Using hypervisors to enhance security is an effective approach that has been studied extensively. This paper is concerned with hypervisors that use the parapass-through architecture, in which most I/O accesses from the operating system pass straight through the hypervisor, and only the minimum set of accesses needed to implement the security functionality is mediated by it. Parapass-through hypervisors can provide various security functions, such as encrypting storage data and creating virtual private networks. Although a previous study detailed a method for protecting privacy with a parapass-through hypervisor, it did not describe a method for detecting malware. In this paper, we propose a scheme for incorporating malware detection into a parapass-through hypervisor. Using this scheme, we implemented BVMD, a malware-detecting extension of the parapass-through hypervisor BitVisor. BVMD detects malware by comparing the contents of data I/O against malware signatures. A major advantage of BVMD is that its detection depends only slightly on the guest operating system. We confirmed through experiments that BVMD could detect many in-the-wild malware samples.
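The abstract describes detection as comparing the contents of data I/O against signatures. A hypervisor that mediates storage I/O sees the data one sector or block at a time, so a signature that straddles a block boundary must not be missed, and a match that was already reported must not be reported again when the retained tail is rescanned. The following is an added illustration of that block-level scanning logic in Python; it is not BVMD or BitVisor code, the 512-byte sector size and the signature strings are constructed placeholders, and the `bytes.find` loop stands in for the multi-pattern automaton (for example Aho-Corasick) that a real scanner would use.

```python
"""Block-level signature scan with boundary carry-over (added example, not
BVMD/BitVisor code). Signatures and sample blocks are constructed test data."""

from typing import Dict, Iterable, List, Tuple

SECTOR = 512  # assumed block size for the constructed I/O stream

# Constructed placeholder signatures; these are not real malware patterns.
SIGNATURES: Dict[str, bytes] = {
    "sig-a": b"\x4d\x5a\x90\x00EVIL_STUB",
    "sig-b": b"http://c2.example.invalid/beacon",
}


class BlockScanner:
    """Scans blocks in order, keeping the last max_len-1 bytes of the previous
    block so that a signature split across two blocks is still detected."""

    def __init__(self, signatures: Dict[str, bytes]) -> None:
        self.signatures = signatures
        self.max_len = max(len(s) for s in signatures.values())
        self.tail = b""     # carry-over bytes from the previous block
        self.consumed = 0   # absolute offset of the start of the next block

    def scan_block(self, data: bytes) -> List[Tuple[int, str]]:
        """Return (absolute_offset, signature_name) hits ending in this block."""
        buf = self.tail + data
        base = self.consumed - len(self.tail)  # absolute offset of buf[0]
        hits: List[Tuple[int, str]] = []
        for name, sig in self.signatures.items():
            start = 0
            while True:
                idx = buf.find(sig, start)
                if idx < 0:
                    break
                # Report only matches that end inside the new data; a match
                # wholly inside the retained tail was reported last time.
                if idx + len(sig) > len(self.tail):
                    hits.append((base + idx, name))
                start = idx + 1
        self.consumed += len(data)
        keep = self.max_len - 1
        self.tail = buf[-keep:] if keep > 0 else b""
        return hits


def scan_stream(blocks: Iterable[bytes],
                signatures: Dict[str, bytes] = SIGNATURES) -> List[Tuple[int, str]]:
    """Scan a sequence of blocks as they would arrive at the I/O mediator."""
    scanner = BlockScanner(signatures)
    hits: List[Tuple[int, str]] = []
    for block in blocks:
        hits.extend(scanner.scan_block(block))
    return hits


def build_sample_blocks() -> List[bytes]:
    """Constructed two-sector write: sig-a is split 12/1 bytes across the
    sector boundary at offset 500; sig-b sits entirely in the second sector."""
    sig_a, sig_b = SIGNATURES["sig-a"], SIGNATURES["sig-b"]
    block0 = b"\x00" * 500 + sig_a[:12]
    block1 = sig_a[12:] + b"\x00" * 100 + sig_b
    block1 += b"\x00" * (SECTOR - len(block1))
    return [block0, block1]


if __name__ == "__main__":
    for offset, name in scan_stream(build_sample_blocks()):
        print(f"{name} at byte offset {offset}")
```

Running the module reports `sig-a` at offset 500 (found only because the 12-byte prefix of the first sector was carried over) and `sig-b` at offset 613; feeding a further all-zero sector produces no repeat of either hit.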