VMI-based Malware Detection in a Virtualization Environment
Outline
• Introduction
• Motivation
• Objective
• Intrusion Detection System
• IDS Techniques
• VMI Techniques
• Types of hypervisors
• XEN Architecture
• VMI Tools
• DRAKVUF
• LibVMI
• Procedure
• Execution flow
• Bibliography
Introduction
• Hacking incidents are increasing every day and security has become a major concern. Companies invest heavily in the safety and confidentiality of their data.
• The existing signature-based techniques [1][2][3] store attack signatures. This requires maintaining a large signature database, and a sample whose signature is not yet in the database is missed.
• Other security approaches (signature-based, static or dynamic analysis) [4][5] in a traditional environment are installed directly inside the monitored machine.
• The main drawback of such in-host security tools is that they run inside the system they protect: if the system gets compromised, the security processes get compromised too.
• Ex. Torpig and Conficker can disable security tools such as Sophos anti-virus.
• Hence traditional in-guest security tools are not sufficient in a virtualization environment: they cannot be protected from a compromised guest, and they do not support advanced features such as Virtual Machine Introspection (VMI) [6].
• Semantic gap issue: moving the monitor out of the guest, into the hypervisor, removes it from the attacker's reach, but the hypervisor then sees only raw memory, registers and hardware events and has to reconstruct OS-level abstractions (processes, files, system calls) from them.
Motivation
With the growing number of hacking incidents, people and organizations lose large amounts of money as well as confidential data. We therefore set out to design an approach that addresses this.
The biggest cybersecurity disasters of 2017 so far [7]:
• Shadow Brokers - The mysterious hacking group known as the Shadow Brokers first surfaced in August 2016, claiming to have breached the spy tools of the elite NSA-linked operation known as the Equation Group.
• WannaCry - On May 12 a strain of ransomware called WannaCry spread around the world, walloping hundreds of thousands of targets, including public utilities and large corporations.
• Petya/NotPetya/Nyetya/Goldeneye - A month or so after WannaCry, another wave of ransomware infections that partially leveraged the Shadow Brokers' Windows exploits hit targets worldwide.
• Cloudbleed - In February, the internet infrastructure company Cloudflare announced that a bug in its platform caused random leakage of potentially sensitive customer data.
• WikiLeaks CIA Vault 7 - On March 7, WikiLeaks published a data trove containing 8,761 documents allegedly stolen from the CIA that contained extensive documentation of alleged spying operations and hacking tools.
Objective
• The aim of this project is "to design and analyze a malware detection approach (particularly dynamic analysis) that detects attacks from outside the Virtual Machine (VM) by making use of Virtual Machine Introspection (VMI)".
IDS – Intrusion Detection System [8]
• a device or software application
• monitors a network or systems for malicious activity or policy violations
• detected activity is reported to an administrator or collected centrally using a security information and event management (SIEM) system
• a SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms
IDS Techniques [9]
• Signature-based malware detection: scans the contents of files and cross-references them with the "code signatures" belonging to known malware. Precise for known samples, but a new or obfuscated variant whose signature is not in the database goes undetected.
• Specification-based malware detection: uses a rule set describing what is considered normal behaviour and decides that a program is malicious when it violates the predefined rules.
• Behaviour-based malware detection: observes what a program actually does at run time (system calls, file, registry and network activity, process creation) and classifies it from that behaviour rather than from its bytes, so it can also catch previously unseen samples. The approach in this deck belongs to this category: the behaviour (system calls) is recorded from outside the VM.
VMI Techniques [10]
In-VM
• avoids the semantic gap problem: an in-VM agent monitors the guest OS from the inside, with native access to the OS abstractions
• exposes guest OS activities to the hypervisor
• the hypervisor's role is to protect the agent and to enable enforcement of the desired security policies
• Eg. Lares, SIM framework
Out-of-VM delivered
• mainly covers early and passive VMI techniques
• bridges the semantic gap using delivered semantic information: knowledge about guest OS internals and the location/definition of the OS data structures of interest is
i. incorporated explicitly in the VMI system,
ii. extracted from the OS source code, or
iii. obtained through kernel symbols if available
• Eg. Livewire, VMwatcher, XenAccess, Virtuoso
• Caveat: a delivered view is only as trustworthy as the guest data structures it reads; a rootkit that manipulates kernel objects (DKOM) can hide from it
Out-of-VM derived
• hardware architectures provide functionalities such as multi-tasking, user privileges, memory management and protection, and system virtualization
• makes use of these functionalities to inspect guest OS activities: observes and interprets hardware states and events (e.g. CR3 switches, page faults, privileged instructions)
• OS-agnostic, resistant to kernel data attacks and to malware evasion
• [10] classifies these VMI techniques into two subcategories:
i. trap handling-based - eg. Antfarm, Lycosid
ii. trap forcing-based - eg. Ether, Nitro, HyperTap
Hybrid techniques
• use a combination of in-VM, delivered and derived techniques
• achieve more robustness and reliability
• extend the range of possible VMI applications
• Four types:
i. trap forcing-based - eg. SecVisor
ii. data redirection - eg. NICKLE, VMST
iii. process transplanting - eg. process out-grafting
iv. function call injection - eg. Syringe, HyperShell
Types of hypervisors [11]
There are two types of hypervisors:
Type 1:
• runs directly on the system hardware
• referred to as a "native", "bare metal" or "embedded" hypervisor
• building the hypervisor into the firmware is proving to be more efficient
• provides higher performance, availability and security, since there is no host OS beneath it to compromise
• Xen, used in this project, is a Type 1 hypervisor; the privileged control domain (dom0) that hosts the introspection tools runs on top of it
Type 2:
• runs on a host OS
• was the most popular kind in the early days of virtualization: admins could buy the software and install it on a server they already had
• used mainly on client systems where efficiency is less critical
XEN Architecture (diagram slide: the Xen hypervisor runs on the bare metal; the privileged control domain dom0 hosts the toolstack, the device drivers and, in this project, the VMI tools; the monitored guests run as unprivileged domU VMs)
VMI Tools [12]
Lares [13] - An Architecture for Secure Active Monitoring Using Virtualization
• Host-based security tools such as anti-virus and intrusion detection systems are not adequately protected on today's computers.
• Malware is often designed to immediately disable any security tools upon installation, rendering them useless.
• Current research has focused on moving these vulnerable security tools into an isolated virtual machine, but this approach cripples the tools by preventing them from doing active monitoring (intercepting events in the guest as they happen).
• Lares describes an architecture that takes a hybrid approach: small hooks placed inside the guest, whose memory the hypervisor write-protects, transfer control to the security tool running in an isolated VM, so the tool can do active monitoring while still benefiting from the increased security of isolation.
Lycosid [14]
• detects running hidden processes
• compares two process list views: a trusted one built from the hypervisor using VMI and an untrusted one obtained with in-guest utilities (e.g. ps, tasklist) run inside the monitored VM
• a difference in the lengths of the two views means that at least one process is hidden (cross-view detection)
• correlating the two views of per-process CPU time consumption then identifies which process is the hidden one
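The two ideas above, the delivered list walk from the VMI Techniques section and Lycosid's cross-view comparison, as an added Python example (this is not code from the deck, from Lycosid or from LibVMI). Everything in it is constructed: the simplified task_struct layout and init_task address stand in for the symbol information a real profile would deliver, the flat va_to_pa() stands in for a page-table walk, and the list of CR3 values stands in for what a hypervisor observes on context switches. The script builds a toy guest memory, hides one process the way a DKOM rootkit does, shows that the delivered list walk (what ps also uses) no longer sees it, and then recovers it by diffing the hypervisor's CR3 view against the list and carving the unlinked task_struct out of memory.

```python
import struct

# Constructed "delivered" semantics for a toy guest kernel: the VA of init_task
# and the field offsets of a simplified task_struct. All values are assumptions
# for this example; a real VMI tool takes them from the guest's kernel symbols
# (e.g. a LibVMI profile), which is the information [10] calls "delivered".
PROFILE = {
    "init_task": 0xFFFFFFFF81000100,  # VA of the kernel's init_task (pid 0)
    "pid": 0,      # u32 process id
    "tasks": 8,    # struct list_head {next, prev}: two u64 pointers
    "pgd": 24,     # u64 page-directory base the task runs with (its CR3 value)
    "comm": 32,    # char[16] process name
    "size": 48,
}
KERNEL_BASE = 0xFFFFFFFF81000000  # toy direct map: pa = va - KERNEL_BASE


def va_to_pa(va):
    """Toy address translation; real VMI walks the guest's page tables."""
    return va - KERNEL_BASE


class GuestMemory:
    """A tiny constructed guest physical memory that the introspector reads."""

    def __init__(self, size=0x1000):
        self.mem = bytearray(size)

    def read(self, va, n):
        pa = va_to_pa(va)
        return bytes(self.mem[pa:pa + n])

    def read_u32(self, va):
        return struct.unpack("<I", self.read(va, 4))[0]

    def read_u64(self, va):
        return struct.unpack("<Q", self.read(va, 8))[0]

    def write_u64(self, va, value):
        struct.pack_into("<Q", self.mem, va_to_pa(va), value)

    def write_task(self, va, pid, pgd, comm, next_va, prev_va):
        # list pointers point at the embedded list_head, not at the struct base
        p = PROFILE
        struct.pack_into("<IxxxxQQQ16s", self.mem, va_to_pa(va), pid,
                         next_va + p["tasks"], prev_va + p["tasks"], pgd, comm.encode())


def walk_task_list(gm):
    """Delivered view: follow init_task.tasks the way `ps` does, via the profile."""
    p = PROFILE
    head = p["init_task"] + p["tasks"]
    procs, cur = [], gm.read_u64(head)            # head.next
    while cur != head and len(procs) < 1024:      # bound: the list may be corrupted
        task = cur - p["tasks"]
        comm = gm.read(task + p["comm"], 16).split(b"\0", 1)[0].decode()
        procs.append((gm.read_u32(task + p["pid"]), comm, gm.read_u64(task + p["pgd"])))
        cur = gm.read_u64(cur)                    # cur->next
    return procs


def dkom_hide(gm, task_va):
    """What a rootkit does to hide a process: unlink it from the tasks list (DKOM)."""
    node = task_va + PROFILE["tasks"]
    nxt, prv = gm.read_u64(node), gm.read_u64(node + 8)
    gm.write_u64(prv, nxt)        # prev->next = next
    gm.write_u64(nxt + 8, prv)    # next->prev = prev


def carve_task_by_pgd(gm, pgd):
    """Scan memory for a task_struct whose pgd field equals `pgd` (psscan-style)."""
    p = PROFILE
    for pa in range(0, len(gm.mem) - p["size"], 8):
        if struct.unpack_from("<Q", gm.mem, pa + p["pgd"])[0] != pgd:
            continue
        va = pa + KERNEL_BASE
        comm = gm.read(va + p["comm"], 16).split(b"\0", 1)[0]
        if comm and comm.isascii() and comm.decode().isprintable():
            return (gm.read_u32(va + p["pid"]), comm.decode(), pgd)
    return None


def cross_view_hidden(gm, cr3_trace):
    """Lycosid-style cross-view check: a CR3 value the hypervisor saw being loaded
    (derived view) that no task in the delivered view explains belongs to a hidden
    process; carving the task_struct then names it."""
    listed = {pgd for _, _, pgd in walk_task_list(gm)}
    return [carve_task_by_pgd(gm, pgd) for pgd in sorted(set(cr3_trace) - listed)]


def build_guest():
    """Constructed guest with swapper (init_task), sshd and a backdoor process."""
    gm = GuestMemory()
    init, sshd, door = PROFILE["init_task"], KERNEL_BASE + 0x200, KERNEL_BASE + 0x300
    gm.write_task(init, 0, 0x1000, "swapper", sshd, door)
    gm.write_task(sshd, 1234, 0x2000, "sshd", door, init)
    gm.write_task(door, 6666, 0x3000, "backdoor", init, sshd)
    return gm, door


if __name__ == "__main__":
    gm, door = build_guest()
    print("delivered view:", walk_task_list(gm))
    dkom_hide(gm, door)
    print("after DKOM:    ", walk_task_list(gm))
    # CR3 values observed at the hypervisor on context switches (constructed)
    print("hidden:        ", cross_view_hidden(gm, [0x2000, 0x3000, 0x2000]))
```

The walk is bounded and reads only through the profile, which is why it is cheap but blind to DKOM; the CR3 trace costs a trap per context switch but cannot be faked by editing kernel lists, which is the trade-off between delivered and derived views that the survey describes.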
DRAKVUF [15]
• a virtualization-based, agentless, black-box binary analysis system built on Xen and LibVMI
• allows in-depth execution tracing of arbitrary binaries (in this project: the system calls they make)
• no special software is required inside the virtual machine used for analysis, so there is no in-guest agent for the sample to disable
LibVMI [16]
• a C library with Python bindings
• makes it easy to monitor the low-level details of a running virtual machine from the hypervisor side:
• view its memory
• trap on hardware events
• access the vCPU registers
Procedure
Installing all the required software on the host
• Installation of the Xen hypervisor, LibVMI, DRAKVUF and utility updates in dom0, and partitioning and installation of the Ubuntu guest used as the analysis VM.
Bringing the malware into the VM
• Download the malware dataset and run the executables inside the analysis VM to record the system calls they make. The VM is isolated and restored from a clean snapshot between samples, and its network access is restricted so a sample cannot spread.
Extracting system calls through VMI
• Extract the system calls of the running sample through VMI via the Xen hypervisor by issuing DRAKVUF commands in the dom0 (host) terminal; nothing is installed inside the guest.
Preparation of the dataset
• Prepare a labelled dataset of traces from both normal and infected files for the following steps.
Feature extraction
• Record the frequency of particular system calls, and the appearance of byte codes and strings, as a bag-of-words feature vector per sample.
Classification using machine learning
• Apply machine learning in Python to classify the given files as malicious or normal.
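The last four steps of the procedure carried through end to end, as an added Python example (not the project's own code): parse a per-syscall trace into an ordered call list, turn it into a bag-of-words (syscall n-gram frequency) feature vector, train a classifier on labelled benign and malicious traces, and classify an unseen one. The trace format and every sample are constructed for the example and only loosely modelled on the per-syscall lines a hypervisor tracer such as DRAKVUF's syscall plugin emits; the field layout is an assumption, not DRAKVUF's real format. The classifier is a hand-written multinomial naive Bayes so the block runs with the standard library alone.

```python
import math
import re
from collections import Counter

# Constructed line format (assumption): "[SYSCALL] vcpu=N pid=N proc="x.exe" NtXxx"
LINE_RE = re.compile(r'\[SYSCALL\].*?proc="(?P<proc>[^"]+)"\s+(?P<call>Nt\w+)')


def make_trace(proc, pid, calls):
    """Build a constructed trace for one sample (constructed data, not a real capture)."""
    return "\n".join(f'[SYSCALL] vcpu=0 pid={pid} proc="{proc}" {c}' for c in calls)


def parse_calls(trace):
    """Return the ordered list of syscall names found in a trace; skip junk lines."""
    calls = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if m:
            calls.append(m.group("call"))
    return calls


def bag_of_words(calls, n=1):
    """Frequency of each syscall n-gram: the feature vector of one sample."""
    return Counter(tuple(calls[i:i + n]) for i in range(len(calls) - n + 1))


class MultinomialNB:
    """Multinomial naive Bayes over n-gram counts with Laplace smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha

    def fit(self, feature_vectors, labels):
        self.classes = sorted(set(labels))
        self.counts = {c: Counter() for c in self.classes}
        self.vocab = set()
        for fv, label in zip(feature_vectors, labels):
            self.counts[label].update(fv)
            self.vocab.update(fv)
        self.log_prior = {c: math.log(labels.count(c) / len(labels)) for c in self.classes}
        return self

    def log_scores(self, fv):
        v = len(self.vocab)
        scores = {}
        for c in self.classes:
            total = sum(self.counts[c].values())
            s = self.log_prior[c]
            for feat, n in fv.items():   # smoothed log P(feat | class), once per occurrence
                s += n * math.log((self.counts[c][feat] + self.alpha) / (total + self.alpha * v))
            scores[c] = s
        return scores

    def predict(self, fv):
        scores = self.log_scores(fv)
        return max(scores, key=scores.get)


# Constructed labelled traces. The ransomware-like loop opens, reads, overwrites
# and renames files; the dropper writes a file, starts it and adds a registry value.
RANSOM_LOOP = ["NtOpenFile", "NtReadFile", "NtWriteFile", "NtSetInformationFile", "NtClose"]
TRAINING = [
    (make_trace("notepad.exe", 1204, ["NtOpenFile", "NtReadFile", "NtQueryInformationFile",
                                      "NtClose", "NtOpenFile", "NtReadFile", "NtClose"]), "benign"),
    (make_trace("explorer.exe", 880, ["NtOpenKey", "NtQueryValueKey", "NtClose"] * 2
                                     + ["NtOpenFile", "NtReadFile", "NtClose"]), "benign"),
    (make_trace("crypt.exe", 3120, RANSOM_LOOP * 4 + ["NtDeleteFile"]), "malicious"),
    (make_trace("dropper.exe", 2996, ["NtCreateFile", "NtWriteFile", "NtClose", "NtCreateUserProcess",
                                      "NtOpenKey", "NtSetValueKey", "NtClose"]), "malicious"),
]


def train(ngram=1):
    vectors = [bag_of_words(parse_calls(t), ngram) for t, _ in TRAINING]
    return MultinomialNB().fit(vectors, [label for _, label in TRAINING])


def classify(model, trace, ngram=1):
    return model.predict(bag_of_words(parse_calls(trace), ngram))


if __name__ == "__main__":
    model = train()
    print(classify(model, make_trace("sample.exe", 4410, RANSOM_LOOP * 3)))
```

Four training traces are enough to show the pipeline, not to build a detector: with a real dataset the feature extraction stays the same, while the classifier and its evaluation (held-out samples, false-positive rate on benign software) are what decide whether the approach works.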
Execution Flow of Approach
Bibliography
1. F. Anjum, D. Subhadrabandhu, S. Sarkar, "Signature based intrusion detection for wireless ad-hoc networks: a comparative study of various routing protocols," in Proc. IEEE Vehicular Technology Conference (VTC), 2003.
2. N. Hubballi, V. Suryanarayanan, "False alarm minimization techniques in signature-based intrusion detection systems: A survey," Computer Communications, Elsevier, 2014.
3. Y. Tang, S. Chen, "Defending against Internet worms: a signature-based approach," in Proc. IEEE INFOCOM, 2005.
4. P. Mishra, E. S. Pilli, V. Varadharajan, U. Tupakula, "Intrusion detection techniques in cloud environment: A survey," Journal of Network and Computer Applications 77 (2017), pp. 18–47.
5. M. Almorsy, J. Grundy, I. Müller, "An analysis of the cloud computing security problem," arXiv preprint arXiv:1609.01107, 2016.
6. Y. Hebbal, S. Laniepce, J.-M. Menaud, "Virtual Machine Introspection: Techniques and Applications," in Proc. 10th International Conference on Availability, Reliability and Security (ARES), IEEE, 2015.
7. https://www.wired.com/story/2017-biggest-hacks-so-far/
8. https://en.wikipedia.org/wiki/Intrusion_detection_system
9. http://www.forum-intrusion.com/archive/Intrusion%20Detection%20Techniques%20and%20Approaches.htm
10. Y. Hebbal, S. Laniepce, J.-M. Menaud, "Virtual Machine Introspection: Techniques and Applications," in Proc. 10th International Conference on Availability, Reliability and Security (ARES), IEEE, 2015.
11. http://searchservervirtualization.techtarget.com/feature/Whats-the-difference-between-Type-1-and-Type-2-hypervisors
12. Y. Hebbal, S. Laniepce, J.-M. Menaud, "Virtual Machine Introspection: Techniques and Applications," in Proc. 10th International Conference on Availability, Reliability and Security (ARES), IEEE, 2015.
13. B. D. Payne, M. Carbone, M. Sharif, W. Lee, "Lares: An architecture for secure active monitoring using virtualization," in Proc. IEEE Symposium on Security and Privacy (SP 2008), pp. 233–247, May 2008.
14. B. D. Payne, M. Carbone, W. Lee, "Secure and flexible monitoring of virtual machines," in Proc. 23rd Annual Computer Security Applications Conference (ACSAC 2007), pp. 385–397, IEEE, 2007.
15. https://drakvuf.com/
16. http://libvmi.com/
Thank you
Appendix: screenshot slides
• Working on IDA Pro: disassembling Steam.exe
• Screenshots taken while installing DRAKVUF
• Starting the VM
• Viewing the process list of the VM
• Viewing the system calls made in the VM
