Abstract
As more and more applications migrate to the cloud, the variety and volume of malware attacks against virtualized environments keep growing, which is a key factor restricting the widespread deployment and use of cloud platforms. Traditional in-VM security software is not effective against such attacks, because the security software itself becomes a target and can easily be tampered with or even subverted. In this paper, we propose a new malware detection method that improves virtual machine security and thereby protects the entire cloud platform. The method combines virtual machine introspection (VMI) with memory forensics analysis (MFA) to extract multiple types of dynamic features from three levels: the virtual machine's memory, the hypervisor layer and the hardware layer. Furthermore, we propose an adaptive feature selection method: by combining three different search strategies, the three types of features are compared and analyzed from three aspects, namely effectiveness, system load and security. By adjusting the weight of each feature, the method meets the detection requirements of different malware in the cloud environment as expected. Finally, the detection method improves the accuracy and generalization ability of the overall classifier using the AdaBoost ensemble learning method with a voting combination strategy. Experiments on a large number of real malicious samples achieved an accuracy of 0.999 (AUC), with a maximum performance overhead of 5.6%.
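The abstract describes ranking features from the memory, hypervisor and hardware layers by effectiveness, system load and security, with adjustable weights. The following is an added example, not the paper's own code: the feature names and their per-aspect scores are constructed for illustration, and the weighted-sum ranking is one simple way to realise the adaptive selection the abstract outlines.

```python
"""Added example (not the paper's code): multi-criteria feature selection
over VMI/MFA-derived features. Each candidate feature carries three
constructed scores in [0, 1]: effectiveness (how well it separates malware
from benign behaviour), load (collection overhead, higher is worse) and
security (how hard it is for in-VM malware to tamper with the source).
A weight vector over the three aspects is tuned to the deployment's
priorities, and the top-k features by weighted score are kept."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Feature:
    name: str
    layer: str            # "memory", "hypervisor" or "hardware"
    effectiveness: float  # constructed, higher is better
    load: float           # constructed, higher means more overhead
    security: float       # constructed, higher means harder to tamper with


# Constructed candidate features; the values are illustrative, not measured.
CANDIDATES = [
    Feature("process_list_hidden_delta", "memory", 0.90, 0.60, 0.80),
    Feature("ssdt_hook_count", "memory", 0.85, 0.50, 0.80),
    Feature("vm_exit_rate", "hypervisor", 0.60, 0.10, 0.95),
    Feature("ept_violations", "hypervisor", 0.65, 0.15, 0.95),
    Feature("branch_mispredict_ratio", "hardware", 0.55, 0.05, 0.99),
    Feature("llc_miss_rate", "hardware", 0.50, 0.05, 0.99),
    Feature("full_heap_walk", "memory", 0.95, 0.95, 0.70),
]


def score(f, weights):
    """Normalised weighted sum; load enters as (1 - load) so that a cheap
    feature scores higher on the system-load aspect."""
    we, wl, ws = weights
    total = we + wl + ws
    if total <= 0:
        raise ValueError("weights must sum to a positive value")
    return (we * f.effectiveness + wl * (1.0 - f.load) + ws * f.security) / total


def select(features, weights, k):
    """Return the names of the k best features under the given aspect weights."""
    ranked = sorted(features, key=lambda f: score(f, weights), reverse=True)
    return [f.name for f in ranked[:k]]


if __name__ == "__main__":
    # Accuracy-first deployment: effectiveness dominates the ranking.
    print(select(CANDIDATES, (0.8, 0.1, 0.1), 3))
    # Overhead-sensitive deployment: system load dominates, so the cheap
    # hypervisor- and hardware-layer counters win.
    print(select(CANDIDATES, (0.2, 0.7, 0.1), 3))
```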
Acknowledgments
This work is supported by the National Key R&D Program of China (2016YFB 0800805), the Major Projects of Science and Technology Service Industry in Tianjin (16ZXFWGX00140), the Open Project Foundation of Information Security Evaluation Center of Civil Aviation, Civil Aviation University of China (NO. CAAC-ISECCA-201501), and the Natural Science Foundation of Tianjin (NO. 18JCQNJC69900). Finally, we would like to thank all of the working group members who contributed to the work.
Zhang, J., Gao, C., Gong, L. et al. Malware Detection Based on Multi-level and Dynamic Multi-feature Using Ensemble Learning at Hypervisor. Mobile Netw Appl 26, 1668–1685 (2021). https://doi.org/10.1007/s11036-019-01503-4
DOI: https://doi.org/10.1007/s11036-019-01503-4