Malware detection for container runtime based on virtual machine introspection

• Published in: The Journal of supercomputing Vol. 80; no. 6; pp. 7245 - 7268
• Main Authors: He, Xinfeng, Li, Riyang
• Format: Journal Article
• Language: English
• Published: New York Springer US 01.04.2024; Springer Nature B.V
• Subjects: Artificial neural networks; Compilers; Computer Science; Containers; Cybersecurity; Interpreters; Malware; Processor Architectures; Programming Languages; Run time (computers); Semantics; Virtual environments; Virtual memory systems; Container escape; Container; Malware detection; Convolutional neural network; Virtual machine introspection
• ISSN: 0920-8542; 1573-0484
• DOI: 10.1007/s11227-023-05727-w

The isolation technique of containers introduces uncertain security risks to malware detection in the current container environment. In this paper, we propose a framework called Malware Detection for Container Runtime based on Virtual Machine Introspection (MDCRV) to detect in-container malware. MDCRV can automatically export the memory snapshots by using virtual machine introspection in container-in-virtual-machine architecture and reconstruct container semantics from memory snapshots. Although in-container malware might escape from the isolating measures of the container, our detecting program which benefits from the isolation of the hypervisor still can work well. Additionally, we propose a container process visualization approach to improve the efficiency of analyzing the binary execution information of container runtime. We convert the live processes of in-container malware and benign application to grayscale images and employ the convolutional neural network to extract malware features from the self-constructed dataset. The experimental results show that MDCRV achieves high accuracy while improving security.