Linux Malicious Application Detection Scheme Based on Virtual Machine Introspection

doi:10.3969/j.issn.1671-1122.2024.05.001

Abstract

Abstract:

With the rapid development of the Internet of things and cloud computing technology, the number and type of Linux malware have increased dramatically. Therefore, how to effectively detect Linux malware has become one of the important research directions in the security field. To solve this problem, this paper proposed a Linux malicious application detection scheme based on virtual machine introspection. This scheme utilized the virtual machine introspection technology to securely obtain the internal running status outside the sandbox, realized all-round monitoring while avoiding the anti-dynamic analysis technology of malware at the same time. Compared to other sandbox monitoring methods, this scheme improved malware performance in the sandbox. In order to pay more attention to the timing between features, a timing processing model was used to model and train the feature information obtained by the sandbox, aiming to judge whether a Linux application was malicious. In this paper, three kinds of neural network were used, including recurrent neural network, long short-term memory network and gated recurrent unit network. The experimental results show that the long short-term memory network works better in this application scenario, with an accuracy rate of 98.02% and a higher recall rate. The innovation of this paper is that the combination of virtual machine introspection technology and neural network model is applied to malicious application detection, which can not only monitor the inside of the virtual machine outside the virtual machine, but also pay attention to the timing between features.

Key words: malicious application detection, virtual machine introspection, deep neural network, Linux sandbox

CLC Number:

TP309

WEN Weiping, ZHANG Shichen, WANG Han, SHI Lin. Linux Malicious Application Detection Scheme Based on Virtual Machine Introspection[J]. Netinfo Security, 2024, 24(5): 657-666.

Figures/Tables 25

References 15

[1]	CNCERT/CC. 2020 China Internet Network Security Report[EB/OL]. (2021-07-21)[2023-08-01]. http://www.cac.gov.cn/2021-07/21/c_1628454189500041.htm.
	国家计算机网络应急技术处理协调中心. 2020年中国互联网网络安全报告[EB/OL]. (2021-07-21)[2023-08-01]. http://www.cac.gov.cn/2021-07/21/c_1628454189500041.htm.
[2]	CNCERT/CC. Overview of China’s Internet Network Security Situation in 2020[EB/OL]. (2021-05-26)[2023-08-01]. http://www.cac.gov.cn/2021-05/26/c_1623610314656045.htm.
	国家计算机网络应急技术处理协调中心. 2020年我国互联网网络安全态势综述[EB/OL]. (2021-05-26)[2023-08-01]. http://www.cac.gov.cn/2021-05/26/c_1623610314656045.htm.
[3]	FANG Zhan, LIU Jun, HUANG Ribian, et al. Research on Multi-Model Android Malicious Application Detection Based on Feature Fusion[C]// IEEE. 2021 4th International Conference on Robotics, Control and Automation Engineering (RCAE). New York: IEEE, 2021: 318-325.
[4]	QIU Hongyuan, FERNANDO C. COLON O. Static Malware Detection with Segmented Sandboxing[EB/OL]. (2013-10-22)[2023-08-01]. https://ieeexplore.ieee.org/document/6703695.
[5]	ALKHATEEB E M S. Dynamic Malware Detection Using API Similarity[EB/OL]. (2017-09-14)[2023-08-01]. https://ieeexplore.ieee.org/document/8031489.
[6]	KEDZIORA M, GAWIN P, SZCZEPANIK M, et al. Malware Detection Using Machine Learning Algorithms and Reverse Engineering of Android Java Code[EB/OL]. (2019-01-29)[2023-08-01]. https://www.researchgate.net/publication/331245836_Malware_Detection_Using_Machine_Learning_Algorithms_and_Reverse_Engineering_of_Android_Java_Code.
[7]	BAUMAN E, AYOADE G, LIN Zhiqiang. A Survey on Hypervisor-Based Monitoring: Approaches, Applications, and Evolutions[J]. ACM Computing Surveys (CSUR), 2015, 48(1): 1-33.
[8]	LI Baohui, XU Kefu, ZHANG Peng, et al. Research and Application Progress of Virtual Machine Introspection Technology[J]. Journal of Software, 2016, 27(6): 1384-1401.
[9]	ROSENBLUM M, GARFINKEL T. Virtual Machine Monitors: Current Technology and Future Trends[J]. Computer, 2005, 38(5): 39-47.
[10]	HOCHREITER S, SCHMIDHUBER J. Long Short-Term Memory[J]. Neural Computation, 1997, 9(8): 1735-1780. doi: 10.1162/neco.1997.9.8.1735 pmid: 9377276
[11]	TAN Liuyan, RUAN Shuhua, YANG Min, et al. Educational Data Classification Based on Deep Learning[J]. Netinfo Security, 2023, 23(3): 96-102.
[12]	DEY R, SALEM F M. Gate-Variants of Gated Recurrent Unit (GRU) Neural Networks[EB/OL]. (2017-10-02)[2023-08-01]. https://ieeexplore.ieee.org/document/8053243.
[13]	KUMAR R, CHARU S. An Importance of Using Virtualization Technology in Cloud Computing[J]. Global Journal of Computers & Technology, 2015, 1(2): 2623-2634.
[14]	ZHANG Jixin, ZHANG Kehuan, QIN Zheng, et al. Sensitive System Calls Based Packed Malware Variants Detection Using Principal Component Initialized Multilayers Neural Networks[J]. Cybersecurity, 2018(10): 21-34.
[15]	RABADI D, TEO S G. Advanced Windows Methods on Malware Detection and Classification[C]// ACM. The 36th Annual Computer Security Applications Conference (ACSAC’20). New York: ACM, 2020: 54-68.

沙箱结构	参数名称	具体参数
Guest	操作系统	Linux Ubuntu18.04
	内存	4 GB
	CPU	4核
	开源工具	HVMI
	开发语言	C、Python3.6.8
Target	操作系统	Linux Ubuntu18.04
	内存	4 GB
	CPU	2核
Host	操作系统	Linux Ubuntu18.04
	内存	8 GB
	CPU	6核
	软件版本	Qemu4.2.1、kvm

实验环境	具体信息
操作系统	Ubuntu
CPU	Intel(R) Xeon(R) Platinum 8369 B CPU @2.90 GHz
GPU	A100(80 GB)
内存	128 GB
开发语言	Python 3.10.11
深度学习框架	Keras2.2.5

恶意行为	系统指令污染	服务创建/自启动	敏感文件读取	文件创建	删除文件	文件权限更改	获取系统相关信息	Bash执行命令	休眠躲避
微步	—	√	√	√	√	—	√	—	—
阿里云	√	√	√	√	—	√	√	√	√
HVMI	√	√	√	√	√	√	√	√	√

恶意行为	服务创建/自启动	创建守护进程	获取系统相关信息	查看网络配置	修改进程命令行
微步	—	—	—	√	—
阿里云	√	√	√	—	√
HVMI	√	√	√	√	—

恶意行为	反调试	敏感文件读取	文件权限更改	获取系统相关信息	Bash执行命令
微步	√	√	—	√	—
阿里云	—	√	√	—	√
HVMI	√	√	√	√	√