Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
In this paper we present DRAKVUF, a novel dynamic malware analysis system designed to address these challenges by building on the latest hardware virtualization extensions and the Xen hypervisor. We present a technique for improving stealth by initiating the execution of malware samples without leaving any trace in the analysis machine. We also present novel techniques to eliminate blind spots created by kernel-mode rootkits by extending the scope of monitoring to include kernel internal functions, and to monitor file-system accesses through the kernel's heap allocations. With extensive tests performed on recent malware samples, we show that DRAKVUF achieves significant improvements in conserving hardware resources while providing a stealthy, in-depth view into the behavior of modern malware.
Author(s):
Tamas Lengyel
University of Connecticut
United States
Steve Maresca
Zentific, LLC
United States
Bryan Payne
Nebula, Inc.
United States
George Webster
TUM
Germany
Sebastian Vogl
TUM
Germany
Aggelos Kiayias
University of Athens
Greece