Issue No.02 - March-April (2013 vol.10)
pp: 70-83
Zhiyong Shan , Dept. of Comput. Sci., Renmin Univ. of China, Beijing, China
Xin Wang , Dept. of Electr. & Comput. Eng., Stony Brook Univ., Stony Brook, NY, USA
Tzi-cker Chiueh , Dept. of Comput. Sci., Stony Brook Univ., Stony Brook, NY, USA
A virtual machine (VM) can be simply created upon use and disposed of upon the completion of the tasks or the detection of an error. The disadvantage of this approach is that if there is no malicious activity, the user has to redo all of the work in her actual workspace, since there is no easy way to commit (i.e., merge) only the benign updates within the VM back to the host environment. In this work, we develop a VM commitment system called Secom to automatically eliminate malicious state changes when merging the contents of an OS-level VM to the host. Secom consists of three steps: grouping state changes into clusters, distinguishing between benign and malicious clusters, and committing benign clusters. Secom has three novel features. First, instead of relying on a huge volume of log data, it leverages OS-level information flow and malware behavior information to recognize malicious changes. As a result, the approach imposes a smaller performance overhead. Second, unlike existing intrusion detection and recovery systems that detect compromised OS objects one by one, Secom classifies objects into clusters and then identifies malicious objects on a cluster-by-cluster basis. Third, to reduce the false-positive rate when identifying malicious clusters, it simultaneously considers two malware behaviors of different types together with the origin of the processes that exhibit these behaviors, rather than considering a single behavior alone as existing malware detection methods do. We have successfully implemented Secom on the feather-weight virtual machine system, a Windows-based OS-level virtualization system. Experiments show that the prototype can effectively eliminate malicious state changes while committing a VM with small performance degradation. Moreover, compared with commercial antimalware tools, the Secom prototype has a smaller number of false negatives and thus can more thoroughly clean up malware side effects. In addition, the number of false positives of the Secom prototype is also lower than that achieved by the online behavior-based approach of the commercial tools.
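The three-step commit described in the abstract, modelled as an added Python illustration that is not Secom's own code: the clustering rule (process lineage plus shared-object data flow), the suspicious behavior types and the "two behaviors of different types plus untrusted origin" decision rule are assumptions made for the demonstration, and the VM state changes are a constructed sample.

```python
# Added illustration of the three-step commit the abstract describes; the clustering
# rule, behavior categories and decision rule are assumptions, not Secom's own.
from collections import defaultdict
SUSPICIOUS = {"autostart", "inject", "hide"}  # assumed suspicious behavior types

class UnionFind:
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            x = self.parent[x]
        return x
    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

def cluster_changes(events):
    """Step 1: join a process with its parent and with the first toucher of each object."""
    uf, first_toucher = UnionFind(), {}
    for e in events:
        if e["ppid"] is not None:
            uf.union(e["pid"], e["ppid"])
        uf.union(e["pid"], first_toucher.setdefault(e["obj"], e["pid"]))
    clusters = defaultdict(list)
    for e in events:
        clusters[uf.find(e["pid"])].append(e)
    return list(clusters.values())

def is_malicious(cluster):
    """Step 2: two suspicious behaviors of different types AND an untrusted origin."""
    kinds = {e["behavior"] for e in cluster} & SUSPICIOUS
    return len(kinds) >= 2 and any(e["origin"] == "untrusted" for e in cluster)

def commit(events):
    """Step 3: return (objects merged to the host, objects discarded)."""
    keep, drop = set(), set()
    for c in cluster_changes(events):
        (drop if is_malicious(c) else keep).update(e["obj"] for e in c)
    return sorted(keep), sorted(drop)

RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
EVENTS = [  # constructed sample: one VM state change per entry
    dict(pid=100, ppid=None, origin="trusted", obj=r"C:\Users\me\report.docx", behavior="file"),
    dict(pid=200, ppid=None, origin="untrusted", obj=r"C:\Temp\setup.exe", behavior="file"),
    dict(pid=201, ppid=200, origin="untrusted", obj=RUN + r"\svc", behavior="autostart"),
    dict(pid=201, ppid=200, origin="untrusted", obj=r"C:\Windows\svc.dll", behavior="hide"),
    dict(pid=400, ppid=None, origin="trusted", obj=r"C:\Windows\svc.dll", behavior="file"),
    dict(pid=400, ppid=None, origin="trusted", obj=r"C:\Users\me\notes.txt", behavior="file"),
    dict(pid=300, ppid=None, origin="trusted", obj=RUN + r"\updater", behavior="autostart"),
]
```

The trusted updater's lone autostart entry is kept (a single behavior is not enough), while process 400 is pulled into the malicious cluster through the DLL it loaded, so its notes file is discarded with the rest of that cluster.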
Malware, Virtual machining, Joints, Labeling, Object recognition, Monitoring, Software, virtual machine commitment, Virtual machine, malware behavior, malware detection
Zhiyong Shan, Xin Wang, Tzi-cker Chiueh, "Malware Clearance for Secure Commitment of OS-Level Virtual Machines", IEEE Transactions on Dependable and Secure Computing, vol.10, no. 2, pp. 70-83, March-April 2013, doi:10.1109/TDSC.2012.88