
Virtual Machines Detection Methods Using IP Timestamps Pattern Characteristic


Affiliations
1 Graduate School of Computer Science, Tokyo University of Technology, 1404-1 Katakuramachi, Hachioji, Tokyo, Japan
 

Virtual machines (VMs) are underlying technologies of IT solutions such as cloud computing. VMs provide ease of use through their on-demand characteristics and provide huge benefits in terms of lowering costs and improving scalability. VMs are also being used as malware detection systems, and with the rapidly expanding usage of mobile devices, besides their use as honeypots, VMs are coming to be used as emulators for detecting malware in apps. This is due to the limited resources, such as processing power, available in mobile devices. Currently, the security of applications for mobile devices is checked by running them in VM environments before they are released to the end user. We argue that such a process may cause or overlook serious security threats to the end user. In particular, if a piece of malware can detect its current running environment, it may change its behavior such that it doesn't perform malicious operations in environments it suspects to be emulators. In this way, when the malware detects that its running environment is on a VM, it may be able to hide from the security system on the VM. This is a potential security hazard for end users, especially users of mobile devices. In this paper, we present a VM detection method that we argue could be used for remotely detecting VM environments. The detection method works by analyzing the pattern of IP timestamps in replies sent from the target environment. The method does not require any software to be installed on the target machine, which further increases its potential harm if it were to be used by malware to detect VM environments. In this paper, we also present a technique to disguise a real PC such that it shows IP timestamp patterns similar to those of a VM. By using this technique, malware may not be able to differentiate between a real machine and a VM, thus providing protection to PC end users.

Keywords

Virtual Machine, Remote Detection, Security, Malware, Mobile Devices, Smartphones.

Authors

M. Noorafiza
Graduate School of Computer Science, Tokyo University of Technology, 1404-1 Katakuramachi, Hachioji, Tokyo, Japan
H. Maeda
Graduate School of Computer Science, Tokyo University of Technology, 1404-1 Katakuramachi, Hachioji, Tokyo, Japan
T. Kinoshita
Graduate School of Computer Science, Tokyo University of Technology, 1404-1 Katakuramachi, Hachioji, Tokyo, Japan
R. Uda
Graduate School of Computer Science, Tokyo University of Technology, 1404-1 Katakuramachi, Hachioji, Tokyo, Japan
