Open Access
Compression of Virtual-Machine Memory in Dynamic Malware Analysis
Author(s) - James E. Fowler
Publication year - 2017
Publication title - The Journal of Digital Forensics, Security and Law
Language(s) - English
Resource type - Journals
eISSN - 1558-7223
pISSN - 1558-7215
DOI - 10.15394/jdfsl.2017.1437
Subject(s) - executable, malware, computer science, lossless compression, virtual machine, malware analysis, encoding (memory), coding (social sciences), compression (physics), virtual memory, operating system, data compression, artificial intelligence, memory management, semiconductor memory, statistics, materials science, mathematics, composite material
Lossless compression of memory dumps from virtual machines that run malware samples is considered with the goal of significantly reducing archival costs in dynamic-malware-analysis applications. Given that, in such dynamic-analysis scenarios, malware samples are typically run in virtual machines just long enough to activate any self-decryption or other detection-avoidance maneuvers, the virtual-machine memory typically changes little from that of the baseline state, with the difference being attributable in large degree to the loading of additional executables and libraries. Consequently, delta coding is proposed to compress the current virtual-machine memory dump by coding its differences with respect to a predicted memory image formed by loading the same executables and libraries into the baseline memory. Experimental results reveal a significant improvement in compression efficiency as compared to straightforward delta encoding without such predictive executable/library loading.