Title: HEMC: a dynamic behaviour analysis system for malware based on hardware virtualisation

Authors: Zhenquan Ding; Hui Xu; Lei Cui; Haiqiang Fei; Yongji Liu; Zhiyu Hao

Addresses: School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China; Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China ' Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China ' Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China ' School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China; Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China ' School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China; Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China ' Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China

Abstract: Since many malwares disguise themselves by encrypting, obfuscating and recompiling, it is not easy for static analysis methods to recognise new or unknown malwares. This paper proposes a novel dynamic analysis technology based on hardware virtualisation to analyse more malwares with lower computational resources. Firstly, it intercepts the system-call functions to achieve on-demand behaviour analysis by setting special permissions in their physical addresses, which can be dynamically acquired when system-call functions are loaded into memory, as well as only monitoring high-risk functions, which take a small part of the whole functions. Then, this paper utilises copy-on-write technique and incremental image capability to reduce hard drive consumption and hard disk replication time. Finally, this paper proposes a novel approach to capture the return value of system-call functions to deeply analyse the poisoned results of malware samples. Meanwhile, a prototype system, called HEMC, is implemented based on QEMU/KVM . The experiments demonstrate that proposed methods outperform existing methods in efficiency and performance on malware dynamic analysis.

Keywords: malware; dynamic analysis; hardware virtualisation; high-risk functions.

DOI: 10.1504/IJICS.2023.135899

International Journal of Information and Computer Security, 2023 Vol.22 No.3/4, pp.390 - 410

Received: 08 Feb 2022
Accepted: 15 Aug 2022

Published online: 09 Jan 2024 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article