A Framework for Detecting Malware in Cloud by Identifying Symptoms

Security is seen as one of the major challenges of Cloud computing. Recent malware is not only becoming more sophisticated, but is increasingly built from components that can easily be distributed through the Internet and reused to develop newer and better malware. As a result, a key problem facing Cloud security is identifying a diverse and constantly changing set of malware. This paper presents a method of detecting malware by identifying the symptoms of malicious behaviour, as opposed to looking for the malware itself. This can be compared to the use of symptoms in human pathology, where the study of symptoms guides physicians to a diagnosis of a disease or to its possible causes. The main advantage of shifting attention to the symptoms is that a wide range of malicious behaviour results in the same small set of symptoms. We propose the creation of Forensic Virtual Machines (FVMs), which are mini Virtual Machines (VMs) that monitor other VMs to discover these symptoms. In this paper, we present a framework to support the FVMs so that they collaborate with each other in identifying symptoms by exchanging messages via secure channels. The FVMs report to a Command & Control module that collects and correlates the information so that suitable remedial actions can take place in real time. The Command & Control module can be compared to the physician who infers the possibility of an illness from the observed symptoms. In addition, since FVMs consume the computational resources of the system, we present an algorithm for sharing the FVMs so that they can be directed to search for symptoms in the VMs with higher priority first.
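The following is an added illustration of the Command & Control role described above, not code from the paper: FVMs submit symptom reports, the module correlates them per VM, and a limited pool of FVMs is then assigned to the highest-priority VMs. The symptom names, their weights, and the additive priority rule are constructed assumptions; the paper does not define them on this page.

```python
"""Toy model of the abstract's Command & Control (C&C) module.

Assumptions (not from the paper): symptoms carry fixed weights, a VM's
priority is the sum of the distinct symptom weights reported for it, and
a fixed pool of FVMs is re-assigned to the highest-priority VMs each round.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed symptom weights; the paper does not define these values.
SYMPTOM_WEIGHTS = {
    "hidden_process": 3,       # process absent from the guest's own task list
    "unexpected_listener": 2,  # new listening socket on a non-service port
    "high_cpu_idle": 1,        # sustained CPU use while the VM is nominally idle
}


@dataclass
class CommandControl:
    """Collects symptom reports from FVMs and correlates them per VM."""
    reports: dict = field(default_factory=lambda: defaultdict(set))

    def report(self, fvm_id: str, vm_id: str, symptom: str) -> None:
        if symptom not in SYMPTOM_WEIGHTS:
            raise ValueError(f"unknown symptom {symptom!r} from {fvm_id}")
        # A set means the same symptom seen by two FVMs is not double-counted.
        self.reports[vm_id].add(symptom)

    def priority(self, vm_id: str) -> int:
        return sum(SYMPTOM_WEIGHTS[s] for s in self.reports.get(vm_id, ()))

    def assign_fvms(self, vm_ids: list, fvm_count: int) -> list:
        """Return the VMs the available FVMs should monitor next, highest
        priority first; ties are broken by vm_id so the result is deterministic."""
        ranked = sorted(vm_ids, key=lambda v: (-self.priority(v), v))
        return ranked[:fvm_count]


def demo() -> list:
    cc = CommandControl()
    # Constructed reports from three FVMs about four monitored VMs.
    cc.report("fvm-1", "vm-a", "hidden_process")
    cc.report("fvm-2", "vm-a", "hidden_process")  # same symptom, second witness
    cc.report("fvm-2", "vm-b", "unexpected_listener")
    cc.report("fvm-3", "vm-b", "high_cpu_idle")
    cc.report("fvm-3", "vm-c", "high_cpu_idle")
    return cc.assign_fvms(["vm-a", "vm-b", "vm-c", "vm-d"], fvm_count=2)


if __name__ == "__main__":
    print(demo())  # ['vm-a', 'vm-b']
```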
