Detection of Virtual Machines Based on Thread Scheduling

  • Conference paper
Artificial Intelligence and Security (ICAIS 2021)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 12737)

Abstract

With the rapid development of cloud computing, virtual machines are attracting more and more attention. Virtual machines used with malicious intent pose enormous threats to the security of computer systems. Virtual machine detection is crucial for honeypot systems and for software that provides free trials. Various strategies based on local register values affected by virtualization have been proposed. However, these strategies have a limited scope of application, since they can only run natively. What's more, the values they depend on can be modified with ease. In this paper, we propose a new remote virtual machine detection strategy, based on the time difference in thread scheduling, that applies to different types of virtual machines and different operating systems. Our main contribution is a probability-based thread scheduling analysis model that describes the time difference between physical machines and virtual machines. This paper shows that the probability distribution of the execution time of a piece of CPU-bound code in virtual machines has higher variance along with lower kurtosis and skewness, which make up our index system for detection. Results of numerical simulation and real tests show good agreement and provide a clear criterion for detection. In the real test, all the virtual machines and 97.2% of the physical machines were identified correctly.

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Lin, Z., Song, Y., Wang, J. (2021). Detection of Virtual Machines Based on Thread Scheduling. In: Sun, X., Zhang, X., Xia, Z., Bertino, E. (eds) Artificial Intelligence and Security. ICAIS 2021. Lecture Notes in Computer Science, vol 12737. Springer, Cham. https://doi.org/10.1007/978-3-030-78612-0_15

  • DOI: https://doi.org/10.1007/978-3-030-78612-0_15

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-78611-3

  • Online ISBN: 978-3-030-78612-0

  • eBook Packages: Computer Science (R0)
