KVMInspector: KVM Based introspection approach to detect malware in cloud environment

Abstract: Cloud security is of paramount importance in this new era of computing. There are various security challenges on which researchers are still working, and malware detection is one such domain. However, most existing work focuses mainly on in-VM security techniques, which can be evaded easily by malicious users. In this paper, we propose a dynamic-analysis-based introspection approach, called KVMInspector, to detect malware in a KVM-based cloud environment. KVMInspector is deployed both inside and outside the VM, at the KVM layer, and is hence more robust to attacks. The LibVMI and Nitro libraries are used to extract the low-level details of a running virtual machine by viewing its memory, trapping hardware events, and accessing the vCPU registers from KVM. KVMInspector first performs process verification at the KVM layer as a basic security check. After that, a detailed behaviour analysis is carried out to learn the dynamic (run-time) behaviour of the monitored programs using machine learning techniques as an advanced security check. A preliminary analysis has been performed using the University of New Mexico (UNM) and University of California datasets, and the results seem promising.
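The abstract does not specify the features or model used in the behaviour-analysis step. As an added illustration (not KVMInspector's own code), the following builds n-gram frequency profiles from system-call traces of the kind found in the UNM dataset and scores an unseen trace by its nearest-neighbour cosine distance to known-benign profiles; the traces and the threshold are constructed for the example.

```python
# Added example, not code from the paper: n-gram profiling of syscall traces
# with a 1-nearest-neighbour anomaly score. Traces below are constructed.
from collections import Counter
import math


def ngrams(trace, n=3):
    """Sliding n-grams over a syscall sequence (immediate-sequence features)."""
    return Counter(tuple(trace[i:i + n]) for i in range(len(trace) - n + 1))


def profile(trace, n=3):
    """Normalised n-gram frequency vector for one trace."""
    counts = ngrams(trace, n)
    total = sum(counts.values()) or 1
    return {g: c / total for g, c in counts.items()}


def cosine(a, b):
    """Cosine similarity between two sparse frequency vectors."""
    dot = sum(v * b.get(k, 0.0) for k, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def anomaly_score(trace, normal_profiles, n=3):
    """1 minus the best cosine match against any known-benign profile (k=1)."""
    p = profile(trace, n)
    return 1.0 - max(cosine(p, q) for q in normal_profiles)


def classify(trace, normal_profiles, threshold=0.5, n=3):
    """Flag a trace whose behaviour is far from every benign profile."""
    return "malicious" if anomaly_score(trace, normal_profiles, n) > threshold else "benign"


# Constructed benign traces: simple file-handling loops (assumed training data)
BENIGN = [
    ["open", "read", "write", "close"] * 5,
    ["open", "read", "read", "write", "close"] * 4,
    ["stat", "open", "read", "write", "close", "exit"] * 3,
]
# Constructed suspicious trace: a process-control pattern absent from training
SUSPECT = ["fork", "execve", "ptrace", "mmap", "mprotect", "write"] * 4
NORMAL_PROFILES = [profile(t) for t in BENIGN]
```

The threshold would in practice be tuned on held-out benign and malicious traces rather than fixed at 0.5.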
