
A behavioral anomaly detection strategy based on time series process portraits for desktop virtualization systems

Cluster Computing

Abstract

As the application of desktop virtualization systems (DVSs) continues to gain momentum, the security of DVSs becomes increasingly critical and has been extensively studied. Unfortunately, the majority of current research on DVSs focuses only on the virtual machines (VMs) on the servers and largely overlooks the security of the clients. In addition, traditional security techniques are not completely suitable for the particularly thin client environment of DVSs. To address these problems, we propose a novel behavioral anomaly detection method for DVS clients that creates and uses process portraits. Based on the correlations between users, virtualized desktop processes (VDPs), and VMs in DVSs, the proposed method describes the process behaviors of clients by the CPU utilization rates of VMs located on the server, constructs process portraits for VDPs by hidden Markov models and by considering the user profiles, and detects anomalies of VDPs by contrasting VDPs’ behaviors against the constructed process portraits. Our experimental results show that the proposed method is effective and successful.
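
The detection step the abstract describes, scoring a VM's CPU utilization series against an HMM-based process portrait, can be illustrated as follows. This is an added example, not the paper's code or model: the two-state HMM parameters, utilization bins, threshold margin and sample windows are all constructed assumptions, and the user-profile component is left out.

```python
import math

# Constructed "portrait": a 2-state HMM (idle, busy) over three CPU bins.
# All parameters, bins and sample windows are illustrative assumptions.
BINS = (20.0, 60.0)          # % CPU: low < 20 <= mid < 60 <= high
START = [0.8, 0.2]
TRANS = [[0.9, 0.1], [0.3, 0.7]]
EMIT = [[0.85, 0.14, 0.01],  # idle: mostly low utilization
        [0.10, 0.70, 0.20]]  # busy: mostly mid, sometimes high

def quantize(cpu_percent):
    """Map a CPU utilization sample to an observation symbol 0..2."""
    return sum(cpu_percent >= b for b in BINS)

def avg_log_likelihood(series):
    """Scaled forward algorithm: mean log P(observation) per sample."""
    if not series:
        raise ValueError("empty window")
    n, total, alpha = len(START), 0.0, None
    for x in series:
        o = quantize(x)
        if alpha is None:    # first sample: use the start distribution
            pred = START
        else:                # propagate the belief through the transitions
            pred = [sum(alpha[i] * TRANS[i][j] for i in range(n)) for j in range(n)]
        alpha = [pred[j] * EMIT[j][o] for j in range(n)]
        scale = sum(alpha)   # P(o_t | o_1 .. o_{t-1})
        total += math.log(scale)
        alpha = [a / scale for a in alpha]
    return total / len(series)

def calibrate_threshold(baseline_windows, margin=0.5):
    """Threshold = worst baseline score minus a safety margin."""
    return min(avg_log_likelihood(w) for w in baseline_windows) - margin

def is_anomalous(series, threshold):
    """A window is anomalous when the portrait explains it poorly."""
    return avg_log_likelihood(series) < threshold

# Constructed CPU utilization windows (percent, one sample per interval).
BASELINE = [[5, 8, 12, 35, 40, 45, 10, 6, 7, 9],
            [4, 6, 5, 7, 3, 8, 6, 5, 4, 6]]
TYPICAL = [6, 9, 30, 42, 38, 11, 5, 8, 7, 6]
SUSTAINED_HIGH = [95, 97, 92, 99, 96, 98, 94, 97, 99, 95]

if __name__ == "__main__":
    thr = calibrate_threshold(BASELINE)
    for name, w in (("typical", TYPICAL), ("sustained_high", SUSTAINED_HIGH)):
        print(name, round(avg_log_likelihood(w), 3), is_anomalous(w, thr))
```

Averaging the log-likelihood per sample keeps scores comparable across windows of different lengths, so one threshold calibrated on baseline windows can be reused.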



Acknowledgments

This work is supported in part by the following grants: National Science Foundation of China (Grant No. 61272400), Chongqing Innovative Team Fund for College Development Project (Grant No. KJTD201310), Chongqing Youth Innovative Talent Project (Grant No. cstc2013kjrc-qnrc40004), Ministry of Education of China and China Mobile Research Fund (Grant No. MCM20130351), and Science and Technology on Information Transmission and Dissemination in Communication Networks Laboratory Open Project (Grant No. ITD-U13002/KX132600009).


Corresponding author

Correspondence to Yanbing Liu.


Cite this article

Liu, Y., Yuan, Z., Xing, C. et al. A behavioral anomaly detection strategy based on time series process portraits for desktop virtualization systems. Cluster Comput 18, 979–988 (2015). https://doi.org/10.1007/s10586-015-0431-2


  • DOI: https://doi.org/10.1007/s10586-015-0431-2
