Malware Detection Based on Multi-level and Dynamic Multi-feature Using Ensemble Learning at Hypervisor

Published in: Mobile Networks and Applications

Abstract

As more and more applications migrate to the cloud, malware attacks against virtualized environments are growing in both variety and volume, which is a key factor restricting the widespread deployment of cloud platforms. Traditional in-VM security software is not effective against such attacks, because the security software itself becomes a target and can easily be tampered with or even subverted. In this paper, we propose a new malware detection method to improve virtual machine security and protect the cloud platform as a whole. The method uses virtual machine introspection (VMI) combined with memory forensics analysis (MFA) to extract multiple types of dynamic features from virtual machine memory, the hypervisor layer and the hardware layer. Furthermore, we propose an adaptive feature selection method: by combining three different search strategies, the three feature types are compared and analyzed from three aspects, effectiveness, system load and security, and by adjusting the weight of each feature the method can be tuned to the detection requirements of different malware in the cloud environment. Finally, the detection method improves the accuracy and generalization ability of the overall classifier by using AdaBoost ensemble learning with a voting combination strategy. Experiments on a large number of real malicious samples achieved an accuracy of 0.999 (AUC), with a maximum performance overhead of 5.6%.
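The abstract describes two mechanisms: an adaptive feature selection step that scores candidate feature sets on effectiveness, system load and security, and an AdaBoost ensemble whose base learners vote with learned weights. The following Python block is an added illustration written for this page; it is not the authors' code and does not reproduce their features, dataset or search strategies. The feature table (three layers: guest memory, hypervisor, hardware counters), the per-feature collection cost and tamper-resistance scores, and the eight labelled samples are all constructed here. An exhaustive subset search stands in for the paper's three search strategies, and training accuracy is used as the effectiveness term for brevity, where a real deployment would use held-out data.

```python
"""Added example (not from the paper): weighted feature selection over
multi-level features, then AdaBoost with weighted voting of decision stumps."""
import itertools
import math
from typing import Dict, List, Sequence, Tuple

# Constructed feature table: (layer, name, collection cost, tamper resistance).
# Cost models the load of extracting the feature via VMI/MFA; tamper resistance
# models how hard in-guest malware can fake it (hardware counters are hardest).
FEATURES = [
    ("memory",     "hidden_process_count",    3.0, 0.6),
    ("memory",     "ssdt_hook_count",         3.0, 0.6),
    ("hypervisor", "vmexit_rate",             1.0, 0.8),
    ("hypervisor", "ept_violation_rate",      1.0, 0.8),
    ("hardware",   "branch_mispredict_ratio", 0.5, 0.9),
    ("hardware",   "cache_miss_ratio",        0.5, 0.9),
]

# Constructed samples (label +1 = malicious, -1 = benign). No single feature
# separates the classes perfectly, so boosting has to combine several stumps.
SAMPLES = [
    ([0, 0, 1200, 5,  0.02, 0.05], -1),
    ([0, 0, 1500, 8,  0.03, 0.06], -1),
    ([0, 0,  900, 3,  0.02, 0.04], -1),
    ([0, 1, 1300, 6,  0.08, 0.05], -1),   # benign but branch-heavy workload
    ([2, 3, 4100, 40, 0.09, 0.20],  1),
    ([1, 2, 3800, 35, 0.08, 0.18],  1),
    ([0, 4, 4500, 50, 0.11, 0.25],  1),   # hides no process, hooks SSDT
    ([3, 0, 1000, 7,  0.07, 0.045], 1),   # quiet at hypervisor/hardware level
]
TRAIN_X: List[Sequence[float]] = [s for s, _ in SAMPLES]
TRAIN_Y: List[int] = [l for _, l in SAMPLES]

Stump = Tuple[int, float, int]  # (feature index, threshold, polarity)


def stump_predict(stump: Stump, x: Sequence[float]) -> int:
    f, thr, pol = stump
    return pol if x[f] > thr else -pol


def best_stump(X, y, w, allowed) -> Tuple[Stump, float]:
    """Weighted-error-minimizing stump over the allowed feature indices."""
    best, best_err = None, float("inf")
    for f in allowed:
        vals = sorted(set(x[f] for x in X))
        for thr in [(a + b) / 2 for a, b in zip(vals, vals[1:])]:
            for pol in (1, -1):
                err = sum(w[i] for i, x in enumerate(X)
                          if stump_predict((f, thr, pol), x) != y[i])
                if err < best_err:
                    best, best_err = (f, thr, pol), err
    return best, best_err


def train_adaboost(X, y, allowed, rounds: int = 5) -> List[Tuple[float, Stump]]:
    """Discrete AdaBoost: each round adds a stump with vote weight alpha."""
    n = len(X)
    w = [1.0 / n] * n
    model = []
    for _ in range(rounds):
        stump, err = best_stump(X, y, w, allowed)
        if stump is None or err >= 0.5:   # no better than chance: stop
            break
        err = max(err, 1e-10)
        alpha = 0.5 * math.log((1 - err) / err)
        model.append((alpha, stump))
        # Up-weight misclassified samples so the next stump focuses on them.
        w = [wi * math.exp(-alpha * yi * stump_predict(stump, x))
             for wi, yi, x in zip(w, y, X)]
        z = sum(w)
        w = [wi / z for wi in w]
        if err <= 1e-10:                  # perfect stump: nothing left to learn
            break
    return model


def predict(model, x) -> int:
    """Weighted vote of the stumps; sign of the summed alpha-weighted votes."""
    return 1 if sum(a * stump_predict(s, x) for a, s in model) > 0 else -1


def accuracy(model, X, y) -> float:
    return sum(predict(model, x) == yi for x, yi in zip(X, y)) / len(y)


def select_features(X, y, weights: Dict[str, float], max_cost: float,
                    rounds: int = 5) -> Tuple[int, ...]:
    """Exhaustive search (stand-in for GA/PSO/ACO) for the feature subset that
    maximizes w_eff*effectiveness - w_load*normalized_cost + w_sec*tamper."""
    total_cost = sum(f[2] for f in FEATURES)
    best = None
    for k in range(1, len(FEATURES) + 1):
        for subset in itertools.combinations(range(len(FEATURES)), k):
            cost = sum(FEATURES[i][2] for i in subset)
            if cost > max_cost:
                continue                  # exceeds the allowed system load
            eff = accuracy(train_adaboost(X, y, subset, rounds), X, y)
            tamper = sum(FEATURES[i][3] for i in subset) / len(subset)
            score = (weights["effectiveness"] * eff
                     - weights["load"] * cost / total_cost
                     + weights["security"] * tamper)
            if best is None or score > best[0]:
                best = (score, subset)
    return best[1]


if __name__ == "__main__":
    chosen = select_features(TRAIN_X, TRAIN_Y,
                             {"effectiveness": 1.0, "load": 0.05, "security": 0.05},
                             max_cost=7.0)
    print("selected:", [FEATURES[i][1] for i in chosen])
    model = train_adaboost(TRAIN_X, TRAIN_Y, chosen)
    print("training accuracy:", accuracy(model, TRAIN_X, TRAIN_Y))
```

Raising the `load` weight or lowering `max_cost` pushes the search away from the expensive memory-introspection features toward the cheap hardware counters; raising `security` favours features the guest cannot easily forge. That is the knob the abstract refers to when it says the feature weights are adjusted to the detection requirements of different malware.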



Acknowledgments

This work is supported by the National Key R&D Program of China (2016YFB 0800805), the Major Projects of Science and Technology Service Industry in Tianjin (16ZXFWGX00140), the Open Project Foundation of Information Security Evaluation Center of Civil Aviation, Civil Aviation University of China (NO. CAAC-ISECCA-201501), and the Natural Science Foundation of Tianjin (NO. 18JCQNJC69900). Finally, we would like to thank all of the working group members who contributed to the work.

Corresponding author

Correspondence to Jian Zhang.


Cite this article

Zhang, J., Gao, C., Gong, L. et al. Malware Detection Based on Multi-level and Dynamic Multi-feature Using Ensemble Learning at Hypervisor. Mobile Netw Appl 26, 1668–1685 (2021). https://doi.org/10.1007/s11036-019-01503-4
