Malware analysis system using process-level virtualization

We have developed a malware analysis system based on process-level virtualization. Our BitSaucer system can dynamically generate a number of virtual execution environments as honeypots on one machine. It confines malware by creating a virtual file tree in a virtual execution environment and by redirecting outgoing network communication to another virtual execution environment on the same machine. BitSaucer has minimal resource consumption and runtime overhead. Even when 1000 virtual execution environments were hosted on one machine, the applications running in the environments worked as well as they normally do. We deployed a honeypot on the Internet and collected information related to actual attacks. Experimental results showed that BitSaucer had better performance on the ApacheBench benchmark than a naive honeypot system based on a virtual machine monitor.