
Sādhanā, 44:34

Towards virtual machine introspection based security framework for cloud

  • Bhavesh Borisaniya
  • Dhiren Patel
Article

Abstract

Virtualization enables resources to be provisioned to users according to their requirements through the Infrastructure as a Service (IaaS) delivery model of cloud computing. Malicious users could lease cloud resources and use them as platforms from which to launch attacks. In this paper, we propose a Virtual Machine Introspection (VMI)-based security framework that monitors cloud users’ in-VM activities and detects malicious ones, if any. We justify the selection of a hardware-knowledge-based VMI method for the proposed framework by discussing its key advantages over other VMI methods. We propose the design of a multi-threaded analysis component that can introspect a number of virtual machines hosted on cloud servers in real time. Experimental results demonstrate that our framework performs well on a set of metrics appropriate for a cloud IaaS environment.

Keywords

Virtual Machine Introspection, cloud computing, vector space model, system call trace, malware
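The keywords point at the detection approach behind the framework: system call traces are turned into vectors and compared in a vector space model. As an added illustration (not code from the paper or its authors), the following Python sketch shows that idea end to end: each trace becomes a bag-of-system-calls (or n-gram) term-frequency vector, a benign profile is built from training traces, and traces collected from several VMs are scored concurrently by cosine similarity, standing in for a multi-threaded analysis component. The syscall names, traces, threshold of 0.6, and the thread-pool layout are constructed assumptions; how the paper actually reconstructs traces via hardware-knowledge-based VMI, and which classifier it trains, are not shown here.

```python
"""Toy vector-space scoring of per-VM system-call traces (constructed example,
not the paper's implementation)."""
from collections import Counter
from concurrent.futures import ThreadPoolExecutor
from math import sqrt
from typing import Dict, Iterable, List, Tuple

Vector = Dict[str, float]

# Constructed traces standing in for syscall sequences an out-of-VM monitor would
# reconstruct; they are not captured data. The benign traces mimic a plain
# file-serving loop, the suspicious one mimics a process that forks children
# and opens network sockets. All values are hypothetical.
BENIGN_TRAINING = [
    "open read read write close stat open read close".split(),
    "open read write close open read read close stat".split(),
    "stat open read read read write close".split(),
]
BENIGN_TEST = "open read write close".split()
SUSPICIOUS_TEST = "open read ptrace execve fork execve mmap write socket connect".split()


def ngram_vector(trace: List[str], n: int = 1) -> Vector:
    """Term-frequency vector of syscall n-grams; n=1 is the bag-of-system-calls."""
    grams = (" ".join(trace[i:i + n]) for i in range(len(trace) - n + 1))
    return {k: float(v) for k, v in Counter(grams).items()}


def cosine(a: Vector, b: Vector) -> float:
    """Cosine similarity between two sparse term-frequency vectors."""
    dot = sum(v * b.get(k, 0.0) for k, v in a.items())
    norm_a = sqrt(sum(v * v for v in a.values()))
    norm_b = sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def build_profile(traces: Iterable[List[str]], n: int = 1) -> Vector:
    """Summed n-gram counts over the benign training traces: the reference 'document'."""
    profile: Counter = Counter()
    for trace in traces:
        profile.update(ngram_vector(trace, n))
    return {k: float(v) for k, v in profile.items()}


def score_trace(profile: Vector, trace: List[str], n: int = 1,
                threshold: float = 0.6) -> Tuple[float, bool]:
    """Return (similarity to the benign profile, flagged?). Low similarity means the
    trace's syscall distribution departs from the learned normal behaviour."""
    sim = cosine(profile, ngram_vector(trace, n))
    return sim, sim < threshold


def analyze_vms(profile: Vector, vm_traces: Dict[str, List[str]],
                n: int = 1, threshold: float = 0.6,
                workers: int = 4) -> Dict[str, Tuple[float, bool]]:
    """Score many VMs' traces concurrently, one worker thread per in-flight trace,
    mirroring an analysis component that serves several guests at once."""
    def job(item):
        vm_id, trace = item
        return vm_id, score_trace(profile, trace, n, threshold)

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(job, vm_traces.items()))


if __name__ == "__main__":
    prof = build_profile(BENIGN_TRAINING)
    results = analyze_vms(prof, {"vm-a": BENIGN_TEST, "vm-b": SUSPICIOUS_TEST})
    for vm, (sim, flagged) in results.items():
        print(f"{vm}: similarity={sim:.3f} flagged={flagged}")
```

Cosine similarity on raw counts is deliberately simple so the scoring is easy to follow; the same vectors can be fed to any classifier, and raising `n` to 2 or 3 makes the model sensitive to syscall ordering rather than just frequency, which is what helps against traces that reuse ordinary calls in an unusual sequence.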


Copyright information

© Indian Academy of Sciences 2019

Authors and Affiliations

  1. Department of Computer Engineering, Sardar Vallabhbhai National Institute of Technology Surat, Surat, India
