TY - GEN
T1 - Implicit detection of hidden processes with a feather-weight hardware-assisted virtual machine monitor
AU - Wen, Yan
AU - Zhao, Jinjing
AU - Wang, Huaimin
AU - Cao, Jiannong
PY - 2008/12/1
Y1 - 2008/12/1
N2 - Process hiding is a commonly used stealth technique that facilitates evasion of detection by anti-malware programs. In this paper, we propose a new approach called Aries to implicitly detect hidden processes. Aries introduces a novel feather-weight hardware-assisted virtual machine monitor (VMM) to obtain the True Process List (TPL). Compared to existing VMM-based approaches, Aries offers three distinct advantages: dynamic OS migration, implicit introspection of the TPL, and non-bypassable interfaces for exposing the TPL. Unlike typical VMMs, Aries can dynamically migrate an already-booted OS onto itself. By tracking the low-level interactions between the OS and the memory management structures, Aries is decoupled from explicit OS implementation information, which privileged malware can subvert. Our functionality evaluation shows that Aries can detect more process-hiding malware than existing detectors, while the performance evaluation shows that desktop-oriented workloads achieve 95.2% of native speed on average.
AB - Process hiding is a commonly used stealth technique that facilitates evasion of detection by anti-malware programs. In this paper, we propose a new approach called Aries to implicitly detect hidden processes. Aries introduces a novel feather-weight hardware-assisted virtual machine monitor (VMM) to obtain the True Process List (TPL). Compared to existing VMM-based approaches, Aries offers three distinct advantages: dynamic OS migration, implicit introspection of the TPL, and non-bypassable interfaces for exposing the TPL. Unlike typical VMMs, Aries can dynamically migrate an already-booted OS onto itself. By tracking the low-level interactions between the OS and the memory management structures, Aries is decoupled from explicit OS implementation information, which privileged malware can subvert. Our functionality evaluation shows that Aries can detect more process-hiding malware than existing detectors, while the performance evaluation shows that desktop-oriented workloads achieve 95.2% of native speed on average.
KW - Hardware-assisted VMM
KW - Stealth malware
KW - Virtual machine monitor
UR - http://www.scopus.com/inward/record.url?scp=70349880840&partnerID=8YFLogxK
U2 - 10.1007/978-3-540-70500-0-27
DO - 10.1007/978-3-540-70500-0-27
M3 - Conference article published in proceeding or book
SN - 3540699716
SN - 9783540699712
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 361
EP - 375
BT - Information Security and Privacy - 13th Australasian Conference, ACISP 2008, Proceedings
T2 - 13th Australasian Conference on Information Security and Privacy, ACISP 2008
Y2 - 7 July 2008 through 9 July 2008
ER -