TY - GEN
T1 - CLOUDOSCOPE
T2 - 2023 European Interdisciplinary Cybersecurity Conference, EICC 2023
AU - Guri, Mordechai
N1 - Publisher Copyright:
© 2023 Owner/Author.
PY - 2023/6/14
Y1 - 2023/6/14
N2 - Much modern malware employs runtime anti-forensic techniques in order to evade detection. Anti-forensic tactics can be categorized as anti-virtualization (anti-VM), anti-debugging, anti-sandbox, and anti-forensic-tools. Detecting such malware is challenging because it does not reveal its malicious behavior while under analysis and is therefore classified as benign. We present CLOUDOSCOPE, a novel architecture for detecting anti-forensic malware using the power of public cloud environments. Our method runs each sample on a bare-metal machine and then runs and monitors it in multiple forensic environments deployed in the cloud: virtual machines, debuggers, sandboxes, and forensic-tool environments. We identify anti-forensic behavior by comparing the results obtained in forensic and non-forensic environments: anti-forensic malware exposes itself through the difference between its bare-metal, non-forensic execution and its virtualized, forensic executions. Furthermore, our method enables the identification of the specific anti-forensic technique(s) used by the malware. We provide background on anti-forensic malware, present the architecture, design and implementation of CLOUDOSCOPE, and evaluate our system. As our evaluation shows, public cloud environments can be used to identify and detect stealthy, anti-forensic malware.
KW - APT
KW - Anti-forensic
KW - anti-VM
KW - anti-debug
KW - anti-sandbox
KW - detection
KW - evasion
KW - malware
KW - public cloud
UR - http://www.scopus.com/inward/record.url?scp=85161371725&partnerID=8YFLogxK
U2 - 10.1145/3590777.3590793
DO - 10.1145/3590777.3590793
M3 - Conference contribution
AN - SCOPUS:85161371725
T3 - ACM International Conference Proceeding Series
SP - 100
EP - 107
BT - Proceedings of the 2023 European Interdisciplinary Cybersecurity Conference, EICC 2023
PB - Association for Computing Machinery
Y2 - 14 June 2023 through 15 June 2023
ER -
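The abstract's core idea, comparing a sample's behavior on bare metal with its behavior in several cloud-hosted forensic environments and attributing any divergence to the environment that triggered it, is illustrated below in Python. This is an added example, not code from the CLOUDOSCOPE paper or its authors. The environment names, the environment-to-technique mapping, the trace format and the sample traces are all constructed for the illustration.

```python
"""Differential detection of anti-forensic malware across execution environments.

Added illustration of the CLOUDOSCOPE idea (run a sample on bare metal, run it
again in several forensic environments, compare); not the paper's code.
Environment names, the mapping below and all traces are constructed.
"""
from collections import Counter

# Assumed mapping: the forensic environment in which a sample goes quiet tells
# us which anti-forensic technique it is most likely using.
ENV_TO_TECHNIQUE = {
    "vm": "anti-VM",
    "debugger": "anti-debug",
    "sandbox": "anti-sandbox",
    "forensic-tools": "anti-forensic-tools",
}
BASELINE = "bare-metal"  # the non-forensic reference execution


def behavior_profile(events):
    """Reduce a trace of (category, detail) events to a multiset of categories.

    Counting categories rather than exact arguments tolerates run-to-run noise
    (temp file names, PIDs, ports) while still exposing a sample that skips its
    payload entirely once it notices a monitored environment.
    """
    return Counter(category for category, _ in events)


def divergence(baseline, other):
    """Event categories seen on bare metal that are missing or rarer elsewhere."""
    return {c for c, n in baseline.items() if other.get(c, 0) < n}


def analyze(sample_traces):
    """Compare one sample's traces, keyed by environment name.

    Returns (is_anti_forensic, sorted technique names, {env: missing categories}).
    Only behavior present on bare metal but absent in a forensic environment
    counts; extra events in a forensic environment (e.g. a CPUID probe) are the
    evasion check itself and are reported via the technique attribution.
    """
    base = behavior_profile(sample_traces[BASELINE])
    missing = {}
    techniques = set()
    for env, events in sample_traces.items():
        if env == BASELINE:
            continue
        diff = divergence(base, behavior_profile(events))
        if diff:
            missing[env] = sorted(diff)
            techniques.add(ENV_TO_TECHNIQUE.get(env, f"unknown ({env})"))
    return bool(techniques), sorted(techniques), missing


# Constructed traces. Each event is (category, detail); 203.0.113.10 is a
# documentation-range address, not a real C2.
PAYLOAD = [
    ("file_write", r"C:\Users\Public\svc.exe"),
    ("registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    ("network_connect", "203.0.113.10:443"),
]
EVASIVE_SAMPLE = {
    "bare-metal": [("process_start", "sample.exe")] + PAYLOAD,
    # In the VM the sample probes the hypervisor bit and exits without acting.
    "vm": [("process_start", "sample.exe"), ("cpuid", "hypervisor bit set"), ("process_exit", "0")],
    # Under a debugger it checks IsDebuggerPresent and exits.
    "debugger": [("process_start", "sample.exe"), ("api_call", "IsDebuggerPresent"), ("process_exit", "0")],
    # It does not detect the sandbox or the forensic tooling, so it runs fully.
    "sandbox": [("process_start", "sample.exe")] + PAYLOAD,
    "forensic-tools": [("process_start", "sample.exe")] + PAYLOAD,
}
BENIGN_SAMPLE = {
    env: [("process_start", "hello.exe"), ("file_write", "log.txt")]
    for env in ("bare-metal", "vm", "debugger", "sandbox", "forensic-tools")
}

if __name__ == "__main__":
    print(analyze(EVASIVE_SAMPLE))
    print(analyze(BENIGN_SAMPLE))
```

The bare-metal run is the ground truth: a sample that behaves identically everywhere is not evasive, while one whose payload events disappear only in the VM and debugger runs is attributed to anti-VM and anti-debug checks, with the other forensic environments cleared. In practice the comparison needs a tolerance for non-deterministic behavior (time-based triggers, randomized file names) and several baseline runs, otherwise ordinary jitter is misreported as evasion.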