Container-based sandboxes for malware analysis: A compromise worth considering

Ayrat Khalimov, Sofiane Benahmed, Rasheed Hussain, S. M. Ahsan Kazmi, Alma Oracevic, Fatima Hussain, Farhan Ahmad, Chaker Abdelaziz Kerrache

Research output: Chapter in Book/Report/Conference proceeding › Conference Contribution (Conference Proceeding)

11 Citations (Scopus)

Abstract

Malware analysis relies on monitoring the behavior of a suspected application within a confined, controlled and secure environment. These environments are commonly referred to as "sandboxes" and are often virtualized replicas of a regular system. Hypervisor-based sandboxes were among the most commonly used techniques for malware analysis during the last decade; however, these sandboxes often do not provide the stealth and transparency required to deceive the malware into believing that it is running on a target machine. This is due to the differences between virtualized systems and bare-metal ones, differences which the malware exploits as detection artifacts. In this paper, we address the aforementioned problem by exploring the use of container-based environments as an alternative to hypervisor-based sandboxes for malware analysis. More precisely, we explore different ways to monitor containerized applications and to make these containers act and look as close to real systems as possible. Our experimental results revealed that Docker containers are a promising option for a sandbox. However, this option comes at the cost of new detection artifacts which make containers subject to fingerprinting through different sources that malware can easily find. We explore these sources and try to address them by various means, including system-call introspection. Finally, based on our discoveries, we introduce a container detection tool that will give the research community an opportunity to investigate malware analysis through containers in more detail.

Original language: English
Title of host publication: UCC 2019 - Proceedings of the 12th IEEE/ACM International Conference on Utility and Cloud Computing
Publisher: Association for Computing Machinery (ACM)
Pages: 219-227
Number of pages: 9
ISBN (Electronic): 9781450368940
DOIs
Publication status: Published - 2 Dec 2019
Event: 12th IEEE/ACM International Conference on Utility and Cloud Computing, UCC 2019 - Auckland, New Zealand
Duration: 2 Dec 2019 to 5 Dec 2019

Publication series

Name: UCC 2019 - Proceedings of the 12th IEEE/ACM International Conference on Utility and Cloud Computing

Conference

Conference: 12th IEEE/ACM International Conference on Utility and Cloud Computing, UCC 2019
Country/Territory: New Zealand
City: Auckland
Period: 2/12/19 to 5/12/19

Bibliographical note

Publisher Copyright:
© 2019 Association for Computing Machinery.

Keywords

  • Application security
  • Containerized application
  • Docker
  • Malware analysis
  • Sandboxes
  • Software security
