Hypervisor-assisted dynamic malware analysis

Roee S. Leon; Michael Kiperberg; Anat Anatey Leon Zabag; Nezer Jacob Zaidenberg

doi:10.1186/s42400-021-00083-9

Hypervisor-assisted dynamic malware analysis

Roee S. Leon, Michael Kiperberg, Anat Anatey Leon Zabag, Nezer Jacob Zaidenberg

Research output: Contribution to journal › Article › peer-review

Abstract

Malware analysis is a task of utmost importance in cyber-security. Two approaches exist for malware analysis: static and dynamic. Modern malware uses an abundance of techniques to evade both dynamic and static analysis tools. Current dynamic analysis solutions either make modifications to the running malware or use a higher privilege component that does the actual analysis. The former can be easily detected by sophisticated malware while the latter often induces a significant performance overhead. We propose a method that performs malware analysis within the context of the OS itself. Furthermore, the analysis component is camouflaged by a hypervisor, which makes it completely transparent to the running OS and its applications. The evaluation of the system’s efficiency suggests that the induced performance overhead is negligible.

Original language	English
Article number	19
Journal	Cybersecurity
Volume	4
Issue number	1
DOIs	https://doi.org/10.1186/s42400-021-00083-9
State	Published - Dec 2021
Externally published	Yes

All Science Journal Classification (ASJC) codes

Software
Information Systems
Computer Networks and Communications
Artificial Intelligence

Access to Document

10.1186/s42400-021-00083-9

Cite this

@article{3c429d913c66465c83759bc3e6a087b8,

title = "Hypervisor-assisted dynamic malware analysis",

abstract = "Malware analysis is a task of utmost importance in cyber-security. Two approaches exist for malware analysis: static and dynamic. Modern malware uses an abundance of techniques to evade both dynamic and static analysis tools. Current dynamic analysis solutions either make modifications to the running malware or use a higher privilege component that does the actual analysis. The former can be easily detected by sophisticated malware while the latter often induces a significant performance overhead. We propose a method that performs malware analysis within the context of the OS itself. Furthermore, the analysis component is camouflaged by a hypervisor, which makes it completely transparent to the running OS and its applications. The evaluation of the system{\textquoteright}s efficiency suggests that the induced performance overhead is negligible.",

author = "Leon, \{Roee S.\} and Michael Kiperberg and \{Leon Zabag\}, \{Anat Anatey\} and Zaidenberg, \{Nezer Jacob\}",

note = "Publisher Copyright: {\textcopyright} 2021, The Author(s).",

year = "2021",

month = dec,

doi = "10.1186/s42400-021-00083-9",

language = "الإنجليزيّة",

volume = "4",

journal = "Cybersecurity",

issn = "2096-4862",

publisher = "SpringerOpen",

number = "1",

}

TY - JOUR

T1 - Hypervisor-assisted dynamic malware analysis

AU - Leon, Roee S.

AU - Kiperberg, Michael

AU - Leon Zabag, Anat Anatey

AU - Zaidenberg, Nezer Jacob

PY - 2021/12

Y1 - 2021/12

N2 - Malware analysis is a task of utmost importance in cyber-security. Two approaches exist for malware analysis: static and dynamic. Modern malware uses an abundance of techniques to evade both dynamic and static analysis tools. Current dynamic analysis solutions either make modifications to the running malware or use a higher privilege component that does the actual analysis. The former can be easily detected by sophisticated malware while the latter often induces a significant performance overhead. We propose a method that performs malware analysis within the context of the OS itself. Furthermore, the analysis component is camouflaged by a hypervisor, which makes it completely transparent to the running OS and its applications. The evaluation of the system’s efficiency suggests that the induced performance overhead is negligible.

AB - Malware analysis is a task of utmost importance in cyber-security. Two approaches exist for malware analysis: static and dynamic. Modern malware uses an abundance of techniques to evade both dynamic and static analysis tools. Current dynamic analysis solutions either make modifications to the running malware or use a higher privilege component that does the actual analysis. The former can be easily detected by sophisticated malware while the latter often induces a significant performance overhead. We propose a method that performs malware analysis within the context of the OS itself. Furthermore, the analysis component is camouflaged by a hypervisor, which makes it completely transparent to the running OS and its applications. The evaluation of the system’s efficiency suggests that the induced performance overhead is negligible.

UR - http://www.scopus.com/inward/record.url?scp=85107120155&partnerID=8YFLogxK

U2 - 10.1186/s42400-021-00083-9

DO - 10.1186/s42400-021-00083-9

M3 - مقالة

SN - 2096-4862

VL - 4

JO - Cybersecurity

JF - Cybersecurity

IS - 1

M1 - 19

ER -

Hypervisor-assisted dynamic malware analysis

Abstract

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this