Implicit detection of hidden processes with a feather-weight hardware-assisted virtual machine monitor

Yan Wen, Jinjing Zhao, Huaimin Wang, Jiannong Cao

Research output: Chapter in book / Conference proceeding; Conference article published in proceeding or book; Academic research; peer-review

10 Citations (Scopus)

Abstract

Process hiding is a commonly used stealth technique that helps malware evade detection by anti-malware programs. In this paper, we propose a new approach called Aries to implicitly detect hidden processes. Aries introduces a novel feather-weight hardware-assisted virtual machine monitor (VMM) to obtain the True Process List (TPL). Compared to existing VMM-based approaches, Aries offers three distinct advantages: dynamic OS migration, implicit introspection of the TPL, and non-bypassable interfaces for exposing the TPL. Unlike typical VMMs, Aries can dynamically migrate an already-booted OS onto itself. By tracking the low-level interactions between the OS and the memory management structures, Aries is decoupled from explicit OS implementation information, which privileged malware can subvert. Our functionality evaluation shows that Aries can detect more process-hiding malware than existing detectors, while the performance evaluation shows that desktop-oriented workloads achieve 95.2% of native speed on average.
Original language: English
Title of host publication: Information Security and Privacy - 13th Australasian Conference, ACISP 2008, Proceedings
Pages: 361-375
Number of pages: 15
DOIs
Publication status: Published - 1 Dec 2008
Event: 13th Australasian Conference on Information Security and Privacy, ACISP 2008 - Wollongong, NSW, Australia
Duration: 7 Jul 2008 to 9 Jul 2008

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 5107 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 13th Australasian Conference on Information Security and Privacy, ACISP 2008
Country/Territory: Australia
City: Wollongong, NSW
Period: 7/07/08 to 9/07/08

Keywords

  • Hardware-assisted VMM
  • Stealth malware
  • Virtual machine monitor

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)