"Execution Time Measurement of Virtual Machine Volatile Artifacts Analyzers"
| Title | "Execution Time Measurement of Virtual Machine Volatile Artifacts Analyzers" |
| Publication Type | Conference Paper |
| Year of Publication | 2015 |
| Authors | A. K. M. A., J. C. D. |
| Conference Name | 2015 IEEE 21st International Conference on Parallel and Distributed Systems (ICPADS) |
| Date Published | Dec |
| Publisher | IEEE |
| ISBN Number | 978-0-7695-5785-4 |
| Accession Number | 15720953 |
| Keywords | advanced persistent threat, advanced persistent threats, captured memory dump analysis, digital forensics, execution time measurement, hypervisor, intrusion detection system, invasive software, Kernel, LibVMI open source tool, live virtual machine RAM dump, Malware, memory forensic analysis, memory forensic analysis tool, pubcrawl170101, public domain software, Random access memory, rootkit, semantic gap, Semantics, spyware, storage management, virtual infrastructure privileged access, virtual machine introspection, Virtual machine monitors, virtual machine volatile artifact analyzers, virtual machines, Virtual machining, virtualisation, virtualization environment |
| Abstract | Due to a rapid revaluation in a virtualization environment, Virtual Machines (VMs) are target point for an attacker to gain privileged access of the virtual infrastructure. The Advanced Persistent Threats (APTs) such as malware, rootkit, spyware, etc. are more potent to bypass the existing defense mechanisms designed for VM. To address this issue, Virtual Machine Introspection (VMI) emerged as a promising approach that monitors run state of the VM externally from hypervisor. However, limitation of VMI lies with semantic gap. An open source tool called LibVMI address the semantic gap. Memory Forensic Analysis (MFA) tool such as Volatility can also be used to address the semantic gap. But, it needs to capture a memory dump (RAM) as input. Memory dump acquires time and its analysis time is highly crucial if Intrusion Detection System IDS (IDS) depends on the data supplied by FAM or VMI tool. In this work, live virtual machine RAM dump acquire time of LibVMI is measured. In addition, captured memory dump analysis time consumed by Volatility is measured and compared with other memory analyzer such as Rekall. It is observed through experimental results that, Rekall takes more execution time as compared to Volatility for most of the plugins. Further, Volatility and Rekall are compared with LibVMI. It is noticed that examining the volatile data through LibVMI is faster as it eliminates memory dump acquire time. |
| URL | http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7384310&isnumber=7384203 |
| DOI | 10.1109/ICPADS.2015.47 |
| Citation Key | 7384310 |
- public domain software
- virtualization environment
- virtualisation
- Virtual machining
- virtual machines
- virtual machine volatile artifact analyzers
- Virtual machine monitors
- virtual machine introspection
- virtual infrastructure privileged access
- storage management
- spyware
- Semantics
- semantic gap
- rootkit
- Random access memory
- advanced persistent threat
- pubcrawl170101
- memory forensic analysis tool
- memory forensic analysis
- malware
- live virtual machine RAM dump
- LibVMI open source tool
- Kernel
- invasive software
- intrusion detection system
- hypervisor
- execution time measurement
- Digital Forensics
- captured memory dump analysis
- advanced persistent threats