DOI: 10.1145/3344341.3368810

Container-based Sandboxes for Malware Analysis: A Compromise Worth Considering

Published: 02 December 2019

Abstract

Malware analysis relies on monitoring the behavior of a suspected application within a confined, controlled and secure environment. These environments are commonly referred to as "Sandboxes" and are often virtualized replicas of a regular system. Hypervisor-based sandboxes were among the most commonly used techniques for malware analysis during the last decade; however, these sandboxes often do not provide the stealth and transparency required to deceive the malware into believing that it is running on a target machine. This is due to the differences between virtualized systems and bare-metal ones, differences which malware exploits as detection artifacts. In this paper, we address this problem by exploring the use of container-based environments as an alternative to hypervisor-based sandboxes for malware analysis. More precisely, we explore different ways to monitor containerized applications and to make these containers act and look as close to real systems as possible. Our experimental results revealed that Docker containers are a promising option for a sandbox. However, this option comes at the cost of new detection artifacts that make containers subject to fingerprinting through different sources that malware can easily find. We explore these sources and try to address them by various means, including system-call introspection. Finally, based on our discoveries, we introduce a container detection tool that will give the research community an opportunity to investigate malware analysis through containers in more detail.



Published In

UCC'19: Proceedings of the 12th IEEE/ACM International Conference on Utility and Cloud Computing
December 2019
307 pages
ISBN:9781450368940
DOI:10.1145/3344341
Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. application security
  2. containerized application
  3. docker
  4. malware analysis
  5. sandboxes
  6. software security

Qualifiers

  • Research-article

Conference

UCC '19

Acceptance Rates

Overall Acceptance Rate 38 of 125 submissions, 30%


Article Metrics

  • Downloads (last 12 months): 94
  • Downloads (last 6 weeks): 9
Reflects downloads up to 14 Nov 2024

Cited By

  • (2024) Everyone for Themselves? A Qualitative Study about Individual Security Setups of Open Source Software Contributors. 2024 IEEE Symposium on Security and Privacy (SP), pp. 1065-1082. https://doi.org/10.1109/SP54263.2024.00214. Online publication date: 19-May-2024.
  • (2024) NLP-Driven Malware Classification: A Jaccard Similarity Approach. 2024 IEEE International Conference on Information Technology, Electronics and Intelligent Communication Systems (ICITEICS), pp. 1-8. https://doi.org/10.1109/ICITEICS61368.2024.10624953. Online publication date: 28-Jun-2024.
  • (2023) A review of security issues and solutions for precision health in Internet-of-Medical-Things systems. Security and Safety 2, article 2022010. https://doi.org/10.1051/sands/2022010. Online publication date: 31-Jan-2023.
  • (2022) Evasion Techniques for VM-based Black-Box Software Analysis. 2022 IEEE International Workshop on Metrology for Industry 4.0 & IoT (MetroInd4.0&IoT), pp. 311-316. https://doi.org/10.1109/MetroInd4.0IoT54413.2022.9831535. Online publication date: 7-Jun-2022.
  • (2021) An automated framework for runtime analysis of malicious executables on Linux. Telfor Journal 13:2, pp. 87-91. https://doi.org/10.5937/telfor2102087V. Online publication date: 2021.
  • (2021) Towards Transparent and Stealthy Android OS Sandboxing via Customizable Container-Based Virtualization. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 2858-2874. https://doi.org/10.1145/3460120.3484544. Online publication date: 12-Nov-2021.
  • (2021) Robust Spammer Detection Using Collaborative Neural Network in Internet-of-Things Applications. IEEE Internet of Things Journal 8:12, pp. 9549-9558. https://doi.org/10.1109/JIOT.2020.3003802. Online publication date: 15-Jun-2021.
  • (2021) CONSERVE: A framework for the selection of techniques for monitoring containers security. Journal of Systems and Software, article 111158. https://doi.org/10.1016/j.jss.2021.111158. Online publication date: Dec-2021.
  • (2021) Security policies definition and enforcement utilizing policy control function framework in 5G. Computer Communications 172:C, pp. 226-237. https://doi.org/10.1016/j.comcom.2021.03.024. Online publication date: 15-Apr-2021.
