VirtAV: an Agentless Runtime Antivirus System for Virtual Machines

Tang, Hongwei (Shenzhen Institute of Advanced Technology, Chinese Academy of Sciences)
Feng, Shengzhong (Shenzhen Institute of Advanced Technology, Chinese Academy of Sciences)
Zhao, Xiaofang (University of Chinese Academy of Sciences)
Jin, Yan (University of Chinese Academy of Sciences)