A Layered Malware Detection Model Using VMM
Main authors: | , , , |
---|---|
Format: | Conference proceedings |
Language: | eng |
Summary: | Virtual machine monitor (VMM)-based anti-malware systems have recently become a popular research topic in finding ways of overcoming the fundamental limitations of traditional host-based anti-malware systems, which are likely to be deceived and attacked by malicious code. This paper analyzes existing VMM-based models of malware detection. "Out-of-the-box" detection, active defense model, or In-VM models have the same defects: (1) on top of the VMM, two virtual machines are used, one by the user (Guest OS) and the other as monitor (Host OS), and (2) users can neither directly view the detection results nor configure the detection system in the Guest OS. A layered detection model is proposed to overcome these issues; the bottom layer is responsible for security for the layers above it. Detection results can be directly displayed in the Guest OS, and users can view and configure the detection system. Furthermore, the detection model can isolate malware attacks to the detection system in the Guest OS. Experimental results show the validity of the proposed detection model. |
---|---|
ISSN: | 2324-898X 2324-9013 |
DOI: | 10.1109/TrustCom.2012.35 |