Learning malicious activity using virtual machine introspection

Posted on: 2011-10-09
Degree: M.S
Type: Thesis
University: Northeastern University
Candidate: Hodosh, Joshua
Full Text: PDF
GTID: 2448390002452246
Subject: Computer Science
Abstract/Summary:
Today's malware has grown from simple applications running in the background into complex tools that embed themselves into the operating system for control and stealth. Most malware encountered today incorporates rootkit-like stealth techniques or includes a rootkit to prevent intrusion detection systems from finding it.

Stealth and evasion are focused on evading malware detectors running within the operating system, which depend on the OS for their information. By subverting the low-level APIs that security tools rely on, malware can leverage the trust placed in the OS. To enforce security, we must ensure the integrity of the layer of the system that provides the information, and of all layers below it. Lower layers thus require less total protection. The operating system and BIOS are not the lowest level from which we can extract the information we need. By instrumenting hardware, we can view the raw data and state that the software manipulates and reports. However, this is difficult and invasive, especially for a broad range of data.

In this work, we present an intrusion detection system that operates on the data available through virtual machine introspection. We effectively instrument virtual hardware, allowing all software on the guest to be untrusted without requiring changes to the physical system. We extract features from the virtual machine's memory using known Windows and x86 data structures. The IDS uses machine learning to model normal and malicious activity based on this information. We find that even with rootkit-like security tools included in the model of normal activity, we are able to accurately identify when malware is running on the system, with false positive rates below 2% and false negative rates below 4%. We show that our system is effective when using either a support vector machine or the k-nearest neighbors algorithm.
Keywords/Search Tags:System, Machine, Using, Virtual, Malware, Activity