
System Of Malware Tracking Based On Virtualization Platform

Posted on: 2014-12-31
Degree: Master
Type: Thesis
Country: China
Candidate: X D Wang
GTID: 2268330422963478
Subject: Computer system architecture
Abstract/Summary:
Malicious software (malware) creeps into users' computers, carrying out damaging activity or collecting users' private data, and has caused millions of dollars in damage. Malware is becoming increasingly stealthy and therefore harder to detect. Traditional host-based anti-malware systems run inside the very hosts they protect, which leaves them vulnerable to counter-detection and subversion by the malware itself. Dynamic taint tracking is an effective method for detecting malware, but because it is mainly implemented in QEMU, which has to track every instruction at the system level, it incurs considerable execution overhead and cannot detect malware behaviour on-line.

In this thesis we propose a malware tracking system based on a virtualization platform. The detection system is implemented outside the protected system, and we propose view comparison-based malware detection built on high-level semantic reconstruction: the view of the system reported from inside the guest is compared with a view reconstructed from outside it, so objects that malware hides inside the guest show up as discrepancies. Detecting malware from outside the guest makes up for the deficiencies of traditional anti-malware systems. At the same time, the system designs and implements "on-demand tracking": the guest VM runs mostly in virtualized mode, with very small execution overhead, switches into emulation mode when an instruction accesses tainted data, and switches back into virtualized mode once taint tracking has finished. This avoids tracking most ordinary instructions and reduces the system's performance overhead. Finally, the system protects users' privacy by tracking sensitive information.

Test results show that view comparison-based detection catches most rootkits; that dynamic taint tracking detects stack smashing attacks, heap corruption attacks and format string attacks; and that tainting sensitive information protects users' privacy. Compared to Xen Linux, the Protected VM's average performance overhead is less than 10% and the Transition VM's average performance overhead is less than 15%, which is acceptable. The system spends only a small fraction of its time doing taint tracking, so this overhead has little impact on overall system operation.
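The on-demand tracking mechanism and the taint-based detection of stack smashing described above, as an added worked example (this is not code from the thesis). It models a toy word-addressed guest with 16-word pages and a handful of instructions; the page size, instruction set, memory layout and the rule for switching back to virtualized mode (no register carries taint and the instruction touches no tainted page) are all assumptions made here, since the abstract does not state the real system's switch-back policy. Untrusted input is tainted at the source; the guest runs "natively" (no propagation) until an instruction touches a page holding tainted data, is emulated with full taint propagation while it does, and returns to native execution afterwards. A return through a tainted saved return address is reported as a stack smashing attempt.

```python
"""Demand-emulation taint tracking on a constructed toy machine (added example)."""
from dataclasses import dataclass, field

PAGE = 16          # words per page (assumed toy geometry)
MEM_WORDS = 64     # four pages of guest memory


@dataclass
class Machine:
    mem: list = field(default_factory=lambda: [0] * MEM_WORDS)
    mem_taint: list = field(default_factory=lambda: [False] * MEM_WORDS)
    regs: dict = field(default_factory=dict)
    reg_taint: dict = field(default_factory=dict)
    mode: str = "virt"                       # "virt" = native run, "emul" = taint-tracking emulation
    counts: dict = field(default_factory=lambda: {"virt": 0, "emul": 0, "switches": 0})
    alerts: list = field(default_factory=list)

    def page_tainted(self, addr: int) -> bool:
        base = addr - addr % PAGE
        return any(self.mem_taint[base:base + PAGE])

    def touches_taint(self, ins: tuple) -> bool:
        """Would this instruction touch a page holding tainted data? (the trap that forces emulation)"""
        op = ins[0]
        if op in ("load", "store"):
            addrs = [ins[2]]
        elif op == "copy":
            _, dst, src, n = ins
            addrs = list(range(src, src + n)) + list(range(dst, dst + n))
        elif op == "ret":
            addrs = [ins[1]]
        else:
            addrs = []
        return any(self.page_tainted(a) for a in addrs)

    def step(self, ins: tuple):
        """Execute one instruction; returns a jump target for 'ret', else None."""
        op = ins[0]
        if op == "input":
            # Untrusted data arrives through the hypervisor's I/O path and is tainted at
            # the source; no guest instruction executes, so the mode is not affected.
            _, addr, data = ins
            for i, w in enumerate(data):
                self.mem[addr + i] = w
                self.mem_taint[addr + i] = True
            return None

        # Mode decision (assumed policy): emulate if the instruction touches a tainted page
        # or any register still carries taint; otherwise run natively without propagation.
        want = "emul" if self.touches_taint(ins) or any(self.reg_taint.values()) else "virt"
        if want != self.mode:
            self.counts["switches"] += 1
            self.mode = want
        self.counts[self.mode] += 1
        emul = self.mode == "emul"

        if op == "mov":
            _, r, imm = ins
            self.regs[r], self.reg_taint[r] = imm, False
        elif op == "load":
            _, r, addr = ins
            self.regs[r] = self.mem[addr]
            self.reg_taint[r] = emul and self.mem_taint[addr]
        elif op == "store":
            _, r, addr = ins
            self.mem[addr] = self.regs[r]
            self.mem_taint[addr] = emul and self.reg_taint.get(r, False)
        elif op == "add":
            _, rd, rs = ins
            self.regs[rd] = self.regs.get(rd, 0) + self.regs.get(rs, 0)
            self.reg_taint[rd] = emul and (self.reg_taint.get(rd, False) or self.reg_taint.get(rs, False))
        elif op == "copy":       # unbounded word copy, like strcpy into a fixed-size stack buffer
            _, dst, src, n = ins
            for i in range(n):
                self.mem[dst + i] = self.mem[src + i]
                self.mem_taint[dst + i] = emul and self.mem_taint[src + i]
        elif op == "ret":        # control transfer through a saved return address on the stack
            _, addr = ins
            target = self.mem[addr]
            if emul and self.mem_taint[addr]:
                self.alerts.append(f"stack smashing: tainted return address {target:#x} loaded from word {addr}")
            return target
        return None


# Constructed scenario: page 0 = network buffer, page 1 = stack with a 4-word buffer at
# words 20..23 and the saved return address at word 24, page 2 = ordinary data.
PROGRAM = [
    ("mov", "r0", 0), ("mov", "r1", 1),
    ("add", "r0", "r1"), ("add", "r0", "r1"), ("add", "r0", "r1"),
    ("store", "r0", 40),                               # untainted work runs natively
    ("input", 4, [0x41, 0x41, 0x41, 0x41, 0xBAD]),     # 5 attacker-controlled words arrive
    ("load", "r2", 40),                                # still native: page 2 holds no taint
    ("copy", 20, 4, 5),                                # overflow: 5 words into a 4-word buffer
    ("load", "r3", 40),                                # back to native mode
    ("ret", 24),                                       # returns through the overwritten slot
]


def run(prog: list) -> Machine:
    m = Machine()
    m.mem[24] = 0x400                                  # legitimate saved return address
    for ins in prog:
        if m.step(ins) is not None:
            break
    return m


if __name__ == "__main__":
    m = run(PROGRAM)
    print(m.counts, m.alerts)
```

The instruction counters make the point of demand emulation visible: only the two instructions that touch tainted pages are emulated, everything else runs natively, and the overflow is still caught because taint followed the attacker's words from the network buffer into the saved return address.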
Keywords: Dynamic Taint Tracking, Virtualization, Malware Detection, Demand Emulation