Abstract
Containers share the host kernel, so their isolation is weaker than a virtual machine's, and a malware detector that runs in the same environment as the workloads it monitors faces security risks that are hard to bound. In this paper we propose Malware Detection for Container Runtime based on Virtual Machine Introspection (MDCRV), a framework for detecting in-container malware. In a container-in-virtual-machine architecture, MDCRV automatically exports memory snapshots of the guest through virtual machine introspection and reconstructs container semantics (such as which guest processes belong to which container) from those snapshots. Even if in-container malware escapes the container's isolation measures, the detection program still works, because it runs outside the guest under the hypervisor's isolation. We additionally propose a container-process visualization approach that makes analysis of the binary execution state of a running container more efficient: the live processes of in-container malware and of benign applications are converted into grayscale images, and a convolutional neural network trained on a self-constructed dataset extracts malware features from them. Experimental results show that MDCRV achieves high detection accuracy while improving security.
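As an added worked example (not code from the MDCRV paper or its authors), the following Python sketches the two data-preparation steps the abstract names: picking the in-container processes out of the guest's process list, and turning each process's memory bytes into a grayscale image that a CNN can consume. It assumes the VMI stage already yields, for each guest process, its PID, name, cgroup path and raw memory bytes (all constructed inline here); that a container is identified by the 64-hex-digit id Docker places in cgroup paths; and it uses the width-by-size table of Nataraj et al. (2011) as the image-width rule, which the abstract does not state the paper adopts.

```python
"""Select in-container processes from a (constructed) VMI process listing
and turn each one's memory into a grayscale image, one byte per pixel.

Added example, not code from the MDCRV paper. Assumptions: the VMI stage
gives us, per process, PID, name, cgroup path and raw memory (constructed
inline); containers are recognised by a 64-hex-digit id in the cgroup path
(Docker's naming); the width table is the Nataraj et al. (2011) heuristic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Docker names cgroups like /docker/<id> or /system.slice/docker-<id>.scope.
CONTAINER_ID_RE = re.compile(r"([0-9a-f]{64})")

# (size upper bound in bytes, image width in pixels): Nataraj et al. widths.
WIDTH_TABLE = [(10 << 10, 32), (30 << 10, 64), (60 << 10, 128),
               (100 << 10, 256), (200 << 10, 384), (500 << 10, 512),
               (1000 << 10, 768)]
MAX_WIDTH = 1024


@dataclass
class ProcessRecord:
    """What we assume the introspection step yields for one guest process."""
    pid: int
    comm: str
    cgroup: str
    memory: bytes


def container_id(cgroup: str) -> Optional[str]:
    """Container id embedded in a cgroup path, or None for a host process."""
    m = CONTAINER_ID_RE.search(cgroup)
    return m.group(1) if m else None


def group_by_container(procs: List[ProcessRecord]) -> Dict[str, List[ProcessRecord]]:
    """Rebuild 'which process belongs to which container' from the flat
    guest process list; host processes (no container id) are dropped."""
    out: Dict[str, List[ProcessRecord]] = {}
    for p in procs:
        cid = container_id(p.cgroup)
        if cid is not None:
            out.setdefault(cid, []).append(p)
    return out


def choose_width(nbytes: int) -> int:
    for bound, width in WIDTH_TABLE:
        if nbytes < bound:
            return width
    return MAX_WIDTH


def bytes_to_grayscale(data: bytes, width: Optional[int] = None) -> List[List[int]]:
    """Reshape raw bytes into rows of pixel intensities 0..255; the last
    row is zero-padded so the image is rectangular."""
    if not data:
        raise ValueError("empty memory region")
    width = width or choose_width(len(data))
    padded = data + b"\x00" * (-len(data) % width)
    return [list(padded[i:i + width]) for i in range(0, len(padded), width)]


def to_pgm(rows: List[List[int]]) -> bytes:
    """Serialise as binary PGM (P5), readable by any image loader for a CNN."""
    height, width = len(rows), len(rows[0])
    return f"P5\n{width} {height}\n255\n".encode() + b"".join(bytes(r) for r in rows)


def synthetic_memory(seed: int, size: int) -> bytes:
    """Constructed stand-in for a dumped process image: an ELF-like e_ident
    followed by deterministic pseudo-random bytes (LCG), so it runs offline."""
    body = bytearray(b"\x7fELF\x02\x01\x01" + b"\x00" * 9)
    x = seed
    while len(body) < size:
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        body.append((x >> 16) & 0xFF)
    return bytes(body[:size])


def image_containers(procs: List[ProcessRecord]) -> Dict[str, Dict[int, List[List[int]]]]:
    """Pipeline: group by container, then image every in-container process."""
    return {cid: {p.pid: bytes_to_grayscale(p.memory) for p in plist}
            for cid, plist in group_by_container(procs).items()}


# Constructed process table: two containers plus one host process.
CID_A = "a" * 64
CID_B = "b" * 64
SAMPLE_PROCS = [
    ProcessRecord(1, "systemd", "/init.scope", synthetic_memory(1, 4 << 10)),
    ProcessRecord(4242, "xmrig", f"/system.slice/docker-{CID_A}.scope", synthetic_memory(2, 12 << 10)),
    ProcessRecord(4250, "nginx", f"/docker/{CID_B}", synthetic_memory(3, 40 << 10)),
]

if __name__ == "__main__":
    for cid, imgs in image_containers(SAMPLE_PROCS).items():
        for pid, rows in imgs.items():
            print(cid[:12], pid, f"{len(rows[0])}x{len(rows)}")
            with open(f"{cid[:12]}-{pid}.pgm", "wb") as fh:
                fh.write(to_pgm(rows))
```

Running it writes one PGM per in-container process (the host process with no container id is dropped); the 12 KiB process comes out as 64x192 and the 40 KiB one as 128x320, with the final row zero-padded. With numpy or Pillow available, each row list maps directly to a uint8 array for model input.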
Data availability
Not applicable.
Funding
Natural Science Foundation of Hebei Province (F2021201049).
Author information
Contributions
Mr. He and Mr. Li wrote the main manuscript text. Mr. Li did experiments and prepared figures and tables. All authors reviewed the manuscript.
Ethics declarations
Ethical approval
Not applicable.
Conflict of interest
Not applicable.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
He, X., Li, R. Malware detection for container runtime based on virtual machine introspection. J Supercomput 80, 7245–7268 (2024). https://doi.org/10.1007/s11227-023-05727-w
DOI: https://doi.org/10.1007/s11227-023-05727-w