CLOUDOSCOPE: Detecting Anti-Forensic Malware using Public Cloud Environments

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Much modern malware employs runtime anti-forensic techniques in order to evade detection. Anti-forensic tactics can be categorized as anti-virtualization (anti-VM), anti-debugging, anti-sandbox, and anti-forensic-tools. Detecting such malware is challenging because it does not reveal its malicious behavior in an analysis environment and is therefore classified as benign. We present CLOUDOSCOPE, a novel architecture for detecting anti-forensic malware using the power of public cloud environments. Our method runs samples on bare-metal machines and then runs and monitors them in multiple forensic environments deployed in the cloud, including virtual machines, debuggers, sandboxes, and forensic-tool environments. We identify anti-forensic behavior by comparing the results of forensic and non-forensic executions: anti-forensic malware exposes a difference between the bare-metal, non-forensic execution and the virtualized forensic executions. Furthermore, our method enables the identification of the specific anti-forensic technique(s) used by the malware. We provide background on anti-forensic malware, present the architecture, design, and implementation of CLOUDOSCOPE, and evaluate our system. As our evaluation shows, public cloud environments can be used to identify and detect stealthy, anti-forensic malware.
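The differential comparison the abstract describes, as an added illustration rather than the paper's own code: it assumes each environment's run is reduced to a set of observed behaviour events (constructed below), that the bare-metal run is the non-forensic baseline, and that a forensic environment in which behaviour diverges from that baseline points to the corresponding anti-forensic category.

```python
from typing import Dict, List, Set

# Each forensic environment maps to the anti-forensic category that would
# explain a divergence in it (the four categories named in the abstract).
ENV_CATEGORY = {
    "vm": "anti-VM",
    "debugger": "anti-debugging",
    "sandbox": "anti-sandbox",
    "forensic_tools": "anti-forensic-tools",
}


def divergence(baseline: Set[str], observed: Set[str]) -> float:
    """Jaccard distance between the baseline and an observed behaviour set."""
    union = baseline | observed
    if not union:  # two empty traces are identical, not divergent
        return 0.0
    return 1.0 - len(baseline & observed) / len(union)


def analyse(runs: Dict[str, Set[str]], threshold: float = 0.5) -> dict:
    """Compare every forensic run against the bare-metal baseline.

    Reports whether the sample looks anti-forensic and which categories are
    implicated: one per forensic environment whose behaviour diverged from
    the bare-metal run by more than `threshold`.
    """
    baseline = runs["bare_metal"]
    techniques: List[str] = []
    scores: Dict[str, float] = {}
    for env, events in runs.items():
        if env == "bare_metal":
            continue
        score = divergence(baseline, events)
        scores[env] = round(score, 3)
        if score > threshold:
            techniques.append(ENV_CATEGORY.get(env, env))
    return {"anti_forensic": bool(techniques), "techniques": techniques, "scores": scores}


# Constructed traces: the sample only drops its component and beacons when it
# finds neither a hypervisor nor an attached debugger; sandbox and tooling
# checks are absent, so those runs match the bare-metal baseline.
SAMPLE_RUNS = {
    "bare_metal": {"create_process", "write_file", "dns_query", "http_post"},
    "vm": {"create_process", "exit"},
    "debugger": {"create_process", "exit"},
    "sandbox": {"create_process", "write_file", "dns_query", "http_post"},
    "forensic_tools": {"create_process", "write_file", "dns_query", "http_post"},
}

if __name__ == "__main__":
    print(analyse(SAMPLE_RUNS))
```

With the constructed traces the sample is flagged as anti-forensic with the anti-VM and anti-debugging categories, while the sandbox and forensic-tools runs score zero divergence.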

Original language: English
Title of host publication: Proceedings of the 2023 European Interdisciplinary Cybersecurity Conference, EICC 2023
Publisher: Association for Computing Machinery
Pages: 100-107
Number of pages: 8
ISBN (Electronic): 9781450398299
DOIs
State: Published - 14 Jun 2023
Event: 2023 European Interdisciplinary Cybersecurity Conference, EICC 2023 - Stavanger, Norway
Duration: 14 Jun 2023 to 15 Jun 2023

Publication series

Name: ACM International Conference Proceeding Series

Conference

Conference: 2023 European Interdisciplinary Cybersecurity Conference, EICC 2023
Country/Territory: Norway
City: Stavanger
Period: 14/06/23 to 15/06/23

Keywords

  • APT
  • Anti-forensic
  • anti-VM
  • anti-debug
  • anti-sandbox
  • detection
  • evasion
  • malware
  • public cloud

ASJC Scopus subject areas

  • Human-Computer Interaction
  • Computer Networks and Communications
  • Computer Vision and Pattern Recognition
  • Software
