Your search keyword '"virtual machine introspection"' showing total 206 results

1. Malware detection for container runtime based on virtual machine introspection.

Author

He, Xinfeng and Li, Riyang

Subjects

*VIRTUAL machine systems, *CONVOLUTIONAL neural networks, *MALWARE, *INTROSPECTION, *HYPERVISOR (Computer software), *GRAYSCALE model

Abstract

The isolation technique of containers introduces uncertain security risks to malware detection in the current container environment. In this paper, we propose a framework called Malware Detection for Container Runtime based on Virtual Machine Introspection (MDCRV) to detect in-container malware. MDCRV can automatically export the memory snapshots by using virtual machine introspection in container-in-virtual-machine architecture and reconstruct container semantics from memory snapshots. Although in-container malware might escape from the isolating measures of the container, our detecting program which benefits from the isolation of the hypervisor still can work well. Additionally, we propose a container process visualization approach to improve the efficiency of analyzing the binary execution information of container runtime. We convert the live processes of in-container malware and benign application to grayscale images and employ the convolutional neural network to extract malware features from the self-constructed dataset. The experimental results show that MDCRV achieves high accuracy while improving security. [ABSTRACT FROM AUTHOR]

Published

2024

2. Retrofitting AMD x86 Processors with Active Virtual Machine Introspection Capabilities

Author

Dangl, Thomas, Sentanoe, Stewart, Reiser, Hans P., Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Goumas, Georgios, editor, Tomforde, Sven, editor, Brehm, Jürgen, editor, Wildermann, Stefan, editor, and Pionteck, Thilo, editor

Published

2023

3. SeqTrace: API Call Tracing Based on Intel PT and VMI for Malware Detection

Author

Ding, Zhenquan, Guo, Yonghe, Xu, Hui, Yan, Longchuan, Cui, Lei, Peng, Yuanlong, Cheng, Feng, Hao, Zhiyu, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Meng, Weizhi, editor, Lu, Rongxing, editor, Min, Geyong, editor, and Vaidya, Jaideep, editor

Published

2023

4. An Asset-Based Approach to Mitigate Zero-Day Ransomware Attacks.

Author

Azzedin, Farag, Suwad, Husam, and Rahman, Md Mahfuzur

Subjects

RANSOMWARE, VIRTUAL machine systems, SECURITY systems, BURGLARY protection, INTROSPECTION, INFORMATION storage & retrieval systems

Abstract

This article presents an asset-based security system where security practitioners build their systems based on information they own and not solicited by observing attackers' behavior. Current security solutions rely on information coming from attackers. Examples are current monitoring and detection security solutions such as intrusion prevention/detection systems and firewalls. This article envisions creating an imbalance between attackers and defenders in favor of defenders. As such, we are proposing to flip the security game such that it will be led by defenders and not attackers. We are proposing a security system that does not observe the behavior of the attack. On the contrary, we draw, plan, and follow up our own protection strategy regardless of the attack behavior. The objective of our security system is to protect assets rather than protect against attacks. Virtual machine introspection is used to intercept, inspect, and analyze system calls. The system callbased approach is utilized to detect zero-day ransomware attacks. The core idea is to take advantage of Xen and DRAKVUF for system call interception, and leverage system calls to detect illegal operations towards identified critical assets. We utilize our vision by proposing an asset-based approach to mitigate zero-day ransomware attacks. The obtained results are promising and indicate that our prototype will achieve its goals. [ABSTRACT FROM AUTHOR]

Published

2022

5. A Quest for Best: A Detailed Comparison Between Drakvuf-VMI-Based and Cuckoo Sandbox-Based Technique for Dynamic Malware Analysis

Author

Melvin, A. Alfred Raja, Kathrine, G. Jaspher W., Kacprzyk, Janusz, Series Editor, Pal, Nikhil R., Advisory Editor, Bello Perez, Rafael, Advisory Editor, Corchado, Emilio S., Advisory Editor, Hagras, Hani, Advisory Editor, Kóczy, László T., Advisory Editor, Kreinovich, Vladik, Advisory Editor, Lin, Chin-Teng, Advisory Editor, Lu, Jie, Advisory Editor, Melin, Patricia, Advisory Editor, Nedjah, Nadia, Advisory Editor, Nguyen, Ngoc Thanh, Advisory Editor, Wang, Jun, Advisory Editor, Peter, J. Dinesh, editor, Fernandes, Steven L., editor, and Alavi, Amir H., editor

Published

2021

6. (Short Paper) Evidence Collection and Preservation System with Virtual Machine Monitoring

Author

Nakamura, Toru, Ito, Hiroshi, Kiyomoto, Shinsaku, Yamauchi, Toshihiro, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Nakanishi, Toru, editor, and Nojima, Ryo, editor

Published

2021

7. A Container-Oriented Virtual-Machine-Introspection-Based Security Monitor to Secure Containers in Cloud Computing

Author

Yu, Zhaofeng, Ye, Lin, Zhang, Hongli, Zhan, Dongyang, Su, Shen, Tian, Zhihong, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Sun, Xingming, editor, Zhang, Xiaorui, editor, and Xia, Zhihua, editor

Published

2021

8. Agent-Based File Extraction Using Virtual Machine Introspection

Author

Dangl, Thomas, Taubmann, Benjamin, Reiser, Hans P., Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Asplund, Mikael, editor, and Nadjm-Tehrani, Simin, editor

Published

2021

9. Retrofitting LBR Profiling to Enhance Virtual Machine Introspection.

Author

Liu, Weijie, Liu, Ximeng, Li, Zhi, Liu, Bin, Yu, Rongwei, and Wang, Lina

Abstract

Cloud attack provenance is a well-established industrial practice for assuring transparency and accountability for a service provider to tenants. However, the multi-tenancy and self-service nature coupled with the sheer size of a cloud implies many unique challenges to cloud forensics. Although Virtual Machine Introspection (VMI) is a powerful tool for attack provenance due to the privilege isolation, the stealthiness of state-of-the-art attacks and the lack of precise information make existing attack provenance solutions difficult to fulfill real-time forensics when tracking enormous suspicious behaviors. To this end, we propose an instruction-level tracing framework for inspecting the presence of attacks by dynamically tracking shared processor hardware event patterns and analyzing the attack traces. To overcome the challenges of real-time detection and provenance, we advocate Last Branch Record (LBR) profiling, to extract the suspicious execution flows. With the hardware assistance and software-based virtualization introspection, we show that the framework can provide an effective response to threats in different cases, thereby enabling a quick attack provenance with high fidelity. The evaluation shows that our prototype introduces negligible performance penalties. [ABSTRACT FROM AUTHOR]

Published

2022

10. DECAF: A Platform-Neutral Whole-System Dynamic Binary Analysis Platform

Author

Henderson, A, Yan, LK, Hu, X, Prakash, A, Yin, H, and McCamant, S

Subjects

Dynamic binary analysis, dynamic taint analysis, virtual machine introspection, Software Engineering, Computer Software, Information Systems, Electrical and Electronic Engineering

Abstract

Dynamic binary analysis is a prevalent and indispensable technique in program analysis. While several dynamic binary analysis tools and frameworks have been proposed, all suffer from one or more of: prohibitive performance degradation, a semantic gap between the analysis code and the program being analyzed, architecture/OS specificity, being user-mode only, and lacking APIs. We present DECAF, a virtual machine based, multi-target, whole-system dynamic binary analysis framework built on top of QEMU. DECAF provides Just-In-Time Virtual Machine Introspection and a plugin architecture with a simple-to-use event-driven programming interface. DECAF implements a new instruction-level taint tracking engine at bit granularity, which exercises fine control over the QEMU Tiny Code Generator (TCG) intermediate representation to accomplish on-the-fly optimizations while ensuring that the taint propagation is sound and highly precise. We perform a formal analysis of DECAF's taint propagation rules to verify that most instructions introduce neither false positives nor false negatives. We also present three platform-neutral plugins - Instruction Tracer, Keylogger Detector, and API Tracer, to demonstrate the ease of use and effectiveness of DECAF in writing cross-platform and system-wide analysis tools. Implementation of DECAF consists of 9,550 lines of C++ code and 10,270 lines of C code and we evaluate DECAF using CPU2006 SPEC benchmarks and show average overhead of 605 percent for system wide tainting and 12 percent for VMI.

Published

2017

11. VMIGuard: Detecting and Preventing Service Integrity Violations by Malicious Insiders Using Virtual Machine Introspection

Author

Sentanoe, Stewart, Taubmann, Benjamin, Reiser, Hans P., Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Askarov, Aslan, editor, Hansen, René Rydhof, editor, and Rafnsson, Willard, editor

Published

2019

12. Developing a novel methodology for virtual machine introspection to classify unknown malware functions.

Author

Vaza, Rahul N., Prajapati, Ramesh, Rathod, Dushyantsinh, and Vaghela, Dineshkumar

Subjects

AFRICAN buffalo, INTROSPECTION, MALWARE, FEATURE extraction, KEY performance indicators (Management), ERROR rates

Abstract

In recent years, cloud service security is a crucial task because of several vulnerabilities in Virtual Machine such as malicious activities, viruses, and errors. Therefore detecting malicious activity is essential to improve the security of the cloud and VM. There are many existing techniques are developed to identify malicious attacks but still having the issues of less accuracy of detecting attacks, high false prediction rate and error also the main problem is the complexity to detect malware attacks because of large files. So, this current research proposed a new Adversarial-based Generative Model with African Buffalo (AGM-AB) technique to classify unknown malware functions presented in the VM. Also, AB fitness is initializing in AGM for enhancing the performance of feature extraction and classification. In addition, the developed AGM-AB technique categorizes executable files of benign and malware also improve the accuracy of malware detection. Furthermore, launch the unknown malware in developed technique for validating the efficiency of classification in AGM-AB technique. Thus the developed AGM-AB technique is implemented in python, and the performance metrics are calculated such as accuracy, AUC, False Positive Rate (FPR), recall value, precision, and F-measure. [ABSTRACT FROM AUTHOR]

Published

2022

13. Hardening the Security of Multi-Access Edge Computing through Bio-Inspired VM Introspection.

Author

Huseynov, Huseyn, Saadawi, Tarek, and Kourai, Kenichi

Subjects

BANDWIDTHS, 5G networks, TECHNOLOGICAL innovations, CLOUD computing, VIRTUAL machine systems

Abstract

The extreme bandwidth and performance of 5G mobile networks changes the way we develop and utilize digital services. Within a few years, 5G will not only touch technology and applications, but dramatically change the economy, our society and individual life. One of the emerging technologies that enables the evolution to 5G by bringing cloud capabilities near to the end users is Edge Computing or also known as Multi-Access Edge Computing (MEC) that will become pertinent towards the evolution of 5G. This evolution also entails growth in the threat landscape and increase privacy in concerns at different application areas, hence security and privacy plays a central role in the evolution towards 5G. Since MEC application instantiated in the virtualized infrastructure, in this paper we present a distributed application that aims to constantly introspect multiple virtual machines (VMs) in order to detect malicious activities based on their anomalous behavior. Once suspicious processes detected, our IDS in real-time notifies system administrator about the potential threat. Developed software is able to detect keyloggers, rootkits, trojans, process hiding and other intrusion artifacts via agent-less operation, by operating remotely or directly from the host machine. Remote memory introspection means no software to install, no notice to malware to evacuate or destroy data. Experimental results of remote VMI on more than 50 different malicious code demonstrate average anomaly detection rate close to 97%. We have established wide testbed environment connecting networks of two universities Kyushu Institute of Technology and The City College of New York through secure GRE tunnel. Conducted experiments on this testbed deliver high response time of the proposed system. [ABSTRACT FROM AUTHOR]

Published

2021

14. Malware Detection Based on Multi-level and Dynamic Multi-feature Using Ensemble Learning at Hypervisor.

Author

Zhang, Jian, Gao, Cheng, Gong, Liangyi, Gu, Zhaojun, Man, Dapeng, Yang, Wu, and Li, Wenzhen

Subjects

*REAL numbers, *FEATURE selection, *HYPERVISOR (Computer software), *MACHINE performance, *CLOUD computing, *MALWARE, *MALWARE prevention

Abstract

As more and more applications migrate to clouds, the type and amount of malware attack against virtualized environments are increasing, which is a key factor that restricts the widespread deployment and application of cloud platforms. Traditional in-VM-based security software is not effective against malware attacks, as the security software itself becomes the target of malware attacks and can easily be tampered with or even subverted. In this paper, we propose a new malware detection method to improve virtual machine security performance and ensure the security of the entire cloud platform. This paper uses the virtual machine introspection(VMI) combined with the memory forensics analysis(MFA) technology to extract multiple types of dynamic features from the virtual machine memory, the hypervisor layer and the hardware layer. Furthermore, this paper proposes an adaptive feature selection method. By combining three different search strategies, three types of features are compared and analyzed from three aspects: effectiveness, system load and security. By adjusting the weight of each feature, it meets the detection requirements of different malware in the cloud environment as expected. Finally, the detection method improves the detection accuracy and generalization ability of the overall classifier using the AdaBoost ensemble learning method with Voting's combination strategy. The experiment used a large number of real malicious samples, and achieved an accuracy of 0.999 (AUC), with a maximum performance overhead of 5.6%. [ABSTRACT FROM AUTHOR]

Published

2021

15. On the Trustworthiness of Memory Analysis-An Empirical Study from the Perspective of Binary Execution

Author

Prakash, A, Venkataramani, E, Yin, H, and Lin, Z

Subjects

Memory forensics, operating systems security, invasive software, DKOM, kernel rootkit, virtual machine introspection, Strategic, Defence & Security Studies, Computer Software, Data Format, Distributed Computing, Strategic, Defence & Security Studies

Abstract

Memory analysis serves as a foundation for many security applications such as memory forensics, virtual machine introspection and malware investigation. However, malware, or more specifically a kernel rootkit, can often tamper with kernel memory data, putting the trustworthiness of memory analysis under question. With the rapid deployment of cloud computing and increase of cyber attacks, there is a pressing need to systematically study and understand the problem of memory analysis. In particular, without ground truth, the quality of the memory analysis tools widely used for analyzing closed-source operating systems (like Windows) has not been thoroughly studied. Moreover, while it is widely accepted that value manipulation attacks pose a threat to memory analysis, its severity has not been explored and well understood. To answer these questions, we have devised a number of novel analysis techniques including (1) binary level ground-truth collection, and (2) value equivalence set directed field mutation. Our experimental results demonstrate not only that the existing tools are inaccurate even under a non-malicious context, but also that value manipulation attacks are practical and severe. Finally, we show that exploiting information redundancy can be a viable direction to mitigate value manipulation attacks, but checking information equivalence alone is not an ultimate solution.

Published

2015

16. Automatic Mitigation of Kernel Rootkits in Cloud Environments

Author

Grimm, Jonathan, Ahmed, Irfan, Roussev, Vassil, Bhatt, Manish, Hong, ManPyo, Hutchison, David, Series Editor, Kanade, Takeo, Series Editor, Kittler, Josef, Series Editor, Kleinberg, Jon M., Series Editor, Mattern, Friedemann, Series Editor, Mitchell, John C., Series Editor, Naor, Moni, Series Editor, Pandu Rangan, C., Series Editor, Steffen, Bernhard, Series Editor, Terzopoulos, Demetri, Series Editor, Tygar, Doug, Series Editor, Weikum, Gerhard, Series Editor, Kang, Brent ByungHoon, editor, and Kim, Taesoo, editor

Published

2018

17. NOR: Towards Non-intrusive, Real-Time and OS-agnostic Introspection for Virtual Machines in Cloud Environment

Author

Wang, Chonghua, Hao, Zhiyu, Yun, Xiaochun, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Chen, Xiaofeng, editor, Lin, Dongdai, editor, and Yung, Moti, editor

Published

2018

18. Sarracenia: Enhancing the Performance and Stealthiness of SSH Honeypots Using Virtual Machine Introspection

Author

Sentanoe, Stewart, Taubmann, Benjamin, Reiser, Hans P., Hutchison, David, Series Editor, Kanade, Takeo, Series Editor, Kittler, Josef, Series Editor, Kleinberg, Jon M., Series Editor, Mattern, Friedemann, Series Editor, Mitchell, John C., Series Editor, Naor, Moni, Series Editor, Pandu Rangan, C., Series Editor, Steffen, Bernhard, Series Editor, Terzopoulos, Demetri, Series Editor, Tygar, Doug, Series Editor, Weikum, Gerhard, Series Editor, and Gruschka, Nils, editor

Published

2018

19. Machine-Learning-Based Malware Detection for Virtual Machine by Analyzing Opcode Sequence

Author

Wang, Xiao, Zhang, Jianbiao, Zhang, Ai, Hutchison, David, Series Editor, Kanade, Takeo, Series Editor, Kittler, Josef, Series Editor, Kleinberg, Jon M., Series Editor, Mattern, Friedemann, Series Editor, Mitchell, John C., Series Editor, Naor, Moni, Series Editor, Pandu Rangan, C., Series Editor, Steffen, Bernhard, Series Editor, Terzopoulos, Demetri, Series Editor, Tygar, Doug, Series Editor, Weikum, Gerhard, Series Editor, Ren, Jinchang, editor, Hussain, Amir, editor, Zheng, Jiangbin, editor, Liu, Cheng-Lin, editor, Luo, Bin, editor, Zhao, Huimin, editor, and Zhao, Xinbo, editor

Published

2018

20. ShadowMonitor: An Effective In-VM Monitoring Framework with Hardware-Enforced Isolation

Author

Shi, Bin, Cui, Lei, Li, Bo, Liu, Xudong, Hao, Zhiyu, Shen, Haiying, Hutchison, David, Series Editor, Kanade, Takeo, Series Editor, Kittler, Josef, Series Editor, Kleinberg, Jon M., Series Editor, Mattern, Friedemann, Series Editor, Mitchell, John C., Series Editor, Naor, Moni, Series Editor, Pandu Rangan, C., Series Editor, Steffen, Bernhard, Series Editor, Terzopoulos, Demetri, Series Editor, Tygar, Doug, Series Editor, Weikum, Gerhard, Series Editor, Bailey, Michael, editor, Holz, Thorsten, editor, Stamatogiannakis, Manolis, editor, and Ioannidis, Sotiris, editor

Published

2018

21. Furnace: Self-service Tenant VMI for the Cloud

Author

Bushouse, Micah, Reeves, Douglas, Hutchison, David, Series Editor, Kanade, Takeo, Series Editor, Kittler, Josef, Series Editor, Kleinberg, Jon M., Series Editor, Mattern, Friedemann, Series Editor, Mitchell, John C., Series Editor, Naor, Moni, Series Editor, Pandu Rangan, C., Series Editor, Steffen, Bernhard, Series Editor, Terzopoulos, Demetri, Series Editor, Tygar, Doug, Series Editor, Weikum, Gerhard, Series Editor, Bailey, Michael, editor, Holz, Thorsten, editor, Stamatogiannakis, Manolis, editor, and Ioannidis, Sotiris, editor

Published

2018

22. Active and passive virtual machine introspection on AMD and ARM processors.

Author

Dangl, Thomas, Sentanoe, Stewart, and Reiser, Hans P.

Subjects

*VIRTUAL machine systems, *ARM microprocessors, *HYPERVISOR (Computer software), *INTROSPECTION

Abstract

Active and passive virtual machine introspection mechanisms are pivotal for monitoring virtual machines on top of a hypervisor. They enable external tools to monitor and inspect the state from the outside. Active virtual machine introspection mechanisms intercept the execution at predetermined locations of interest synchronous to the execution of the system. Such mechanisms, in particular, require support from the processor vendor by facilitating interpositioning. This support is missing on AMD x86 processors, leading to inferior introspection solutions. We outline implicit assumptions about active introspection mechanisms in previous work, offer constructions for solution strategies on AMD systems, and discuss stealthiness and correctness. We show empirically that such retrofitted software solutions exhibit performance metrics in the same order of magnitude as native hardware solutions. Moreover, we highlight that the open problems for virtual machine introspection on ARM systems and those encountered on AMD x86 are related. Hence, we present an introspection architecture based on KVMi that addresses these open problems. Finally, we demonstrate comparable and, in many cases, superior performance to state-of-the-art solutions on Intel x86. [ABSTRACT FROM AUTHOR]

Published

2024

23. Multi-Aspect, Robust, and Memory Exclusive Guest OS Fingerprinting

Author

Gu, Yufei, Fu, Yangchun, Prakash, Aravind, Lin, Zhiqiang, and Yin, Heng

Subjects

Distributed Computing and Systems Software, Information and Computing Sciences, Cybersecurity and Privacy, Operating system fingerprinting, virtual machine introspection, memory forensics, Distributed Computing, Information Systems, Distributed computing and systems software

Abstract

Precise fingerprinting of an operating system (OS) is critical to many security and forensics applications in the cloud, such as virtual machine (VM) introspection, penetration testing, guest OS administration, kernel dump analysis, and memory forensics. The existing OS fingerprinting techniques primarily inspect network packets or CPU states, and they all fall short in precision and usability. As the physical memory of a VM always exists in all these applications, in this article, we present OS-Sommelier+, a multi-aspect, memory exclusive approach for precise and robust guest OS fingerprinting in the cloud. It works as follows: given a physical memory dump of a guest OS, OS-Sommelier+ first uses a code hash based approach from kernel code aspect to determine the guest OS version. If code hash approach fails, OS-Sommelier+ then uses a kernel data signature based approach from kernel data aspect to determine the version. We have implemented a prototype system, and tested it with a number of Linux kernels. Our evaluation results show that the code hash approach is faster but can only fingerprint the known kernels, and data signature approach complements the code signature approach and can fingerprint even unknown kernels.

Published

2014

24. VMI-based virtual machine remote attestation scheme

Author

Wei WANG,Xin JIN, Xingshu CHEN, and Xiao LAN

Subjects

virtual machine remote attestation, the cuckoo attack, virtual machine introspection, tpm, attestation identity key, Electronic computers. Computer science, QA75.5-76.95

Abstract

The virtual machine attestation scheme proposed by trusted computing group (TCG) can provide attestation service of virtual machine for cloud computing.However,the service using the scheme proposed by the TCG directly would be threatened by the cuckoo attack and its performance would be lower.Therefore,a new virtual machine remote attestation scheme based on virtual machine introspection (VMI) was proposed.Firstly,it eliminated the path to perform cuckoo attacks in virtual machines via obtaining virtual machines′ remote attestation evidence in virtual machine monitor (VMM).Secondly,it used physical trusted platform module (TPM) to ensure the integrity of virtual machines’ remote attestation evidence and reduced the number of attestation identity key (AIK) certificates required during remote attestation to balance the load of private CA.Experiments show that the proposed scheme can verify the status of virtual machines correctly and increase the performance of bulk virtual machines’ remote attestation significantly.

Published

2018

25. Reading the contents of deleted and modified files in the virtualization based black-box binary analysis system Drakvuf

Author

S. G. Kovalev

Subjects

вредоносная программа, динамический анализ, инъекция, drakvuf, virtual machine introspection, Electronic computers. Computer science, QA75.5-76.95

Abstract

The article discusses ways to get the content of files, which are modified during the processing in the well-known open source dynamic analysis environment Drakvuf. Drakvuf initially implemented file saving functionality based on the use of undocumented mechanisms for working with the system cache. The author of this article proposes a new approach to obtaining the content of files on Microsoft Windows family systems using Drakvuf. The proposed approach is based solely on the use of the public interface of the kernel by the hypervisor and provides portability between different versions of the operating system. In the conclusion of the article, the advantages and disadvantages of both approaches are presented, and directions for further work are proposed.

Published

2018

26. A Cooperative Approach to Virtual Machine Based Fault Injection

Author

Naughton, Thomas, Engelmann, Christian, Vallée, Geoffroy, Aderholdt, Ferrol, Scott, Stephen L., Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Desprez, Frédéric, editor, Dutot, Pierre-François, editor, Kaklamanis, Christos, editor, Marchal, Loris, editor, Molitorisz, Korbinian, editor, Ricci, Laura, editor, Scarano, Vittorio, editor, Vega-Rodríguez, Miguel A., editor, Varbanescu, Ana Lucia, editor, Hunold, Sascha, editor, Scott, Stephen L., editor, Lankes, Stefan, editor, and Weidendorfer, Josef, editor

Published

2017

27. Checking Function-Level Kernel Control Flow Integrity for Cloud Computing

Author

Lin Ye, Xiangzhan Yu, Lei Yu, Bin Guo, Dongyang Zhan, Xiaojiang Du, and Mohsen Guizani

Subjects

Control flow integrity, function-level analysis, virtual machine introspection, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

With the advancement of cloud computing, the control flow integrity (CFI) of virtual machines' kernel becomes more and more important for the security of cloud services. Many CFI checking and protecting approaches have been proposed. Among them, dynamic analysis approaches have the best detection capability, but they are rarely used because of the high overhead introduced to the virtual machines to be monitored. In this paper, we propose a function-level kernel CFI checking approach to meet the performance requirements in the cloud. By combining the static memory analysis and the dynamic tracing, our system can achieve high detection capability with low overhead. Since the analysis and tracing targets of our system are kernel functions, our system incurs lower overhead to the monitored virtual machines than the instruction-level monitors. We propose two models to describe the kernel control flows. After building the secure control flow database by learning the normal behaviors, we can detect abnormal control flows in real time. With the help of virtualization and virtual machine introspection techniques, we implement a prototype system in the hardware virtualization environment. From the evaluation, our system has high detection capability with reasonable overhead.

Published

2018

28. Hardware-Assisted MMU Redirection for In-Guest Monitoring and API Profiling.

Author

Hsiao, Shun-Wen, Sun, Yeali S., and Chen, Meng Chang

Abstract

With the advance of hardware, network, and virtualization technologies, cloud computing has prevailed and become the target of security threats such as the cross virtual machine (VM) side channel attack, with which malicious users exploit vulnerabilities to gain information or access to other guest virtual machines. Among the many virtualization technologies, the hypervisor manages the shared resource pool to ensure that the guest VMs can be properly served and isolated from each other. However, while managing the shared hardware resources, due to the presence of the virtualization layer and different CPU modes (root and non-root mode), when a CPU is switched to non-root mode and is occupied by a guest machine, a hypervisor cannot intervene with a guest at runtime. Thus, the execution status of a guest is like a black box to a hypervisor, and the hypervisor cannot mediate possible malicious behavior at runtime. To rectify this, we propose a hardware-assisted VMI (virtual machine introspection) based in-guest process monitoring mechanism which supports monitoring and management applications such as process profiling. The mechanism allows hooks placed within a target process (which the security expert selects to monitor and profile) of a guest virtual machine and handles hook invocations via the hypervisor. In order to facilitate the needed monitoring and/or management operations in the guest machine, the mechanism redirects access to in-guest memory space to a controlled, self-defined memory within the hypervisor by modifying the extended page table (EPT) to minimize guest and host machine switches. The advantages of the proposed mechanism include transparency, high performance, and comprehensive semantics. To demonstrate the capability of the proposed mechanism, we develop an API profiling system (APIf) to record the API invocations of the target process. The experimental results show an average performance degradation of about 2.32%, far better than existing similar systems. [ABSTRACT FROM AUTHOR]

Published

2020

29. Automatic Uncovering of Tap Points from Kernel Executions

Author

Zeng, Junyuan, Fu, Yangchun, Lin, Zhiqiang, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Monrose, Fabian, editor, Dacier, Marc, editor, Blanc, Gregory, editor, and Garcia-Alfaro, Joaquin, editor

Published

2016

30. VMI Based Automated Real-Time Malware Detector for Virtualized Cloud Environment

Author

Ajay Kumara, M. A., Jaidhar, C. D., Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Carlet, Claude, editor, Hasan, M. Anwar, editor, and Saraswat, Vishal, editor

Published

2016

31. Hardening the Security of Multi-Access Edge Computing through Bio-Inspired VM Introspection

Author

Huseyn Huseynov, Tarek Saadawi, and Kenichi Kourai

Subjects

security and privacy, virtualization, intrusion detection, artificial immune system, virtual machine introspection, cloud security, Technology

Abstract

The extreme bandwidth and performance of 5G mobile networks changes the way we develop and utilize digital services. Within a few years, 5G will not only touch technology and applications, but dramatically change the economy, our society and individual life. One of the emerging technologies that enables the evolution to 5G by bringing cloud capabilities near to the end users is Edge Computing or also known as Multi-Access Edge Computing (MEC) that will become pertinent towards the evolution of 5G. This evolution also entails growth in the threat landscape and increase privacy in concerns at different application areas, hence security and privacy plays a central role in the evolution towards 5G. Since MEC application instantiated in the virtualized infrastructure, in this paper we present a distributed application that aims to constantly introspect multiple virtual machines (VMs) in order to detect malicious activities based on their anomalous behavior. Once suspicious processes detected, our IDS in real-time notifies system administrator about the potential threat. Developed software is able to detect keyloggers, rootkits, trojans, process hiding and other intrusion artifacts via agent-less operation, by operating remotely or directly from the host machine. Remote memory introspection means no software to install, no notice to malware to evacuate or destroy data. Experimental results of remote VMI on more than 50 different malicious code demonstrate average anomaly detection rate close to 97%. We have established wide testbed environment connecting networks of two universities Kyushu Institute of Technology and The City College of New York through secure GRE tunnel. Conducted experiments on this testbed deliver high response time of the proposed system.

Published

2021

32. Principles-Driven Forensic Analysis

Author

Peisert, Sean, Bishop, Matt, Karin, Sidney, and Marzullo, Keith

Subjects

OS and Networks, Forensics, forensic analysis, forensic principles, logging, auditing, covert channels, compilers, virtual machine introspection, multi-resolution forensics, abstraction shortcuts, race conditions

Abstract

It is possible to enhance our understanding of what has happened on a computer system by using forensic techniques that do not require prediction of the nature of the attack, the skill of the attacker, or the details of the system resources or objects affected. These techniques address five fundamental principles of computer forensics. These principles include recording data about the entire operating system, particularly user space events and environments, and interpreting events at different layers of abstraction, aided by the context in which they occurred. They also deal with modeling the recorded data as a multi-resolution, finite state machine so that results can be established to a high degree of certainty rather than merely inferred.

Published

2005

33. Defeating Kernel Driver Purifier

Author

Xiao, Jidong, Huang, Hai, Wang, Haining, Akan, Ozgur, Series editor, Cao, Jiannong, Series editor, Coulson, Geoffrey, Series editor, Dressler, Falko, Series editor, Ferrari, Domenico, Series editor, Gerla, Mario, Series editor, Kobayashi, Hisashi, Series editor, Palazzo, Sergio, Series editor, Sahni, Sartaj, Series editor, Shen, Xuemin (Sherman), Series editor, Stan, Mircea, Series editor, Xiaohua, Jia, Series editor, Zomaya, Albert, Series editor, Bellavista, Paolo, Series editor, Thuraisingham, Bhavani, editor, Wang, XiaoFeng, editor, and Yegneswaran, Vinod, editor

Published

2015

34. You Can’t Hide: A Novel Methodology to Defend DDoS Attack Based on Botcloud

Author

Li, Baohui, Niu, Wenjia, Xu, Kefu, Zhang, Chuang, Zhang, Peng, Diniz Junqueira Barbosa, Simone, Series editor, Chen, Phoebe, Series editor, Du, Xiaoyong, Series editor, Filipe, Joaquim, Series editor, Kara, Orhun, Series editor, Liu, Ting, Series editor, Kotenko, Igor, Series editor, Sivalingam, Krishna M., Series editor, Washio, Takashi, Series editor, Niu, Wenjia, editor, Li, Gang, editor, Liu, Jiqiang, editor, Tan, Jianlong, editor, Guo, Li, editor, Han, Zhen, editor, and Batten, Lynn, editor

Published

2015

35. Integrity Checking of Function Pointers in Kernel Pools via Virtual Machine Introspection

Author

Ahmed, Irfan, Richard, Golden G., III, Zoranic, Aleksandar, Roussev, Vassil, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, and Desmedt, Yvo, editor

Published

2015

36. A Model of Dynamic Malware Analysis Based on VMI

Author

Li, Chengye, Xiang, Yangyue, Shi, Jiangyong, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Wang, Guojin, editor, Zomaya, Albert, editor, Martinez, Gregorio, editor, and Li, Kenli, editor

Published

2015

37. Jackdaw: Towards Automatic Reverse Engineering of Large Datasets of Binaries

Author

Polino, Mario, Scorti, Andrea, Maggi, Federico, Zanero, Stefano, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Almgren, Magnus, editor, Gulisano, Vincenzo, editor, and Maggi, Federico, editor

Published

2015

38. CloudVMI: A Cloud-Oriented Writable Virtual Machine Introspection

Author

Weizhong Qiang, Gongping Xu, Weiqi Dai, Deqing Zou, and Hai Jin

Subjects

Virtual machine introspection, cloud management, security monitoring, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

IoT generates considerable amounts of data, which often requires leveraging cloud computing to effectively scale the costs of transferring and computing these data. The concern regarding cloud security is more severe because many devices are connected to the cloud. It is important to automatically monitor and control these resources and services to efficiently and securely deliver cloud computing. The writable virtual machine introspection (VMI) technique can not only detect the runtime state of a guest VM from the outside but also update the state from the outside without any need for administrator efforts. Thus, the writable VMI technique can provide the benefit of high automation, which is helpful for automated cloud management. However, the existing writable VMI technique produces high overhead, fails to monitor the VMs distributed on different host nodes, and fails to monitor multiple VMs with heterogeneous guest OSes within a cloud; therefore, it cannot be applied for automated and centralized cloud management. In this paper, we present CloudVMI, which is a writable and crossnode monitoring VMI framework that can overcome the aforementioned issues. CloudVMI solves the semantic gap problem by redirecting the critical execution of system calls issued by the VMI program into the monitored VM. It has strong practicability by allowing one introspection program to inspect heterogeneous guest OSes and to monitor VMs distributed on remote host nodes. Thus, CloudVMI can be directly applied for automated and centralized cloud management. Moreover, we implement some defensive measures to secure CloudVMI itself. To highlight the writable capability and practical usefulness of CloudVMI, we implement four applications based on CloudVMI. CloudVMI is designed, implemented, and systematically evaluated. The experimental results demonstrate that CloudVMI is effective and practical for cloud management and that its performance overhead is acceptable compared with existing VMI systems.

Published

2017

39. Kernel Memory Protection by an Insertable Hypervisor Which Has VM Introspection and Stealth Breakpoints

Author

Suzaki, Kuniyasu, Yagi, Toshiki, Kobara, Kazukuni, Ishiyama, Toshiaki, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Kobsa, Alfred, Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Nierstrasz, Oscar, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Yoshida, Maki, editor, and Mouri, Koichi, editor

Published

2014

40. Network Security Situation Awareness Framework based on Threat Intelligence.

Author

Hongbin Zhang, Yuzi Yi, Junshe Wang, Ning Cao, and Qiang Duan

Subjects

COMPUTER network security, SITUATIONAL awareness, CYBERTERRORISM, CLOUD computing, VIRTUAL machine systems

Abstract

Network security situation awareness is an important foundation for network security management, which presents the target system security status by analyzing existing or potential cyber threats in the target system. In network offense and defense, the network security state of the target system will be affected by both offensive and defensive strategies. According to this feature, this paper proposes a network security situation awareness method using stochastic game in cloud computing environment, uses the utility of both sides of the game to quantify the network security situation value. This method analyzes the nodes based on the network security state of the target virtual machine and uses the virtual machine introspection mechanism to obtain the impact of network attacks on the target virtual machine, then dynamically evaluates the network security situation of the cloud environment based on the game process of both attack and defense. In attack prediction, cyber threat intelligence is used as an important basis for potential threat analysis. Cyber threat intelligence that is applicable to the current security state is screened through the system hierarchy fuzzy optimization method, and the potential threat of the target system is analyzed using the cyber threat intelligence obtained through screening. If there is no applicable cyber threat intelligence, using the Nash equilibrium to make predictions for the attack behavior. The experimental results show that the network security situation awareness method proposed in this paper can accurately reflect the changes in the network security situation and make predictions on the attack behavior. [ABSTRACT FROM AUTHOR]

Published

2018

41. Virtualization security:the good,the bad and the ugly

Author

Yu-tao LIU,Hai-bo CHEN

Subjects

virtualization security, trusted execution environment, virtual machine introspection, intra-domain isolation, trusted computing base, cross-world call, Electronic computers. Computer science, QA75.5-76.95

Abstract

The virtualization security has increasingly drawn widespread attention with the spread of cloud computing in recent years.Thanks to another level of indirection,virtualization can provide stronger isolation mechanisms,as well as bottom-up security services for upper-level software.On the other side,the extra indirection brings complexity and overhead as well,which poses huge challenges.A series of recent representative work done by the institute of parallel and distributed system shanghai jiaotong university,including providing security services of trusted execution environment,virtual machine monitoring,intra-domain isolation,as well as optimizing trusted computing base and cross-world calls in the virtualization environment.Finally the problems and directions in the space of virtualization security were summarized.

Published

2016

42. X-TIER: Kernel Module Injection

Author

Vogl, Sebastian, Kilic, Fatih, Schneider, Christian, Eckert, Claudia, Hutchison, David, editor, Kanade, Takeo, editor, Kittler, Josef, editor, Kleinberg, Jon M., editor, Mattern, Friedemann, editor, Mitchell, John C., editor, Naor, Moni, editor, Nierstrasz, Oscar, editor, Pandu Rangan, C., editor, Steffen, Bernhard, editor, Sudan, Madhu, editor, Terzopoulos, Demetri, editor, Tygar, Doug, editor, Vardi, Moshe Y., editor, Weikum, Gerhard, editor, Lopez, Javier, editor, Huang, Xinyi, editor, and Sandhu, Ravi, editor

Published

2013

43. Investigating the Implications of Virtualization for Digital Forensics

Author

Song, Zheng, Jin, Bo, Zhu, Yinghong, Sun, Yongqing, Akan, Ozgur, Series editor, Bellavista, Paolo, Series editor, Cao, Jiannong, Series editor, Dressler, Falko, Series editor, Ferrari, Domenico, Series editor, Gerla, Mario, Series editor, Kobayashi, Hisashi, Series editor, Palazzo, Sergio, Series editor, Sahni, Sartaj, Series editor, Shen, Xuemin (Sherman), Series editor, Stan, Mircea, Series editor, Xiaohua, Jia, Series editor, Zomaya, Albert, Series editor, Coulson, Geoffrey, Series editor, Lai, Xuejia, editor, Gu, Dawu, editor, Jin, Bo, editor, Wang, Yongquan, editor, and Li, Hui, editor

Published

2011

44. 基于改进期望值决策法的虚拟机可信审计方法.

Author

田俊峰 and 张永超

Abstract

Copyright of Journal on Communication / Tongxin Xuebao is the property of Journal on Communications Editorial Office and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)

Published

2018

45. Research on Semantic Gap Problem of Virtual Machine.

Author

Zhao, Bo, Xu, Xiaoyan, Wang, Xiaorui, and Zhao, Rongcai

Subjects

VIRTUAL machine systems, INTRUSION detection systems (Computer security), COMPUTER security software, DATA structures, DATA security

Abstract

Semantic gap is a major challenge for virtualization security applications. Many researches have been carried out represented by virtual machine introspection around bridging the semantic gap. This paper analyzes the causes of semantic gap problem, discusses the differences of current semantic gap bridging method in the aspects of extracting and view generation in Guest status based on three typical model of virtual machine introspection, including Out-of band, In-band and Derivative, and evaluates these three models.It also counts on 34 kinds of mainstream methods features of virtual machine introspection on the basis of factors of data source, threat model and VMM security assumption. According to the analysis of defects in data reliability and status recognition of the current methods, this paper also put forward a view generation model which can be used to transfer secret information between Guest and VMM. [ABSTRACT FROM AUTHOR]

Published

2017

46. Leveraging virtual machine introspection with memory forensics to detect and characterize unknown malware using machine learning techniques at hypervisor.

Author

Ajay Kumara, M.A. and Jaidhar, C.D.

Subjects

VIRTUAL machine systems, SEMANTIC computing, ANTIQUITIES, DIGITAL technology, MACHINE learning

Abstract

The Virtual Machine Introspection (VMI) has emerged as a fine-grained, out-of-VM security solution that detects malware by introspecting and reconstructing the volatile memory state of the live guest Operating System (OS). Specifically, it functions by the Virtual Machine Monitor (VMM), or hypervisor. The reconstructed semantic details obtained by the VMI are available in a combination of benign and malicious states at the hypervisor. In order to distinguish between these two states, the existing out-of-VM security solutions require extensive manual analysis. In this paper, we propose an advanced VMM-based, guest-assisted Automated Internal-and-External (A-IntExt) introspection system by leveraging VMI, Memory Forensics Analysis (MFA), and machine learning techniques at the hypervisor. Further, we use the VMI-based technique to introspect digital artifacts of the live guest OS to obtain a semantic view of the processes details. We implemented an Intelligent Cross View Analyzer (ICVA) and implanted it into our proposed A-IntExt system, which examines the data supplied by the VMI to detect hidden, dead, and dubious processes, while also predicting early symptoms of malware execution on the introspected guest OS in a timely manner. Machine learning techniques are used to analyze the executables that are mined and extracted using MFA-based techniques and ascertain the malicious executables. The practicality of the A-IntExt system is evaluated by executing large real-world malware and benign executables onto the live guest OSs. The evaluation results achieved 99.55% accuracy and 0.004 False Positive Rate (FPR) on the 10-fold cross-validation to detect unknown malware on the generated dataset. Additionally, the proposed system was validated against other benchmarked malware datasets and the A-IntExt system outperforms the detection of real-world malware at the VMM with performance exceeding 6.3%. [ABSTRACT FROM AUTHOR]

Published

2017

47. Tamper-Resistant, Application-Aware Blocking of Malicious Network Connections

Author

Srivastava, Abhinav, Giffin, Jonathon, Hutchison, David, editor, Kanade, Takeo, editor, Kittler, Josef, editor, Kleinberg, Jon M., editor, Mattern, Friedemann, editor, Mitchell, John C., editor, Naor, Moni, editor, Nierstrasz, Oscar, editor, Pandu Rangan, C., editor, Steffen, Bernhard, editor, Sudan, Madhu, editor, Terzopoulos, Demetri, editor, Tygar, Doug, editor, Vardi, Moshe Y., editor, Weikum, Gerhard, editor, Lippmann, Richard, editor, Kirda, Engin, editor, and Trachtenberg, Ari, editor

Published

2008

48. NODEGUARD : A Virtualized Introspection Security Approach for the Modern Cloud Data Center

Author

Shamseddine, Maha, Al-Dulaimy, Auday, Itani, Wassim, Nolte, Thomas, Papadopoulos, Alessandro, Shamseddine, Maha, Al-Dulaimy, Auday, Itani, Wassim, Nolte, Thomas, and Papadopoulos, Alessandro

Abstract

This paper presents NODEGUARD, a security approach for detecting and isolating misbehaving Virtual Machines (VMs) in multi-tenant virtualized cloud data centers, based on the Virtual Machine Introspection (VMI) monitoring primitives. NODEGUARD employs a divide-and-conquer strategy that checks logical groups of VMs to ensure the efficiency of the detection mechanisms which opportunistically approaches a complexity of O (log(2)(n)) when there is a relatively low number of hostile VMs. This greatly enhances the algorithmic time complexity of the proposed security system compared to the O(n) complexity achieved by the traditional VMI inspection strategy that checks each VM separately. The approach has been evaluated in a virtualized cloud environment using the Mininet network emulator.

Published

2022

49. Tenant-Oriented Monitoring for Customized Security Services in the Cloud

Author

Huaizhe Zhou, Haihe Ba, Yongjun Wang, Zhiying Wang, Jun Ma, Yunshi Li, and Huidong Qiao

Subjects

virtualization, cloud security, virtual machine introspection, cloud monitoring, privacy, Mathematics, QA1-939

Abstract

The dramatic proliferation of cloud computing makes it an attractive target for malicious attacks. Increasing solutions resort to virtual machine introspection (VMI) to deal with security issues in the cloud environment. However, the existing works are not feasible to support tenants to customize individual security services based on their security requirements flexibly. Additionally, adoption of VMI-based security solutions makes tenants at the risk of exposing sensitive information to attackers. To alleviate the security and privacy anxieties of tenants, we present SECLOUD, a framework for monitoring VMs in the cloud for security analysis in this paper. By extending VMI techniques, SECLOUD provides remote tenants or their authorized security service providers with flexible interfaces for monitoring runtime information of guest virtual machines (VMs) in a non-intrusive manner. The proposed framework enhances effectiveness of monitoring by taking advantages of architectural symmetry of cloud environment. Moreover, we harden our framework with a privacy-preserving capacity for tenants. The flexibility and effectiveness of SECLOUD is demonstrated through a prototype implementation based on Xen hypervisor, which results in acceptable performance overhead.

Published

2019

50. Virtual Machine Introspection

Author

Payne, Bryan D., van Tilborg, Henk C. A., editor, and Jajodia, Sushil, editor

Published

2011