Zhi Lin,Yubo Song,Junbo Wang

DOI: https://doi.org/10.1007/978-3-030-78612-0_15

2021-01-01

Abstract:With the rapid development of cloud computing, virtual machines are now attracting more and more attention. Virtual machines used at malicious motivation cause enormous threats to the security of computer systems. Virtual machine detection is crucial for honeypot systems and software that provide free trials. Various strategies based on local register values affected by virtualization have been proposed. However, these strategies have a limited scope of application since they can only run natively. What’s more, the values they depend on can be modified with ease. In this paper, we propose a new remote virtual machine detection strategy applying to different types of virtual machines and different operating systems based on time difference in thread scheduling. Our main contribution is to set up a probability-based thread scheduling analysis model to describe the time difference between physical machines and virtual machines. This paper shows that the probability distribution of execution time of a piece of CPU-bound code in virtual machines has higher variance along with lower kurtosis and skewness, which make up our index system for detection. Results of Numeric simulation and real test show good agreement and provide a clear criterion for detection. In the real test all the virtual machines and 97.2% of the physical machines were identified correctly.

li ruan,yikai sun,limin xiao,mingfa zhu

DOI: https://doi.org/10.1007/978-3-642-41591-3_13

2013-01-01

Abstract:Recently, virtualization technology has revived and become the key support of the clouds. KVM (Kernel virtual machine) based on Linux kernel-level achieves its popularity however with security risks. Therefore, the virtual environment and vulnerability detecting of KVM is of theoretical significance and great application value. However, there are few reports on virtual environment and vulnerability detection for KVM. This paper introduces a virtual environment and vulnerability method which includes the CPU cycle based detection algorithms, the internet time detection algorithms and multithread counter detection algorithms, etc.. In the vulnerability detection of KVM, denial of service attack is simulated and its detection method is proposed. Function and performance tests are also introduced.

Feng Zhao,Hai Jin

2012-01-01

Abstract:Because virtual computing platforms are dynamically changing, it is difficult to build high-quality intrusion detection system. In this paper, we present an automated approach to intrusions detection in order to maintain sufficient performance and reduce dependence on execution environment. We discuss a hidden Markov model strategy for abnormality detection using frequent system call sequences, letting us identify attacks and intrusions automatically and efficiently. We also propose an automated mining algorithm, named AGAS, to generate frequent system call sequences. In our approach, the detection performance is adaptively tuned according to the execution state every period. To improve performance, the period value is also under self-adjustment.

Feng Li,Sun Jie,Zhou Xiaoming,Yang Liwei,Pen Qinke

DOI: https://doi.org/10.3321/j.issn:0253-987x.2006.04.009

2006-01-01

Abstract:In order to detect more and more serious attacks against the Windows operating system (OS), a multi-step consistency model and exponential iteration detection algorithm (EIDA) based on Native API sequences were proposed to realize the detection of the anomaly intrusions from kernel space in Windows operating system. The system service dispatch table is captured by designing a virtual device so as to get the Native API information in real time. One step and two steps consistency models are built by the captured normal Native API data to describe the normal behavior of processes. In the detection process, the normal index of emerging Native API is measured continuously by EIDA. The normal indexes are analyzed through an alarm extraction algorithm, which uniquely determines the corresponding attack and provide administrator with guarantee to grasp the security situation of OS in time. The experiments under different Windows OS environment indicate that the proposed method has better accuracy.

Deyuan Qin,Shuyu Chen,Hancui Zhang,Tianshu Wu

DOI: https://doi.org/10.1109/icsess.2016.7883102

2016-01-01

Abstract:Virtual machine is an important part of cloud platform. Ensuring virtual machine running correctly is of great significance to ensure the availability of cloud service. Due to cloud platform has characteristics of the large number of virtual machines and dynamic change of running environment, it's hard to accept the cost of collecting training data for anomaly detector and training the anomaly detector. This paper focuses on insufficient training data set for anomaly detector training of virtual machine of cloud platform and high cost of detector training, and does research on how to improve anomaly detection accuracy and efficiency under the condition that there is not enough training data for anomaly detector. Concretely speaking, main research contents and highlights of this paper are described as follows: It puts forward a virtual machine detection domain partitioning strategy based on K-medoids according to the virtual machine running environment, thereby, improving the accuracy and efficiency of anomaly detection. Meanwhile, this paper optimizes the steps of clustering iteration updating, to enhance the speed of detecting area partitioning. The experiment result shows that, the improved clustering algorithm has lower time complexity, and the virtual machine anomaly detection strategy based on detection domain partitioning possesses higher accuracy and efficiency.

Cheng ZHAO,Xingshu CHEN,Xin JIN

DOI: https://doi.org/10.11772/j.issn.1001-9081.2017.02.0388

2017-01-01

Abstract:In order to protect the integrity of the Virtual Machine (VM) sensitive files and make up for the shortcomings such as high performance overhead,low compatibility and poor flexibility in out-of-box monitoring based on the instruction monitoring methods,OFM (Out-of-box File Monitoring) based on hardware virtualization was proposed.In OFM,Kernelbased Virtual Machine (KVM) was used as the virtual machine monitor to dynamically configure sensitive file access control strategy in real-time;in addition,OFM could modify the call table entries related to file operations of virtual machine system to determine the legitimacy of the VM process operation files,and deal with the illegal processes.Unixbench was deployed in a virtual machine to test the performance of OFM.The experimental results demonstrate that OFM outperforms to instruction monitoring methods in file monitoring and has no affect on other types of system calls for virtual machines.Meanwhile,OFM can effectively monitor the integrity of the virtual machine files and provide better compatibility,flexibility and lower performance losses.

ZHONG Ming-quan,LI Huan-zhou,TANG Zhang-guo,ZHANG Jian

DOI: https://doi.org/10.3724/sp.j.1087.2010.03357

2010-01-01

Journal of Computer Applications

Abstract:Concerning the feature that the technology of characteristic code is unable to detect new and unknown baleful program,an auto-detection system of suspicious file based on technology of virtual machine and behavior analysis was proposed.Work diagram of detection system was introduced with emphasis,module framework of management center and detection center of the system was given,and the technical principle of management center and detection center was analyzed in detail.The experimental results show that the system can judge rapidly the dangerous level of one detected file and the system has long life cycle.

Zhengmin Li,Chunge Zhu,Xinran Liu,Xiufeng Sui

DOI: https://doi.org/10.1109/icnsc.2017.8000085

2017-01-01

Abstract:The combination of fast online anomaly detection and offline learning is a vital element of operations in large-scale datacenters and utility clouds. Given ever-increasing datacenter sizes coupled with the complexities of systems software, applications, and workload patterns, such anomaly detection must operate continuous and real-time at runtime. Further, detection should function for both hardware and software levels of abstraction, and for the multiple metrics used in cloud computing systems. In this paper, we present a novel, flexible framework to do anomaly detection for data center. The goal of our framework design is to combine online anomaly detection and offline learning automatically and iteratively. And the framework aims to have the capability to integrate different offline learning methodologies. We demonstrate this framework with two representative applications in datacenters, and explore three common scenarios during the applications runtime. Experiment results show that the proposed approach provides good accuracy and low overhead.

guofeng wang,chuanyi liu,jie lin

DOI: https://doi.org/10.1007/978-3-662-43908-1_4

2014-01-01

Abstract:Modern malware attacks are designed intricately, transport data encrypted, so monitoring network traffic can't solve such attacks completely. Therefore, network monitoring and analysis need to be combined with system behavior monitoring and memory analysis, and the latter is more important. In this article we propose a hardware-based virtualization prototype system, combined with memory analysis tools to monitor and counterwork malicious attacks actively. The system is based on Xen virtualization platform, which monitoring virtual machine behavior by capturing specific events. The events are triggered by some specific behaviors associated with malicious software monitoring, such as executing privileged instruction, system calls, memory writing, etc. When necessary, we can dump the memory of the virtual machine, use memory analysis tools for detailed analysis, so as to achieve the purpose of monitoring and counterworking.

Xianxian Li,Changhui Jiang,Jianxin Li,Bo Li

DOI: https://doi.org/10.1109/NCIS.2011.21

2011-01-01

Abstract:Malicious software is one of the primary threats to information system on Internet, while the traditional host-based and network-based monitoring systems are vulnerable to prevent the malicious behavior of software because most current malicious software is capable of resisting security monitoring. Virtualization technology gives an impactful approach to monitoring the behavior of malicious software since it can provide an abstraction layer between the operating system and the hardware. In this paper, we propose a hardware-virtualization-based security monitor system named VMInsight, which can provide load-time and run-time monitoring for processes. VMInsight intercepts system calls and process behaviors by monitoring changes in the virtual machine CPU register, and it is implemented in the hyper visor, thus is completely transparent to the software and operating system running in the virtual machine. The experimental results show that the performance overhead of VMInsight is less than 10%, and it can be easily applied to the third-party security monitoring system.

Hai Jin,Guofu Xiang,Deqing Zou,Feng Zhao,Min Li,Chen Yu

DOI: https://doi.org/10.1016/j.camwa.2010.01.007

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:The file system becomes the usual target of malicious attacks because it contains lots of sensitive data, such as executable programs, configuration and authorization information. File integrity monitoring is an effective approach to discover aggressive behavior by detecting modification actions on these sensitive files. Traditional real-time integrity monitoring tools, which insert hooks into the OS kernel, are easily controlled and disabled by malicious software. Such existing methods, which insert kernel module into OS, are hard to be compatible because of the diversity of OS. In this paper, we present a non-intrusive real-time file integrity monitoring method in virtual machine-based computing environment, which is transparent to the monitored system. The monitor is isolated from the monitored system, since it observes the state of the monitored system from the outside. This method brings two benefits: detecting file operations in real time and being invisible to malicious attackers in the monitored system. Furthermore, a kind of file classification algorithm based on file security level is proposed to improve efficiency in this paper. The proposed file integrity monitoring method is implemented in the full-virtualization mode supported by the Xen platform. The experimental results show that the method is effective with acceptable overhead.

Xiaoming Ye,Xingshu Chen,Haizhou Wang,Xuemei Zeng,Guolin Shao,Xueyuan Yin,Chun Xu

DOI: https://doi.org/10.1109/TST.2016.7488743

2016-01-01

Abstract:This paper proposes an anomalous behavior detection model based on cloud computing. Virtual Machines (VMs) are one of the key components of cloud Infrastructure as a Service (IaaS). The security of such VMs is critical to IaaS security. Many studies have been done on cloud computing security issues, but research into VM security issues, especially regarding VM network traffic anomalous behavior detection, remains inadequate. More and more studies show that communication among internal nodes exhibits complex patterns. Communication among VMs in cloud computing is invisible. Researchers find such issues challenging, and few solutions have been proposed-leaving cloud computing vulnerable to network attacks. This paper proposes a model that uses Software-Defined Networks (SDN) to implement traffic redirection. Our model can capture inter-VM traffic, detect known and unknown anomalous network behaviors, adopt hybrid techniques to analyze VM network behaviors, and control network systems. The experimental results indicate that the effectiveness of our approach is greater than 90%, and prove the feasibility of the model.

Youhui Zhang,Yu Gu,Hongyi Wang,Dongsheng Wang

DOI: https://doi.org/10.1109/sbac-pad.2006.32

2006-01-01

Abstract:In this paper we present a storage-based intrusion detection system (IDS) that makes use of advantages of virtual machine (VM) and smart disk technologies. The virtual machine monitor (VMM) can prevent the IDS itself from potential attacks while the smart disk technology provides IDS with a whole view of the file system of the monitored VM. We show how to use a tool and some file system knowledge to enable the virtual disk to maintain a sector-to-file mapping table (called file-aware block level storage) as well as how to detect the changes to file content on-line. Based on these features, normal file-level intrusion detection (ID) rules can be converted to sector-level ones in order to integrate ID functions to the virtual storage. We implement such a prototype based on QEMU VMM and the OS of VM is Windows XP. Moreover the time overhead introduced by this solution is tested

Huaizhe Zhou,Haihe Ba,Yongjun Wang,Tie Hong

DOI: https://doi.org/10.1587/transinf.2019EDL8148

2020-01-01

IEICE Transactions on Information and Systems

Abstract:The arms race between offense and defense in the cloud impels the innovation of techniques for monitoring attacks and unauthorized activities. The promising technique of virtual machine introspection (VMI) becomes prevalent for its tamper-resistant capability. However, some elaborate exploitations are capable of invalidating VMI-based tools by breaking the assumption of a trusted guest kernel. To achieve a more reliable and robust introspection, we introduce a practical approach to monitor and detect attacks that attempt to subvert VMI in this paper. Our approach combines supervised machine learning and hardware architectural events to identify those malicious behaviors which are targeted at VMI techniques. To demonstrate the feasibility, we implement a prototype named HyperMon on the Xen hypervisor. The results of our evaluation show the effectiveness of HyperMon in detecting malicious behaviors with an average accuracy of 90.51% (AUC).

Hancui Zhang,Shuyu Chen,Jun Liu,Zhen Zhou,Tianshu Wu

DOI: https://doi.org/10.1371/journal.pone.0187488

IF: 3.7

2017-01-01

PLoS ONE

Abstract:Self-Organizing Map (SOM) algorithm as an unsupervised learning method has been applied in anomaly detection due to its capabilities of self-organizing and automatic anomaly prediction. However, because of the algorithm is initialized in random, it takes a long time to train a detection model. Besides, the Cloud platforms with large scale virtual machines are prone to performance anomalies due to their high dynamic and resource sharing characters, which makes the algorithm present a low accuracy and a low scalability. To address these problems, an Improved Incremental Self-Organizing Map (IISOM) model is proposed for anomaly detection of virtual machines. In this model, a heuristic-based initialization algorithm and a Weighted Euclidean Distance (WED) algorithm are introduced into SOM to speed up the training process and improve model quality. Meanwhile, a neighborhood based searching algorithm is presented to accelerate the detection time by taking into account the large scale and high dynamic features of virtual machines on cloud platform. To demonstrate the effectiveness, experiments on a common benchmark KDD Cup dataset and a real dataset have been performed. Results suggest that IISOM has advantages in accuracy and convergence velocity of anomaly detection for virtual machines on cloud platform.

Xiaolin Wang,Binbin Zhang,Haogang Chen,Xinxin Jin,Yingwei Luo,Xiaoming Li,Zhenlin Wang

DOI: https://doi.org/10.1109/CIT.2010.392

2010-01-01

Abstract:Intel and AMD have provided hardware support, VT and SVM, to support classical full virtualization. The hardware extensions help to implement a VMM without changing the guest OS or resorting to software binary translation. Ironically, a VMM using VT or SVM has not yet met performance expectation. One major reason is that there still exist too many VM exits that incur significant overhead. This paper proposed a novel method, Competition in Bucket Method (CBM), to track all VM exits efficiently. The analysis and experiments show that, CBM can find out hot VM exits efficiently.

Xingshu Chen,Dandan Zhao,Hui Li,Lei Zhang

DOI: https://doi.org/10.13245/j.hust.160307

2016-01-01

Abstract:To trace the behavior of LKM (loadable kernel modules)rootkits,a hardware assisted vir-tualization based framework for kernel modules running in isolation was proposed to isolate drivers in an address space separate from the kernel by two sets of hardware assisted page tables and to protect integrity of the kernel stack basing on the chain composed of base pointers of stack frames.Eventually a prototype system on the full-virtualization platform of KVM was implemented which was called Hy-per-ISO (Hyper-ISOlation).The experimental result shows that the Hyper-ISO is able to monitor the control transfer processes between the untrusted module and the kernel timely,monitor the untrusted module accessing kernel code or data,and protect the kernel stack from the untrusted module.

JIN Wei,LI Ming-lu,WENG Chu-liang

DOI: https://doi.org/10.3969/j.issn.1000-3428.2011.15.036

2011-01-01

Abstract:This paper aims to explore the security of the Virtual Machine Monitor(VMM),combined with open source virtualization software Xen to analyze the potential threats and vulnerabilities,such as tampering with hypercalls,malicious direct memory access.It designs and implements a way to undermine the stability of virtual machine by modifying VCPU state and meanwhile give countermeasures,such as verifying critical data structures to discover whether it is invaded,or forbidding the loading of module to eliminate all possible security risks posed by the module.

郑重,王志英,陈顼颢,黄訸

DOI: https://doi.org/10.3969/j.issn.1671-0428.2010.05.002

2010-01-01

Abstract:A algorithm to detect and analyze computer virus based on its behavior sequence under the support of virtual execution technology is presented in this paper.It can overcome the shortage of normal virus scanner,which could not detect unknown virus.Tests in a simulating virtual execution environment indicated that this algorithm is feasible and accurate.

Hao Shi,Jelena Mirkovic,Abdulla Alwabel

DOI: https://doi.org/10.1145/3139292

IF: 2.717

2017-01-01

ACM Transactions on Privacy and Security

Abstract:Malware analysis relies heavily on the use of virtual machines (VMs) for functionality and safety. There are subtle differences in operation between virtual and physical machines. Contemporary malware checks for these differences and changes its behavior when it detects a VM presence. These anti-VM techniques hinder malware analysis. Existing research approaches to uncover differences between VMs and physical machines use randomized testing, and thus cannot guarantee completeness. In this article, we propose a detect-and-hide approach, which systematically addresses anti-VM techniques in malware. First, we propose cardinal pill testing —a modification of red pill testing that aims to enumerate the differences between a given VM and a physical machine through carefully designed tests. Cardinal pill testing finds five times more pills by running 15 times fewer tests than red pill testing. We examine the causes of pills and find that, while the majority of them stem from the failure of VMs to follow CPU specifications, a small number stem from under-specification of certain instructions by the Intel manual. This leads to divergent implementations in different CPU and VM architectures. Cardinal pill testing successfully enumerates the differences that stem from the first cause. Finally, we propose VM Cloak —a WinDbg plug-in which hides the presence of VMs from malware. VM Cloak monitors each execute malware command, detects potential pills, and at runtime modifies the command’s outcomes to match those that a physical machine would generate. We implemented VM Cloak and verified that it successfully hides VM presence from malware.