Container-based Sandboxes for Malware Analysis: A Compromise Worth Considering

Ayrat Khalimov, Sofiane Benahmed, Rasheed Hussain, S.M.A. Kazmi, Alma Oracevic, Fatima Hussain, Farhan Ahmad, Chaker Abdelaziz Kerrache

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding

Abstract

Malware analysis relies on monitoring the behavior of a suspected application within a confined, controlled and secure environment. These environments are commonly referred to as "sandboxes" and are often virtualized replicas of a regular system. Hypervisor-based sandboxes were among the most commonly used techniques for malware analysis during the last decade; however, these sandboxes often do not provide the stealth and transparency required to deceive the malware into believing that it is running on a target machine. This is due to the differences between virtualized systems and bare-metal ones, differences which the malware exploits as detection artifacts. In this paper, we address the aforementioned problem by exploring the use of container-based environments as an alternative to hypervisor-based sandboxes for malware analysis. More precisely, we explore different ways to monitor containerized applications and to make these containers act and look as close to real systems as possible. Our experimental results revealed that Docker containers are a promising option for a sandbox. However, this option comes at the cost of new detection artifacts which make containers subject to fingerprinting through different sources that malware can easily find. We explore these sources and try to address them by various means, including system-call introspection. Finally, based on our discoveries, we introduce a container detection tool that will give the research community an opportunity to investigate malware analysis through containers in more detail.
Original language: English
Title of host publication: UCC'19
Subtitle of host publication: Proceedings of the 12th IEEE/ACM International Conference on Utility and Cloud Computing
Place of Publication: New York
Publisher: Association for Computing Machinery (ACM)
Pages: 219-227
Number of pages: 9
ISBN (Electronic): 978-1-4503-6894-0
DOIs
Publication status: Published - Dec 2019
Externally published: Yes
Event: 12th IEEE/ACM International Conference on Utility and Cloud Computing - Auckland, New Zealand
Duration: 2 Dec 2019 to 5 Dec 2019
https://dl.acm.org/doi/proceedings/10.1145/3344341

Conference

Conference: 12th IEEE/ACM International Conference on Utility and Cloud Computing
Abbreviated title: UCC'19
Country: New Zealand
City: Auckland
Period: 2/12/19 to 5/12/19
Internet address
