Security analysts and attackers engage in an arms race, driving the evolution of malware analysis. Consequently, developing an effective malware detection model has become essential to detect emerging threats leveraging the virtualization environment. In this paper, we design and develop a real-time attack-resilient malware detection framework that analyzes binary executables in bare-metal virtualization servers for identifying malevolent behavior. The framework is intended as a web-based service model that retrieves binary files from end-user machines and executes them in the server by creating virtual machines (VMs) on the fly and performing process injection inside the VM. It extracts runtime execution logs at the hypervisor (outside the VM), then pre-processes and cleans the collected tracing logs before providing them to the deep learning model. Primarily, system calls and dynamic link libraries are considered for analysis. Furthermore, a functional prototype is developed as a web-service for malware scanning using the Streamlit framework to perform real-time Windows PEs analysis. The prototype generates and sends the prediction reports to end-users for further action. The proposed framework achieves the highest accuracy of 98.125% and an F1-score of 98.119% using emerging malware executables.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

vKavach: A Real-Time Attack Resilient Malware Detector in Virtualization Environment

  • Avantika Gaur,
  • Mohit Bhatt,
  • Saksham Badoni,
  • Preeti Mishra,
  • P. Vinod

摘要

Security analysts and attackers engage in an arms race, driving the evolution of malware analysis. Consequently, developing an effective malware detection model has become essential to detect emerging threats leveraging the virtualization environment. In this paper, we design and develop a real-time attack-resilient malware detection framework that analyzes binary executables in bare-metal virtualization servers for identifying malevolent behavior. The framework is intended as a web-based service model that retrieves binary files from end-user machines and executes them in the server by creating virtual machines (VMs) on the fly and performing process injection inside the VM. It extracts runtime execution logs at the hypervisor (outside the VM), then pre-processes and cleans the collected tracing logs before providing them to the deep learning model. Primarily, system calls and dynamic link libraries are considered for analysis. Furthermore, a functional prototype is developed as a web-service for malware scanning using the Streamlit framework to perform real-time Windows PEs analysis. The prototype generates and sends the prediction reports to end-users for further action. The proposed framework achieves the highest accuracy of 98.125% and an F1-score of 98.119% using emerging malware executables.