Network Based Malware Detection within Virtualised Environments

While virtualisation can provide many benefits to a network's infrastructure, securing the virtualised environment is a significant challenge. The security of a fully virtualised solution depends on the security of each of its underlying components, such as the hypervisor, guest operating systems and storage. This paper presents a single security service running on the hypervisor that could potentially provide security services to all virtual machines running on the system: a hypervisor-hosted framework that performs specialised security tasks for all underlying virtual machines, protecting them against malicious attacks by passively analysing the network traffic of the VMs. The framework has been implemented using Xen Server and evaluated by detecting a Zeus server setup and its infected clients, distributed over a number of virtual machines. The framework is capable of detecting and identifying all infected VMs with no false positives or false negatives.
