Network Based Malware Detection within Virtualised Environments

Chouhan, Pushpinder Kaur; Hagan, Matthew; McWilliams, Gavin; Sezer, Sakir

doi:10.1007/978-3-319-14325-5_29

Cited by 9 publications

(4 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The summary category further contains the file, registries, and other related information. Network related features: Network‐based malware detection 48 is a significant part of malware detection. The type of network access indicates the presence of malware, as malware may download files, replicates itself over the network, access malicious URLs, and so on.…”

Section: Resultsmentioning

confidence: 99%

Automated Windows behavioral tracing for malware analysis

Rana

Kumar

Handa

et al. 2022

Security and Privacy

View full text Add to dashboard Cite

In malware analysis, there are two problem scenarios—detection and prevention. In prevention, analysts try to quarantine the file before it gets executed in a real system. The file is further analyzed in a sandbox to observe the behavior. Hence, our work shows that our agent captures events for malware analysis. After integration with the sandbox, it produces robust and efficient models. ETW is a Windows in‐build tool with kernel‐level access. We develop an agent using ETW in C++ with proper usage details. We collect data using cuckoo sandbox and ETW agent for 11 546 samples and perform comparative frequency analysis. The performance of various machine learning classifiers is examined on the behavioral data. Random Forest classifier performs the best on the combined (cuckoo+ETW) data with an accuracy of 99.68% and FPR of 0.45%. The improved performance of combined data over cuckoo data on packed and un‐seen malware is also significantly good. In the detection, if malware somehow escapes from the deployed prevention mechanism and gets executed, the analyst tries to detect malicious actions and respond before it is too late. Our agent can tackle such issues and can function as a standalone host‐based monitoring agent to extract kernel‐level information.

show abstract

Section: Resultsmentioning

confidence: 99%

Automated Windows behavioral tracing for malware analysis

Rana

Kumar

Handa

et al. 2022

Security and Privacy

View full text Add to dashboard Cite

show abstract

“…Operation with special control over physical infrastructure. The host operating system can view and control virtual machines [4]. This approach is simple, but when an attacker manages host operating system scripts, all guest operating systems have control over the host operating system on that kernel.…”

Section: Figure1operating System Based Virtualizationmentioning

confidence: 99%

“…Malware detection in a virtualized infrastructure Malware is any executable file designed to compromise the integrity of a running system. There are two popular approaches for detecting malware in cloud computing, namely collaboration within and outside the VM and hypervisor-assisted malware detection [4].…”

Section: Figure 3 Hypervisor Based Virtualizationmentioning

confidence: 99%

Identification of Unsaturated Attacks in Virtualized Infrastructures With Big Data Analytics in Cloud Computing

Vinod Kumar,

Vardhan,

Subba Rao

et al. 2023

JNAO

View full text Add to dashboard Cite

Security systems to protect virtualized cloud architecture typically include two types of malware detection and security analysis. Detecting malware typically involves two steps, monitoring the hotspots at various points in the virtualized infrastructure, and then using a regularly updated attack signature database to detect the presence of malware. 'Attack. It allows real-time detection of attacks, the use of special signature databases that are vulnerable to zero- day attacks that do not have attack signatures, and therefore traditional infrastructure. cannot detect complex attacks on virtualized infrastructure. Similarly, security analysis eliminates the need for signature databases using event correlation to detect previously undetected attacks, which are often unmanaged, and the current implementation is scalable in nature. In this article, we recommend BDSA's approach to establish a three-tier system for the continuous detection of future attacks. Initially, network logs from the visiting virtual machine and client application logsare sometimes collected from the visiting virtual machines and stored in HDFS. At this point, the strengths of the attack are removed with a connection scheme and a Map Reduce analyzer. Our BDSA approach uses HDFS distribution management and Spark's map-reduction display capability to address security and speed and volume issues.

show abstract

“…A hypervisor-assisted malware detection scheme is designed in [6] to detect botnet activity within the guest VMs. The scheme installs a network sniffer on the hypervisor to monitor external traffic as well as inter-VM traffic.…”

Section: Hypervisor-assisted Malware Detectionmentioning

confidence: 99%