• DocumentCode
    3269896
  • Title
    Dynamic malware detection and recording using virtual machine introspection
  • Author
    More, Ankit ; Tapaswi, S.

  • Author_Institution
    ABV - Indian Inst. of Inf. Technol. & Manage., Gwalior, India
  • fYear
    2013
  • fDate
    12-12 July 2013
  • Firstpage
    1
  • Lastpage
    6
  • Abstract
    Detecting and collecting malware samples is considered a milestone in computer security. Recording the entire activity of a Virtual Machine (VM) requires considerable resources and is not the wiser choice either. Our approach is a combination of Virtual Machine Introspection (VMI), file system clustering, and malware activity recording. The proposed framework consists of four steps. In the initial step, possible executable code is detected using a clustering algorithm. The next step monitors process and information flow for these executables using VMI, and a data and information flow graph is generated for such processes. Malicious graphs among all of them are detected in the next step. The final step comprises recording the malicious graphs and committing the VM. We have implemented a prototype of this framework on a leading hypervisor for Windows OS. Experimental results show that it is a better way to detect and store malicious processes than storing the entire VM. We believe it to be a cost-effective, intelligent solution for malware recording.
  • Keywords
    invasive software; virtual machines; VMI; Windows OS; clustering algorithm; computer security; dynamic malware detection; file system clustering; hypervisor; information flow graph; malicious graphs; malicious processes; malware activity recording; malware recording; malware samples; virtual machine activities; virtual machine introspection; Algorithm design and analysis; Clustering algorithms; Malware; Monitoring; Software; Virtual machine monitors; Virtual machining; Malware recording; Virtual Machine Introspection;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Best Practices Meet (BPM), 2013 DSCI
  • Conference_Location
    Chennai
  • Print_ISBN
    978-1-4799-0637-6
  • Type
    conf

  • DOI
    10.1109/BPM.2013.6615011
  • Filename
    6615011