Sequence-Based Analysis of Static Probe Instrumentation Data for a VMM-Based Anomaly Detection System

In this work, we propose a framework for a Virtual Machine Monitor (VMM)-based Anomaly Detection System (ADS). The framework applies a sequence-based Hidden Markov Model (HMM) analysis to static probe instrumentation data collected within the VMM. Long observations are split into multiple short sequences of uniform length. The list of likelihood scores of the sequences in a new observation is compared to a reference list of likelihood scores built from a normal-scenario dataset, and the statistical distance between the two lists is used to predict the anomaly status of the new observation. We evaluated the effectiveness of the approach over multiple statistical distance measures and multiple sequence lengths. We also compared our sequence-based analysis results with frequency-based analysis results obtained with a One-Class Support Vector Machine (OC-SVM). The results show that the HMM sequence-based analysis distinguishes normal datasets from anomalous datasets better than the OC-SVM frequency-based analysis.
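The pipeline the abstract describes, written out as an added example that is not the paper's code: a discrete-emission HMM scores fixed-length windows of probe events with the forward algorithm, the per-window log-likelihoods of a new observation are histogrammed against those of a normal reference observation, and a symmetric Kullback-Leibler divergence between the two histograms decides the anomaly status. Everything concrete here is an assumption: the four-symbol probe alphabet, the hand-picked two-state HMM (the paper learns its model from data), the choice of symmetric KL as the distance, the sampled "normal" traces and the alternating page-fault/block-I/O anomaly, and the threshold rule (a margin times the worst normal-vs-normal distance seen during calibration).

```python
import math
import random
from typing import List, Sequence

# Constructed probe-event alphabet (an assumption, not the paper's encoding):
# every static probe hit inside the VMM is mapped to a small integer symbol.
N_SYMBOLS = 4  # 0 = hypercall, 1 = guest page fault, 2 = vCPU switch, 3 = block I/O

# Constructed 2-state discrete HMM standing in for the model the paper trains on
# normal traces; the parameters are hand-picked, not learned with Baum-Welch.
START = [0.7, 0.3]
TRANS = [[0.9, 0.1],
         [0.2, 0.8]]
EMIT = [[0.50, 0.30, 0.15, 0.05],   # state 0: compute-bound guest
        [0.10, 0.05, 0.25, 0.60]]   # state 1: I/O-bound guest

def log_likelihood(seq: Sequence[int]) -> float:
    """Scaled forward algorithm: log P(seq | HMM) without underflow."""
    n = len(START)
    alpha = [START[s] * EMIT[s][seq[0]] for s in range(n)]
    logp = 0.0
    for t, sym in enumerate(seq):
        if t > 0:
            alpha = [sum(alpha[i] * TRANS[i][s] for i in range(n)) * EMIT[s][sym]
                     for s in range(n)]
        scale = sum(alpha)  # P(seq[t] | seq[:t]); the product of scales is P(seq)
        logp += math.log(scale)
        alpha = [a / scale for a in alpha]
    return logp

def split_windows(obs: Sequence[int], length: int) -> List[Sequence[int]]:
    """Cut a long observation into non-overlapping sequences of one fixed length."""
    return [obs[i:i + length] for i in range(0, len(obs) - length + 1, length)]

def score_windows(obs: Sequence[int], length: int) -> List[float]:
    """The list of likelihood scores for one observation."""
    return [log_likelihood(w) for w in split_windows(obs, length)]

def histogram(scores, lo, hi, n_bins, pseudocount=1.0):
    """Smoothed probability histogram; scores outside [lo, hi] go to the end bins."""
    counts = [pseudocount] * n_bins
    width = max(hi - lo, 1e-12) / n_bins  # guard against a degenerate reference list
    for s in scores:
        idx = int((s - lo) / width)
        counts[min(max(idx, 0), n_bins - 1)] += 1
    total = sum(counts)
    return [c / total for c in counts]

def symmetric_kl(p, q):
    """Symmetrised Kullback-Leibler divergence (one of several usable distances)."""
    return sum(pi * math.log(pi / qi) + qi * math.log(qi / pi) for pi, qi in zip(p, q))

def score_distance(ref_scores, new_scores, n_bins=8):
    """Distance between the reference score list and a new observation's score list.
    Bin edges are fixed from the reference list only."""
    lo, hi = min(ref_scores), max(ref_scores)
    return symmetric_kl(histogram(ref_scores, lo, hi, n_bins),
                        histogram(new_scores, lo, hi, n_bins))

def sample_normal(length: int, rng: random.Random) -> List[int]:
    """Constructed normal trace: sampled from the HMM itself."""
    state = 0 if rng.random() < START[0] else 1
    out = []
    for _ in range(length):
        out.append(rng.choices(range(N_SYMBOLS), weights=EMIT[state])[0])
        state = rng.choices(range(len(START)), weights=TRANS[state])[0]
    return out

def anomalous_trace(length: int) -> List[int]:
    """Constructed anomaly: a page fault followed by block I/O on every probe hit."""
    return [1 if i % 2 == 0 else 3 for i in range(length)]

def run_demo(window_length: int = 20, n_bins: int = 8, margin: float = 3.0) -> dict:
    """Build the reference list from one normal trace, calibrate a threshold on
    further normal traces (assumption: margin x worst normal-vs-normal distance),
    then judge a fresh normal trace and the anomalous one."""
    ref = score_windows(sample_normal(5000, random.Random(1)), window_length)
    calib = [score_distance(ref, score_windows(sample_normal(5000, random.Random(s)),
                                               window_length), n_bins)
             for s in range(10, 18)]
    threshold = margin * max(calib)
    d_normal = score_distance(ref, score_windows(sample_normal(5000, random.Random(99)),
                                                 window_length), n_bins)
    d_anom = score_distance(ref, score_windows(anomalous_trace(5000), window_length), n_bins)
    return {"threshold": threshold, "normal": d_normal, "anomalous": d_anom,
            "normal_flagged": d_normal > threshold, "anomalous_flagged": d_anom > threshold}

if __name__ == "__main__":
    # Mirrors the abstract's evaluation over several sequence lengths.
    for length in (10, 20, 40):
        print(length, run_demo(length))
```

Two design points carry over from the abstract. The histogram bin edges are taken from the reference list alone, so a new observation whose scores fall entirely outside the normal range still lands in the end bins and registers as a large distance rather than an error. And the decision is made on the distribution of window scores, not on any single low-likelihood window, which is what makes a sequence-based analysis different from simply thresholding individual likelihoods: the constructed anomaly above produces identical scores for every window, a spike the reference distribution never shows.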
