Article code: 454428
Journal code: 695189
Publication year: 2015
English article: 18 pages, PDF, free download
English title of the ISI article
Hypervisor-based malware protection with AccessMiner
Related topics
Engineering and Basic Sciences; Computer Engineering; Computer Networks and Communications
English abstract

In this paper we discuss the design and implementation of AccessMiner, a system-centric behavioral malware detector. Our system is designed to model the general interactions between benign programs and the underlying operating system (OS). In this way, AccessMiner is able to capture which, and how, OS resources are used by normal applications and detect anomalous behavior in real time. The advantage of our approach is that it does not need to be trained on malicious samples, and therefore it is able to provide a general detection solution that can be used to protect against both known and unknown malware. To make the system more resilient against tampering from sophisticated attackers, AccessMiner is implemented as a custom hypervisor that sits below the operating system. In this paper we discuss the implementation details and the technical solutions we adopted to optimize performance and reduce the impact of the system. Our experiments show that in a stable environment AccessMiner can provide a high level of protection (around 90% detection rate with zero false positives) with an acceptable overhead, similar to the one that can be experienced in a state-of-the-art virtual machine environment.

Publisher
Database: Elsevier - ScienceDirect
Journal: Computers & Security - Volume 52, July 2015, Pages 33–50