Visualizing and Controlling VMI-Based Malware Analysis in IaaS Cloud

Noëlle Rakotondravony, Hans P. Reiser
Published in: 2016 IEEE 35th Symposium on Reliable Distributed Systems (SRDS), September 2016
DOI: https://doi.org/10.1109/SRDS.2016.035
Citations: 5

Abstract

Security in virtualized environments has benefited from a range of tools for the low-level detection and analysis of malware. In-guest tracing mechanisms can now operate at the assembly-language, system-call, function-call and instruction level to detect and classify malicious activities, and therefore produce large amounts of data about the state of a target system. However, the integrity of such data becomes questionable whenever the host target system is compromised. With virtual machine introspection (VMI), the monitoring tool runs outside the monitored target virtual machine (VM) [1], so the integrity of the retrieved data is ensured even if the target system is compromised. Various works have brought VMI to Infrastructure-as-a-Service (IaaS) cloud environments, allowing cloud users to run (simultaneous) forensic operations on their production VMs. The associated tracing mechanisms can collect large amounts of data in the form of annotated behavior traces or unstandardized log records. A human operator is therefore needed to efficiently parse, represent, visualize and interpret the collected data in order to benefit from its security relevance [2]. Visualization helps analysts investigate, compare and cluster malware samples [3]. Existing visualization tools use recorded information to improve the detection of intrusive behavior in the observed system or the clustering of malware [4]. However, to our knowledge, no existing tool builds pre- to post-exploitation visualization graphs. We present an approach that enhances the detection and analysis of malware in the cloud by providing cloud end-users with the means to efficiently visualize the different security-relevant data collected through multiple VMI-based mechanisms.