Container-based Sandboxes for Malware Analysis: A Compromise Worth Considering

Ayrat Khalimov, Sofiane Benahmed, Rasheed Hussain, S. M. Ahsan Kazmi, Alma Oracevic, Fatima Hussain, Farhan Ahmad, Chaker Abdelaziz Kerrache

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

10 Citations (Scopus)

Abstract

Malware analysis relies on monitoring the behavior of a suspected application within a confined, controlled and secure environment. These environments are commonly referred to as "sandboxes" and are often virtualized replicas of a regular system. Hypervisor-based sandboxes were among the most commonly used techniques for malware analysis during the last decade; however, these sandboxes often do not provide the stealth and transparency required to deceive the malware into believing that it is being run on a target machine. This is due to the differences between virtualized systems and bare-metal ones, differences which are exploited by the malware as detection artifacts. In this paper, we address the aforementioned problem by exploring the use of container-based environments as an alternative to hypervisor-based sandboxes for malware analysis. More precisely, we explore different ways to monitor containerized applications and make these containers act and look as close to real systems as possible. Our experimental results revealed that Docker containers are a promising option for a sandbox. However, this option comes at the cost of new detection artifacts, which make containers subject to fingerprinting through different sources that malware can easily find. We explore these sources and try to address them by various means, including system-call introspection. Finally, based on our discoveries, we introduce a container detection tool that will give the research community an opportunity to investigate malware analysis through containers in more detail.

Original language: English
Title of host publication: Proceedings of the 12th IEEE/ACM International Conference on Utility and Cloud Computing (UCC '19)
Publisher: Association for Computing Machinery, Inc
Pages: 219-227
Number of pages: 9
ISBN (Print): 9781450368940
Publication status: Published - 2 Dec 2019
Externally published: Yes
Event: 12th IEEE/ACM International Conference on Utility and Cloud Computing - Auckland, New Zealand
Duration: 2 Dec 2019 → 5 Dec 2019
Conference number: 12

Conference

Conference: 12th IEEE/ACM International Conference on Utility and Cloud Computing
Abbreviated title: UCC 2019
Country/Territory: New Zealand
City: Auckland
Period: 2/12/19 → 5/12/19
