Abstract
Malware analysis relies on monitoring the behavior of a suspected application within a confined, controlled and secure environment. These environments are commonly referred to as "sandboxes" and are often virtualized replicas of a regular system. Hypervisor-based sandboxes were among the most commonly used techniques for malware analysis during the last decade; however, these sandboxes often do not provide the stealth and transparency required to deceive the malware into believing that it is running on a target machine. This is due to the differences between virtualized systems and bare-metal ones, differences which malware exploits as detection artifacts. In this paper, we address this problem by exploring the use of container-based environments as an alternative to hypervisor-based sandboxes for malware analysis. More precisely, we explore different ways to monitor containerized applications and to make these containers act and look as close to real systems as possible. Our experimental results reveal that Docker containers are a promising option for a sandbox. However, this option comes at the cost of new detection artifacts, which make containers subject to fingerprinting through various sources that malware can easily find. We explore these sources and try to address them by various means, including system-call introspection. Finally, based on our findings, we introduce a container detection tool that gives the research community an opportunity to investigate malware analysis through containers in more detail.
| Original language | English |
|---|---|
| Title of host publication | Proceedings of the 12th IEEE/ACM International Conference on Utility and Cloud Computing (UCC '19) |
| Publisher | Association for Computing Machinery, Inc |
| Pages | 219-227 |
| Number of pages | 9 |
| ISBN (Print) | 9781450368940 |
| DOIs | |
| Publication status | Published - 2 Dec 2019 |
| Externally published | Yes |
| Event | 12th IEEE/ACM International Conference on Utility and Cloud Computing - Auckland, New Zealand |
| Duration | 2 Dec 2019 → 5 Dec 2019 |
| Conference number | 12 |
Conference
| Conference | 12th IEEE/ACM International Conference on Utility and Cloud Computing |
|---|---|
| Abbreviated title | UCC 2019 |
| Country/Territory | New Zealand |
| City | Auckland |
| Period | 2/12/19 → 5/12/19 |