Hypervisor Memory Introspection and Hypervisor Based Malware Honeypot

Nezer Jacob Zaidenberg, Michael Kiperberg, Raz Ben Yehuda, Roee Leon, Asaf Algawi, Amit Resh

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

Abstract

Memory acquisition is a tool used in advanced forensics and malware analysis. Various methods of memory acquisition exist. Such solutions are ranging from tools based on dedicated hardware to software-only solutions. We proposed a hypervisor based memory acquisition tool. [22]. Our method supports ASLR and Modern operating systems which is an innovation compared to past methods [27, 36]. We extend the hypervisor assisted memory acquisition by adding mass storage device honeypots for the malware to cross and propose hiding the hypervisor using bluepill technology.

Original languageEnglish
Title of host publicationInformation Systems Security and Privacy - 5th International Conference, ICISSP 2019, Revised Selected Papers
EditorsPaolo Mori, Steven Furnell, Olivier Camp
Pages317-334
Number of pages18
DOIs
StatePublished - 2020
Externally publishedYes
Event5th International Conference on Information Systems Security and Privacy, ICISSP 2019 - Prague, Czech Republic
Duration: 23 Feb 201925 Feb 2019

Publication series

NameCommunications in Computer and Information Science
Volume1221 CCIS

Conference

Conference5th International Conference on Information Systems Security and Privacy, ICISSP 2019
Country/TerritoryCzech Republic
CityPrague
Period23/02/1925/02/19

Keywords

  • Atomicity
  • Forensic soundness
  • Integrity of a memory snapshot
  • Live forensics
  • Memory acquisition
  • Memory forensics
  • Reliability
  • Virtualization

All Science Journal Classification (ASJC) codes

  • General Computer Science
  • General Mathematics

Fingerprint

Dive into the research topics of 'Hypervisor Memory Introspection and Hypervisor Based Malware Honeypot'. Together they form a unique fingerprint.

Cite this