Efficient spear-phishing threat detection using hypervisor monitor
| Field | Value |
|---|---|
| Title | Efficient spear-phishing threat detection using hypervisor monitor |
| Publication Type | Conference Paper |
| Year of Publication | 2015 |
| Authors | Lin, C. H., Tien, C. W., Chen, C. W., Tien, C. W., Pao, H. K. |
| Conference Name | 2015 International Carnahan Conference on Security Technology (ICCST) |
| Publisher | IEEE |
| ISBN Number | 978-1-4799-8691-0 |
| Keywords | antievasion sandbox, CIA, cloud computing, cloud-threat inspection appliance, commercial antivirus software, Computer crime, cyber security, cyber security threats, detection engine, document handling, document prefiltering algorithm, Electronic mail, fake emails, hackers, hardware-assisted virtualization, hardware-assisted virtualization technology, hypervisor kernel, hypervisor monitor, invasive software, malicious activities, malicious attachments, Malware, Monitoring, PDF format structures, Portable document format, pubcrawl170109, Spear-phishing, spear-phishing attack, spear-phishing threat detection, transparent hypervisor monitor, unsolicited e-mail, URL links, user accounts, Virtual machine monitors, virtualisation, virtualization |
| Abstract | In recent years, cyber security threats have become increasingly dangerous. Hackers fabricate fake emails to lure specific users into clicking on malicious attachments or URL links in them. This kind of threat is called a spear-phishing attack. Because spear-phishing attacks use unknown exploits to trigger malicious activities, it is difficult to defend against them effectively. This study therefore focuses on these challenges, and we develop a Cloud-threat Inspection Appliance (CIA) system to defend against spear-phishing threats. Using the advantages of hardware-assisted virtualization technology, the CIA implements a transparent hypervisor monitor that conceals the presence of the detection engine in the hypervisor kernel. In addition, the CIA includes a document pre-filtering algorithm to improve system performance. By inspecting PDF format structures, the proposed CIA was able to filter out 77% of PDF attachments, so that not all of them had to be sent into the hypervisor monitor for deeper analysis. Finally, we tested the CIA in real-world scenarios. The hypervisor monitor was shown to be a better anti-evasion sandbox than commercial ones. During 2014, the CIA inspected 780,000 mails in a company with 200 user accounts and found 65 unknown samples that were not detected by commercial anti-virus software. |
| URL | https://ieeexplore.ieee.org/document/7389700/ |
| DOI | 10.1109/CCST.2015.7389700 |
| Citation Key | lin_efficient_2015 |