{"title":"Osiris:一个在虚拟机监控层实现的恶意软件行为捕获系统","authors":"Ying Cao, Jiachen Liu, Qiguang Miao, Weisheng Li","doi":"10.1109/CIS.2012.126","DOIUrl":null,"url":null,"abstract":"Capturing behavior of malware is one of the essential prerequisites for dynamic malware analysis. In this paper, we study and design a system called Osiris, which makes use of virtual machine technique to capture malware behavior. In particularly, we monitor Windows API calls invoked by the process under analysis (or target program) to rebuild its behaviors. The monitor is implemented at the virtual machine manager layer rather than inside the Guest OS, which is an innovation compared to other available methods. Qemu, an open-source system emulator, is used as the emulator component of Osiris. By modifying Qemu's translation process, an API analysis framework is inserted to intercept API calls. Besides this, Osiris also collects security relevant OS kernel data directly from virtual memory for further analysis. Osiris has advantages over previous systems in that it requires no complex analysis environment and does not interfere the execution of target programs. It overcomes the deficiencies previous ones employed that the information collected is incomplete and imprecise. These features make Osiris an ideal tool for automatic malware analysis. It can provide fine data for behavior-based malware detection.","PeriodicalId":294394,"journal":{"name":"2012 Eighth International Conference on Computational Intelligence and Security","volume":"54 6 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2012-11-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"14","resultStr":"{\"title\":\"Osiris: A Malware Behavior Capturing System Implemented at Virtual Machine Monitor Layer\",\"authors\":\"Ying Cao, Jiachen Liu, Qiguang Miao, Weisheng Li\",\"doi\":\"10.1109/CIS.2012.126\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Capturing behavior of malware is one of the essential prerequisites for dynamic malware analysis. In this paper, we study and design a system called Osiris, which makes use of virtual machine technique to capture malware behavior. In particularly, we monitor Windows API calls invoked by the process under analysis (or target program) to rebuild its behaviors. The monitor is implemented at the virtual machine manager layer rather than inside the Guest OS, which is an innovation compared to other available methods. Qemu, an open-source system emulator, is used as the emulator component of Osiris. By modifying Qemu's translation process, an API analysis framework is inserted to intercept API calls. Besides this, Osiris also collects security relevant OS kernel data directly from virtual memory for further analysis. Osiris has advantages over previous systems in that it requires no complex analysis environment and does not interfere the execution of target programs. It overcomes the deficiencies previous ones employed that the information collected is incomplete and imprecise. These features make Osiris an ideal tool for automatic malware analysis. It can provide fine data for behavior-based malware detection.\",\"PeriodicalId\":294394,\"journal\":{\"name\":\"2012 Eighth International Conference on Computational Intelligence and Security\",\"volume\":\"54 6 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2012-11-17\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"14\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2012 Eighth International Conference on Computational Intelligence and Security\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/CIS.2012.126\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2012 Eighth International Conference on Computational Intelligence and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CIS.2012.126","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Osiris: A Malware Behavior Capturing System Implemented at Virtual Machine Monitor Layer
Capturing behavior of malware is one of the essential prerequisites for dynamic malware analysis. In this paper, we study and design a system called Osiris, which makes use of virtual machine technique to capture malware behavior. In particularly, we monitor Windows API calls invoked by the process under analysis (or target program) to rebuild its behaviors. The monitor is implemented at the virtual machine manager layer rather than inside the Guest OS, which is an innovation compared to other available methods. Qemu, an open-source system emulator, is used as the emulator component of Osiris. By modifying Qemu's translation process, an API analysis framework is inserted to intercept API calls. Besides this, Osiris also collects security relevant OS kernel data directly from virtual memory for further analysis. Osiris has advantages over previous systems in that it requires no complex analysis environment and does not interfere the execution of target programs. It overcomes the deficiencies previous ones employed that the information collected is incomplete and imprecise. These features make Osiris an ideal tool for automatic malware analysis. It can provide fine data for behavior-based malware detection.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
