Malware detection for container runtime based on virtual machine introspection

The Journal of Supercomputing

Abstract

Container isolation introduces uncertain security risks for malware detection in current container environments. In this paper, we propose a framework called Malware Detection for Container Runtime based on Virtual Machine Introspection (MDCRV) to detect in-container malware. In a container-in-virtual-machine architecture, MDCRV automatically exports memory snapshots through virtual machine introspection and reconstructs container semantics from those snapshots. Even if in-container malware escapes the container's isolation measures, our detection program, which benefits from the isolation of the hypervisor, can still work well. Additionally, we propose a container process visualization approach to make analysis of the binary execution information of the container runtime more efficient. We convert the live processes of in-container malware and benign applications into grayscale images and employ a convolutional neural network to extract malware features from a self-constructed dataset. The experimental results show that MDCRV achieves high accuracy while improving security.
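The process visualization step described above, as an added illustration that is not the paper's own code: a captured process-memory region is turned into a rectangular grayscale matrix (one byte per pixel) and reduced to a fixed size for a CNN. The width-by-size table follows Nataraj et al. (2011) and the nearest-neighbour downsampling is an assumption, since the abstract does not state MDCRV's own layout or input size.

```python
from typing import List

# Assumed Nataraj-style width table: (max region size in bytes, image width).
WIDTH_TABLE = [
    (10 * 1024, 32),
    (30 * 1024, 64),
    (60 * 1024, 128),
    (100 * 1024, 256),
    (200 * 1024, 384),
    (500 * 1024, 512),
    (1000 * 1024, 768),
]


def choose_width(n_bytes: int) -> int:
    """Pick the image width for a memory region of n_bytes (assumed table)."""
    for limit, width in WIDTH_TABLE:
        if n_bytes <= limit:
            return width
    return 1024


def bytes_to_gray(data: bytes, width: int = 0) -> List[List[int]]:
    """Map each byte to one pixel value (0-255) and lay the bytes out row by
    row; the last row is zero-padded so the image is rectangular."""
    if width <= 0:
        width = choose_width(len(data))
    rows = -(-len(data) // width)  # ceiling division
    padded = data + b"\x00" * (rows * width - len(data))
    return [list(padded[r * width:(r + 1) * width]) for r in range(rows)]


def downsample(img: List[List[int]], size: int) -> List[List[int]]:
    """Nearest-neighbour resize to a size x size matrix (assumed CNN input)."""
    if not img or not img[0]:
        raise ValueError("empty image")
    h, w = len(img), len(img[0])
    return [[img[y * h // size][x * w // size] for x in range(size)]
            for y in range(size)]


# Constructed sample standing in for an exported 5 KiB process region.
SAMPLE_REGION = bytes(range(256)) * 20

if __name__ == "__main__":
    image = bytes_to_gray(SAMPLE_REGION)
    print(len(image), "rows x", len(image[0]), "cols")
    print(downsample(image, 8)[1][:4])
```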



Data availability

Not applicable.


Funding

Natural Science Foundation of Hebei Province (F2021201049).

Author information

Contributions

Mr. He and Mr. Li wrote the main manuscript text. Mr. Li did experiments and prepared figures and tables. All authors reviewed the manuscript.

Corresponding author

Correspondence to Riyang Li.

Ethics declarations

Ethical approval

Not applicable.

Conflict of interest

Not applicable.

Cite this article

He, X., Li, R. Malware detection for container runtime based on virtual machine introspection. J Supercomput 80, 7245–7268 (2024). https://doi.org/10.1007/s11227-023-05727-w
