Malware Detection in Cloud Computing Infrastructures

Cloud services are prominent within the private, public and commercial domains. Many of these services are expected to be always on and are critical in nature; therefore, security and resilience are increasingly important aspects. In order to remain resilient, a cloud needs the ability to react not only to known threats, but also to new challenges that target cloud infrastructures. In this paper we introduce and discuss an online cloud anomaly detection approach, comprising the dedicated detection components of our cloud resilience architecture. More specifically, we show the applicability of novelty detection under the one-class Support Vector Machine (SVM) formulation at the hypervisor level, using features gathered at the system and network levels of a cloud node. We demonstrate that our scheme can reach a high detection accuracy of over 90 percent whilst detecting various types of malware and DoS attacks. Furthermore, we evaluate the merits of considering not only system-level data but also network-level data, depending on the attack type. Finally, the paper shows that our approach to detection using dedicated monitoring components per VM is particularly applicable to cloud scenarios and leads to a flexible detection system capable of detecting new malware strains with no prior knowledge of their functionality or their underlying instructions.
