Title: HyperGuard: on designing out-VM malware analysis approach to detect intrusions from hypervisor in cloud environment

Authors: Prithviraj Singh Bisht; Preeti Mishra; Pushpanjali Chauhan; R.C. Joshi

Addresses: Bharti Airtel, Pune, India ' Department of Computer Science, Doon University, Dehradun, India ' Apple, Hyderabad, India ' Department of Electronics and Computer Engineering, Indian Institute of Technology, Roorkee, Uttarakhand, India

Abstract: Cloud computing provides delivery of computing resources as a service on a pay-as-you-go basis. It represents a shift from products being purchased, to products being subscribed as a service, delivered to consumers over the internet from a large scale data centre. The main issue with cloud services is security from attackers who can easily compromise the Virtual Machines (VMs) and applications running over it. In this paper, we present a HyperGuard mechanism to detect malware attacks which hide their presence by sensing the analysing environment or security tools installed in VMs. They may attach themselves with the legitimate processes. Hence, HyperGuard is deployed at the hypervisor, outside the monitored VMs to detect such evasive attacks. It employs open source introspection libraries such as DRAKVUF, LIbVMI etc. to capture the VM behaviour from hypervisor inform of syscall logs. It extracts the features in form of n-grams. It makes use of Recursive Feature Elimination (RFE) and Support Vector Machine (SVM) to learn and detect the abnormal behaviour of evasive malware. The approach has been validated with a publicly available dataset (Trojan binaries) and dataset obtained on request from University of New California (evasive malware binaries). The results seem to be promising.

Keywords: cloud security; intrusion detection; virtual machine introspection; system call traces; machine learning; anomaly behaviour detection.

DOI: 10.1504/IJGUC.2023.132617

International Journal of Grid and Utility Computing, 2023 Vol.14 No.4, pp.356 - 367

Received: 29 Oct 2019
Accepted: 01 May 2020

Published online: 31 Jul 2023 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article