Phase Space Detection of Virtual Machine Cyber Events Through Hypervisor-Level System Call Analysis

Dawson, Joel; McDonald, J. Todd; Hively, L.M.; Andel, Todd R.; Yampolskiy, Mark; Hubbard, Charles W.

doi:10.1109/icdis.2018.00034

Cited by 18 publications

(8 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Most recently, approaches that rely on machine learning techniques have gained traction. The high increase in cloud activity has also called for more attention towards methods that are specific to the cloud environment [1], [5]- [7], [10], [20], [21]. Table I shows some of the closely related work.…”

Section: A Related Workmentioning

confidence: 99%

“…This approach succeeded in detecting highly active malware, but was not successful in detecting low activity malware. Dawson et al [10] fetch API calls through hypervisor to be used as features and use a non linear phase-space algorithm to detect anomalous behavior. Watson et al [1] use performance metrics to build a one class SVC; however, the authors experimented on highly active malware which is easy to detect.…”

Section: A Related Workmentioning

confidence: 99%

“…Online malware detection techniques are significantly impacted by the features chosen to capture the behavior of the malware present in a particular machine. For example, several works [2], [10], [11] are using system calls (the most widely used); however, it is very resource consuming and data can only be fetched through on-host collecting agent. Only few works [1], [5]- [8], [12], [13] use resource utilization metrics (also known as performance metrics) due to the fact that they are less expressive than system calls in terms of capturing the low-activity malicious behavior.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Analyzing Machine Learning Approaches for Online Malware Detection in Cloud

Kimmell¹,

Abdelsalam²,

Gupta³

2021

Preprint

View full text Add to dashboard Cite

The variety of services and functionality offered by various cloud service providers (CSP) have exploded lately. Utilizing such services has created numerous opportunities for enterprises infrastructure to become cloud-based and, in turn, assisted the enterprises to easily and flexibly offer services to their customers. The practice of renting out access to servers to clients for computing and storage purposes is known as Infrastructure as a Service (IaaS). The popularity of IaaS has led to serious and critical concerns with respect to the cyber security and privacy. In particular, malware is often leveraged by malicious entities against cloud services to compromise sensitive data or to obstruct their functionality. In response to this growing menace, malware detection for cloud environments has become a widely researched topic with numerous methods being proposed and deployed. In this paper, we present online malware detection based on process level performance metrics, and analyze the effectiveness of different baseline machine learning models including, Support Vector Classifier (SVC), Random Forest Classifier (RFC), K-Nearest Neighbor (KNN), Gradient Boosted Classifier (GBC), Gaussian Naive Bayes (GNB) and Convolutional Neural Networks (CNN). Our analysis conclude that neural network models can most accurately detect the impact malware have on the process level features of virtual machines in the cloud, and therefore are best suited to detect them. Our models were trained, validated, and tested by using a dataset of 40,680 malicious and benign samples. The dataset was complied by running different families of malware (collected from VirusTotal) in a live cloud environment and collecting the process level features.

show abstract

Section: A Related Workmentioning

confidence: 99%

Section: A Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Analyzing Machine Learning Approaches for Online Malware Detection in Cloud

Kimmell¹,

Abdelsalam²,

Gupta³

2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Many research works address the problem of online malware detection using different set of features and machine learning algorithms. Some works [6,8,14] focus on using systems calls while others [3,18,19] focus on using API calls. Others [16,23] focus on using memory features or performance counters [7].…”

Section: Related Workmentioning

confidence: 99%

“…Few works [1,6,17,20,21] exist in the domain of online malware detection in cloud. Typically, machine learning is used in online malware detection.…”

Section: Introductionmentioning

confidence: 99%

Online Malware Detection in Cloud Auto-scaling Systems Using Shallow Convolutional Neural Networks

Abdelsalam

Krishnan

Sandhu

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

This paper introduces a novel online malware detection approach in cloud by leveraging one of its unique characteristics-auto-scaling. Auto-scaling in cloud allows for maintaining an optimal number of running VMs based on load, by dynamically adding or terminating VMs. Our detection system is online because it detects malicious behavior while the system is running. Malware detection is performed by utilizing process-level performance metrics to model a Convolutional Neural Network (CNN). We initially employ a 2d CNN approach which trains on individual samples of each of the VMs in an auto-scaling scenario. That is, there is no correlation between samples from different VMs during the training phase. We enhance the detection accuracy by considering the correlations between multiple VMs through a sample pairing approach. Experiments are performed by injecting malware inside one of the VMs in an auto-scaling scenario. We show that our standard 2d CNN approach reaches an accuracy of 90%. However, our sample pairing approach significantly improves the accuracy to 97%.

show abstract