Graduate School and Research Center in Digital Sciences

Hypervisor-based malware protection with AccessMiner

Fattoria, Aristide; Lanzia, Andrea; Balzarotti, Davide; Kirda, Engin

Computers & Security, 9 April 2015

In this paper we discuss the design and implementation of AccessMiner, a system-centric behavioral malware detector. Our system is designed to model the general interactions between benign programs and the underlying operating system (OS). In this way, AccessMiner is able to capture which, and how, OS resources are used by normal applications and detect anomalous behavior in real-time. The advantage of our approach is that it does not require to be trained on malicious samples, and therefore it is able to provide a general detection solution that can be used to protect against both known and unknown malware. To make the system more resilient against tampering from sophisticated attackers, AccessMiner is implemented as a custom hypervisor that sits below the operating system. In this paper we discuss the implementation details and the technical solutions we adopted to optimize the performances and reduce the impact of the system. Our experiments show that in a stable environment AccessMiner can provide a high level of protection (around 90% detection rate with zero false positives) with an acceptable overhead - similar to the one that can be experienced in a state of the art virtual machine environment.

Document Doi Bibtex

Title:Hypervisor-based malware protection with AccessMiner
Keywords:Malware detection; OS protection; Behavioral-based detection; Hypervisor
Department:Digital Security
Eurecom ref:4547
Copyright: © Elsevier. Personal use of this material is permitted. The definitive version of this paper was published in Computers & Security, 9 April 2015 and is available at :
Bibtex: @article{EURECOM+4547, doi = {}, year = {2015}, month = {04}, title = {{H}ypervisor-based malware protection with {A}ccess{M}iner}, author = {{F}attoria, {A}ristide and {L}anzia, {A}ndrea and {B}alzarotti, {D}avide and {K}irda, {E}ngin}, journal = {{C}omputers \& {S}ecurity, 9 {A}pril 2015}, url = {} }
See also: