SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Gatekeeper: Monitoring Auto-Start Extensibility Points (ASEPs) for Spyware Management
LISA '04 Proceedings of the 18th USENIX conference on System administration
Solaris Zones: Operating System Support for Consolidating Commercial Workloads
LISA '04 Proceedings of the 18th USENIX conference on System administration
A feather-weight virtual machine for windows applications
Proceedings of the 2nd international conference on Virtual execution environments
Back to the Future: A Framework for Automatic Malware Removal and System Repair
ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
Usable Mandatory Integrity Protection for Operating Systems
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Behavior-based spyware detection
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Proceedings of the 2nd ACM SIGOPS/EuroSys European Conference on Computer Systems 2007
Flight data recorder: monitoring persistent-state interactions to improve systems management
OSDI '06 Proceedings of the 7th symposium on Operating systems design and implementation
Panorama: capturing system-wide information flow for malware detection and analysis
Proceedings of the 14th ACM conference on Computer and communications security
Applications of a feather-weight virtual machine
Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
Remus: high availability via asynchronous virtual machine replication
NSDI'08 Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation
Learning and Classification of Malware Behavior
DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Os-level virtualization and its applications
Os-level virtualization and its applications
Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks
DIMVA '09 Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Effective and efficient malware detection at the end host
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Automatic generation of remediation procedures for malware infections
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Optimizing the Performance of Virtual Machine Synchronization for Fault Tolerance
IEEE Transactions on Computers
COTS diversity based intrusion detection and application to web servers
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Hi-index | 0.00 |
A common application of virtual machines (VM) is to use and then throw away, basically treating a VM like a completely isolated and disposable entity. The disadvantage of this approach is that if there is no malicious activity, the user has to re-do all of the work in her actual workspace since there is no easy way to commit (i.e., merge) only the benign updates within the VM back to the host environment. In this work, we develop a VM commitment system called Secom to automatically eliminate malicious state changes when merging the contents of an OS-level VM to the host. Secom consists of three steps: grouping state changes into clusters, distinguishing between benign and malicious clusters, and committing benign clusters. Secom has three novel features. First, instead of relying on a huge volume of log data, it leverages OS-level information flow and malware behavior information to recognize malicious changes. As a result, the approach imposes a smaller performance overhead. Second, different from existing intrusion detection and recovery systems that detect compromised OS objects one by one, Secom classifies objects into clusters and then identifies malicious objects on a cluster by cluster basis. Third, to reduce the false positive rate when identifying malicious clusters, it simultaneously considers two malware behaviors that are of different types and the origin of the processes that exhibit these behaviors, rather than considers a single behavior alone as done by existing malware detection methods. We have successfully implemented Secom on the Feather-weight Virtual Machine (FVM) system, a Windows-based OS-level virtualization system. Experiments show that the prototype can effectively eliminate malicious state changes while committing a VM with small performance degradation. Moreover, compared with the commercial anti-malware tools, the Secom prototype has a smaller number of false negatives and thus can more thoroughly clean up malware side effects. In addition, the number of false positives of the Secom prototype is also lower than that achieved by the on-line behavior-based approach of the commercial tools.