and efficient off-host memory virus scanning. We evaluate SEER and demonstrate up to an 87% reduction in data size that must be scanned and up to 72% savings in overall scan time, compared to naively applying file-based scanning approaches. Furthermore, SEER provides a 50% reduction in scan time when using a warm cache. In doing so, SEER provides a practical solution for cloud vendors to transparently and periodically scan virtual machine memory for malware.

References

[1]

Fabrice Bellard. Qemu, a fast and portable dynamic translator. In Proceedings of the annual conference on USENIX Annual Technical Conference, 2005.

Digital Library

[2]

Antonio Bianchi, Yan Shoshitaishvili, Christopher Kruegel, and Giovanni Vigna. Blacksheep: detecting compromised hosts in homogeneous crowds. In Proceedings of the 2012 ACM conference on Computer and communications security, 2012.

Digital Library

[3]

Jamie Butler. Dkom (direct kernel object manipulation). Black Hat Windows Security, 2004.

[4]

Agentless security. Trend Micro. http://www.trendmicro.com/cloud-content/us/pdfs/business/sb_vmware-agentless-security.pdf.

[5]

Brendan Dolan-Gavitt. The vad tree: A process-eye view of physical memory. Digit. Investig., September 2007.

Digital Library

[6]

Brendan Dolan-Gavitt, Tim Leek, Michael Zhivich, Jonathon Giffin, and Wenke Lee. Virtuoso: Narrowing the semantic gap in virtual machine introspection. In Proceedings of the 2011 IEEE Symposium on Security and Privacy, SP '11, 2012.

Digital Library

[7]

Jason Gionta, Ahmed Azab, William Enck, Peng Ning, and Xiaolan Zhang. Dacsa: A decoupled architecture for cloud security analysis. In Proceedings of the 7th Workshop on Cyber Security Experimentation and Test. USENIX, 2014.

Digital Library

[8]

Diwaker Gupta, Sangmin Lee, Michael Vrable, Stefan Savage, Alex C. Snoeren, George Varghese, Geoffrey M. Voelker, and Amin Vahdat. Difference engine: harnessing memory redundancy in virtual machines. Commun. ACM, 53(10):85--93, October 2010.

Digital Library

[9]

Xuxian Jiang, Xinyuan Wang, and Dongyan Xu. Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction. In Proceedings of the 14th ACM conference on Computer and communications security, 2007.

Digital Library

[10]

Tomasz Kojm. Clamav, 2004. http://www.clamav.net.

[11]

Jesse Kornblum. Identifying almost identical files using context triggered piecewise hashing. digital investigation, 3:91--97, 2006.

Digital Library

[12]

Michael Ligh, Steven Adair, Blake Hartstein, and Matthew Richard. Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code. John Wiley & Sons, 2010.

Digital Library

[13]

Malc0de. Malc0de, 2007. http://malc0de.com.

[14]

About the metasploit meterpreter. Offensive-security, 2012. http://www.offensive-security.com/metasploit-unleashed/About_Meterpreter.

[15]

Ned Moran, Sai Omkar Vashisht, Mike Scott, and Thoufique Haq. Operation ephemeral hydra: Ie zero-day linked to deputydog uses diskless method. FireEye, Nov 2013.

[16]

NSSLabs. Endpoint protection products 2010 group test summary. NSS Labs, 2010.

[17]

Jon Oberheide, Evan Cooke, and Farnam Jahanian. Cloudav: N-version antivirus in the network cloud. In USENIX Security Symposium, pages 91--106, 2008.

Digital Library

[18]

Fahmida Y. Rashid. Watering hole attacks scoop up everyone, not just developers at facebook, twitter. PC Mag, March 2013.

[19]

Sans institute infosec reading room: What is code red worm. Sans Institutue, 2001.

[20]

Craig A. N. Soules, Kimberly Keeton, and Charles B. Morrey, III. Scan-lite: enterprise-wide analysis on the cheap. In Proceedings of the 4th ACM European conference on Computer systems, 2009.

Digital Library

[21]

Standard Performance Evaluation Corporation. Specweb2009.

[22]

Andrew Tridgell and Paul Mackerras. The rsync algorithm, 1996.

[23]

VMWare. Vmware vshield endpoint, 2010. http://www.vmware.com/files/pdf/vmware-vshield-endpoint-ds-en.pdf.

[24]

The volatility framework: volatile memory artifact extraction utility framework. Volatile Systems.

[25]

Jinpeng Wei, Xiaolan Zhang, Glenn Ammons, Vasanth Bala, and Peng Ning. Managing security of virtual machine images in a cloud environment. In Proceedings of the 2009 ACM workshop on Cloud computing security, 2009.

Digital Library

Cited By

Botacin MMoreira FNavaux PGrégio AAlves M(2022) Terminator: A Secure Coprocessor to Accelerate Real-Time AntiViruses Using Inspection BreakpointsACM Transactions on Privacy and Security10.1145/349453525:2(1-34)Online publication date: 4-Mar-2022
https://dl.acm.org/doi/10.1145/3494535
Jin XQiu X(2022)An Adaptive Anomaly Detection Method for Cloud Computing System2022 IEEE 5th International Conference on Electronics Technology (ICET)10.1109/ICET55676.2022.9823988(1289-1295)Online publication date: 13-May-2022
https://doi.org/10.1109/ICET55676.2022.9823988
Botacin MCeschin FSun ROliveira DGrégio A(2021)Challenges and pitfalls in malware researchComputers and Security10.1016/j.cose.2021.102287106:COnline publication date: 1-Jul-2021
https://dl.acm.org/doi/10.1016/j.cose.2021.102287
Show More Cited By

SEER: practical memory virus scanning as a service
1. Security and privacy
  1. Systems security

Recommendations

Seer: leveraging big data to navigate the complexity of cloud debugging
HotCloud'18: Proceedings of the 10th USENIX Conference on Hot Topics in Cloud Computing

Performance unpredictability in cloud services leads to poor user experience, degraded availability, and has revenue ramifications. Detecting performance degradation a posteriori helps the system take corrective action, but does not avoid the QoS ...
A seer knows best: optimized object storage shuffling for serverless analytics
Middleware '22: Proceedings of the 23rd ACM/IFIP International Middleware Conference

Serverless platforms offer high resource elasticity and pay-as-you-go billing, making them a compelling choice for data analytics. To craft a "pure" serverless solution, the common practice is to transfer intermediate data between serverless functions ...
Lung cancer survival prediction using ensemble data mining on SEER data
Biological Knowledge Discovery and Data Mining

We analyze the lung cancer data available from the SEER program with the aim of developing accurate survival prediction models for lung cancer. Carefully designed preprocessing steps resulted in removal/modification/splitting of several attributes, and ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

ACSAC '14: Proceedings of the 30th Annual Computer Security Applications Conference

December 2014

492 pages

ISBN:9781450330053

DOI:10.1145/2664243

Conference Chairs:
Charles N. Payne
Adventium Labs
,
Adam Hahn
Washington State University
,
Program Chairs:
Kevin Butler
University of Florida
,
Micah Sherr
Georgetown University

Copyright © 2014 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 08 December 2014

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Qualifiers

Research-article

Funding Sources

Division of Computer and Network Systems

Conference

ACSAC '14

Sponsor:

ACSA

ACSAC '14: Annual Computer Security Applications Conference

December 8 - 12, 2014

Louisiana, New Orleans, USA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

9
Total Citations
View Citations
259
Total Downloads

Downloads (Last 12 months)8
Downloads (Last 6 weeks)1

Reflects downloads up to 28 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Botacin MMoreira FNavaux PGrégio AAlves M(2022) Terminator: A Secure Coprocessor to Accelerate Real-Time AntiViruses Using Inspection BreakpointsACM Transactions on Privacy and Security10.1145/349453525:2(1-34)Online publication date: 4-Mar-2022
https://dl.acm.org/doi/10.1145/3494535
Jin XQiu X(2022)An Adaptive Anomaly Detection Method for Cloud Computing System2022 IEEE 5th International Conference on Electronics Technology (ICET)10.1109/ICET55676.2022.9823988(1289-1295)Online publication date: 13-May-2022
https://doi.org/10.1109/ICET55676.2022.9823988
Botacin MCeschin FSun ROliveira DGrégio A(2021)Challenges and pitfalls in malware researchComputers and Security10.1016/j.cose.2021.102287106:COnline publication date: 1-Jul-2021
https://dl.acm.org/doi/10.1016/j.cose.2021.102287
Qiu XDai YSun PJin X(2020)PHM Technology for Memory Anomalies in Cloud Computing for IaaS2020 IEEE 20th International Conference on Software Quality, Reliability and Security (QRS)10.1109/QRS51102.2020.00018(41-51)Online publication date: Dec-2020
https://doi.org/10.1109/QRS51102.2020.00018
Hsu FLee CLuo TChang TWu M(2019)A Cloud-Based Real-Time Mechanism to Protect End Hosts against MalwareApplied Sciences10.3390/app91837489:18(3748)Online publication date: 8-Sep-2019
https://doi.org/10.3390/app9183748
Srinivasan AFerrese F(2019)Forensics‐as‐a‐Service (FaaS) in the State‐of‐the‐Art CloudSecurity, Privacy, and Digital Forensics in the Cloud10.1002/9781119053385.ch16(321-337)Online publication date: 8-Feb-2019
https://doi.org/10.1002/9781119053385.ch16
Zhang NZhang RYan QLou WHou YYao D(2017)Black penguin: On the feasibility of detecting intrusion with homogeneous memory2017 IEEE Conference on Communications and Network Security (CNS)10.1109/CNS.2017.8228671(586-594)Online publication date: Oct-2017
https://doi.org/10.1109/CNS.2017.8228671
Cui JZhang HQi JPeng RZhang M(2017)Hidden process offline forensic based on memory analysis in windowsWuhan University Journal of Natural Sciences10.1007/s11859-017-1257-y22:4(346-354)Online publication date: 15-Jul-2017
https://doi.org/10.1007/s11859-017-1257-y
Fischer AKittel TKolosnjaji BLengyel TMandarawi WMeer HMüller TProtsenko MReiser HTaubmann BWeishäupl E(2015)CloudIDEAProceedings of the Confederated International Conferences on On the Move to Meaningful Internet Systems: OTM 2015 Conferences - Volume 941510.1007/978-3-319-26148-5_40(594-611)Online publication date: 26-Oct-2015
https://dl.acm.org/doi/10.1007/978-3-319-26148-5_40

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents