Proceedings of the 52nd ACM Technical Symposium on Computer Science Education | 2021

Dynamic Malware Analysis: Contrast between Physical and Virtual Environment

Abstract


Dynamic malware analysis is essential for developing optimal intrusion detection systems. Performing this analysis in a virtual environment has the advantage of containing the damage caused by the malware, so the real machine is not affected. However, it is suspected that malware may behave differently when executed in a virtual environment, which would invalidate the results obtained from analyzing malware in such environments. In this work, we dynamically analyze the behavior of nine different malware samples based on the network traffic generated by each of them. This behavior is then compared with the behavior previously recorded in a physical environment. The results show that malware behavior differs significantly between the two environments.

DOI 10.1145/3408877.3439699
Language English
Journal Proceedings of the 52nd ACM Technical Symposium on Computer Science Education
