Top

Mobile Networks and Applications

Published in:

08-01-2020

Malware Detection Based on Multi-level and Dynamic Multi-feature Using Ensemble Learning at Hypervisor

Authors: Jian Zhang, Cheng Gao, Liangyi Gong, Zhaojun Gu, Dapeng Man, Wu Yang, Wenzhen Li

Published in: Mobile Networks and Applications | Issue 4/2021

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

As more and more applications migrate to clouds, the type and amount of malware attack against virtualized environments are increasing, which is a key factor that restricts the widespread deployment and application of cloud platforms. Traditional in-VM-based security software is not effective against malware attacks, as the security software itself becomes the target of malware attacks and can easily be tampered with or even subverted. In this paper, we propose a new malware detection method to improve virtual machine security performance and ensure the security of the entire cloud platform. This paper uses the virtual machine introspection(VMI) combined with the memory forensics analysis(MFA) technology to extract multiple types of dynamic features from the virtual machine memory, the hypervisor layer and the hardware layer. Furthermore, this paper proposes an adaptive feature selection method. By combining three different search strategies, three types of features are compared and analyzed from three aspects: effectiveness, system load and security. By adjusting the weight of each feature, it meets the detection requirements of different malware in the cloud environment as expected. Finally, the detection method improves the detection accuracy and generalization ability of the overall classifier using the AdaBoost ensemble learning method with Voting’s combination strategy. The experiment used a large number of real malicious samples, and achieved an accuracy of 0.999 (AUC), with a maximum performance overhead of 5.6%.

previous article A Fault Tolerant Mechanism for UE Authentication in 5G Networks

next article Secure Encrypted Data Deduplication Based on Data Popularity

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

ATZelektronik

Die Fachzeitschrift ATZelektronik bietet für Entwickler und Entscheider in der Automobil- und Zulieferindustrie qualitativ hochwertige und fundierte Informationen aus dem gesamten Spektrum der Pkw- und Nutzfahrzeug-Elektronik.

Lassen Sie sich jetzt unverbindlich 2 kostenlose Ausgabe zusenden.

inform now

ATZelectronics worldwide

ATZlectronics worldwide is up-to-speed on new trends and developments in automotive electronics on a scientific level with a high depth of information.

Order your 30-days-trial for free and without any commitment.

inform now

Han Y, Hao Z, Cui L, Wang C, Sang Y (2016) A hybrid monitoring mechanism in virtualized environments. In: 2016 IEEE Trustcom/BigDataSE/ISPA, pp 1038–1045, DOI https://doi.org/10.1109/TrustCom.2016.0173, (to appear in print)

Cheng Y, Fu X, Du X, Luo B, Guizani M (2017) A lightweight live memory forensic approach based on hardware virtualization. Inform Sci 379:23–41. https://doi.org/10.1016/j.ins.2016.07.019CrossRef

Mishra P, Pilli ES, Varadharajant V, Tupakula U (2016) Nvcloudids: a security architecture to detect intrusions at network and virtualization layer in cloud environment. In: 2016 international conference on advances in computing, communications and informatics (ICACCI), pp 56–62, DOI https://doi.org/10.1109/ICACCI.2016.7732025, (to appear in print)

Riley R, Jiang X, Xu D (2009) Multi-aspect profiling of kernel rootkit behavior. In: Proceedings of the 4th ACM European conference on computer systems, pp 47–60, DOI https://doi.org/10.1145/1519065.1519072, (to appear in print)

Payne BD, Carbone M, Sharif M, Lee W (2008) Lares: an architecture for secure active monitoring using virtualization. In: 2008 IEEE symposium on security and privacy (sp 2008), pp 233–247, DOI https://doi.org/10.1109/SP.2008.24, (to appear in print)

Suneja S, Isci C, de Lara E, Bala V (2015) Exploring vm introspection: Techniques and trade-offs. In: Acm Sigplan Notices, vol 50, pp 133–146, DOI https://doi.org/10.1145/2731186.2731196

Xiao J, Lu L, Wang H, Zhu X (2016) Hyperlink: Virtual machine introspection and memory forensic analysis without kernel source code. In: 2016 IEEE international conference on autonomic computing (ICAC), pp 127–136, DOI https://doi.org/10.1109/ICAC.2016.46, (to appear in print)

Fu Y, Zeng J, Lin Z (2014) Hypershell: a practical hypervisor layer guest os shell for automated in-vm management. In: 2014 USENIX annual technical conference (USENIX ATC 14), pp 85–96

Shi J, Yang Y, Tang C (2016) Hardware assisted hypervisor introspection. SpringerPlus 5(1):647. https://doi.org/10.1186/s40064-016-2257-7CrossRef

10.

Taubmann B, Frädrich C, Dusold D, Reiser HP (2016) Tlskex: Harnessing virtual machine introspection for decrypting tls communication. Digit Investig 16:S114–S123. https://doi.org/10.1016/j.diin.2016.01.014CrossRef

11.

Sebastián M, Rivera R, Kotzias P, Caballero J (2016) Avclass: a tool for massive malware labeling. In: International symposium on research in attacks, intrusions, and defenses, pp 230–253, DOI https://doi.org/10.1007/978-3-319-45719-2_11, (to appear in print)

12.

Tang A, Sethumadhavan S, Stolfo S (2014) Unsupervised anomaly-based malware detection using hardware features. In: International workshop on recent advances in intrusion detection, pp 109–129, DOI https://doi.org/10.1007/978-3-319-11379-1_6, (to appear in print)

13.

Kong D, Yan G (2013) Discriminant malware distance learning on structural information for automated malware classification. In: Proceedings of the 19th ACM SIGKDD international conference on knowledge discovery and data mining, pp 1357–1365, DOI https://doi.org/10.1145/2465529.2465531, (to appear in print)

14.

Kumara A, Jaidhar C (2018) Automated multi-level malware detection system based on reconstructed semantic view of executables using machine learning techniques at vmm. Futur Gener Comput Syst 79:431–446. https://doi.org/10.1016/j.future.2017.06.002CrossRef

15.

Jang J, Brumley D, Venkataraman S (2011) Bitshred: feature hashing malware for scalable triage and semantic analysis. In: Proceedings of the 18th ACM conference on Computer and communications security, pp 309–320, DOI https://doi.org/10.1145/2046707.2046742, (to appear in print)

16.

Ye Y, Li T, Chen Y, Jiang Q (2010) Automatic malware categorization using cluster ensemble. In: Proceedings of the 16th ACM SIGKDD international conference on knowledge discovery and data mining, pp 95–104, DOI https://doi.org/10.1145/1835804.1835820, (to appear in print)

17.

Garfinkel T, Rosenblum M, et al. (2003) A virtual machine introspection based architecture for intrusion detection. In: Ndss, vol 3, pp 191–206

18.

Bauman E, Ayoade G, Lin Z (2015) A survey on hypervisor-based monitoring: approaches, applications, and evolutions. ACM Computing Surveys (CSUR) 48(1):10. https://doi.org/10.1145/2775111CrossRef

19.

Hebbal Y, Laniepce S, Menaud J-M (2015) Virtual machine introspection: Techniques and applications. In: 2015 10th international conference on availability, reliability and security, pp 676–685, DOI https://doi.org/10.1109/ARES.2015.43, (to appear in print)

20.

Petroni NL Jr, Fraser T, Molina J, Arbaugh WA (2004) Copilot-a coprocessor-based kernel runtime integrity monitor. In: USENIX security symposium, pp 179–194

21.

Dolan-Gavitt B, Leek T, Zhivich M, Giffin J, Lee W (2011) Virtuoso: Narrowing the semantic gap in virtual machine introspection. In: 2011 IEEE symposium on security and privacy, pp 297–312, DOI https://doi.org/10.1109/SP.2011.11, (to appear in print)

22.

Fu Y, Lin Z (2012) Space traveling across vm: Automatically bridging the semantic gap in virtual machine introspection via online kernel data redirection. In: 2012 IEEE symposium on security and privacy, pp 586–600, DOI https://doi.org/10.1109/SP.2012.40, (to appear in print)

23.

Saberi A, Fu Y, Lin Z (2014) Hybrid-bridge: Efficiently bridging the semantic gap in virtual machine introspection via decoupled execution and training memoization. In: Proceedings of the 21st annual network and distributed system security symposium

24.

Demme J, Maycock M, Schmitz J, Tang A, Waksman A, Sethumadhavan S, Stolfo S (2013) On the feasibility of online malware detection with performance counters. In: ACM SIGARCH computer architecture news, vol 41, pp 559–570, DOI https://doi.org/10.1145/2508148.2485970

25.

Avritzer A, Tanikella R, James K, Cole RG, Weyuker E (2010) Monitoring for security intrusion using performance signatures. In: Proceedings of the first joint WOSP/SIPEW international conference on performance engineering, pp 93–104, DOI https://doi.org/10.1145/1712605.1712623, (to appear in print)

26.

Tuzel T, Bridgman M, Zepf J, Lengyel TK, Temkin K (2018) Who watches the watcher? detecting hypervisor introspection from unprivileged guests. Digit Investig 26:S98–S106. https://doi.org/10.1016/j.diin.2018.04.015CrossRef

27.

Hong S, Nicolae A, Srivastava A, Dumitraş T (2018) Peek-a-boo: Inferring program behaviors in a virtualized infrastructure without introspection. Computers & Security 79:190–207. https://doi.org/10.1016/j.cose.2018.08.010CrossRef

28.

Xuan C, Copeland J, Beyah R (2009) Toward revealing kernel malware behavior in virtual execution environments. In: International workshop on recent advances in intrusion detection, pp 304–325, DOI https://doi.org/10.1007/978-3-642-04342-0_16, (to appear in print)

29.

Dinaburg A, Royal P, Sharif M, Lee W (2008) Ether: malware analysis via hardware virtualization extensions. In: Proceedings of the 15th ACM conference on computer and communications security, pp 51–62, DOI https://doi.org/10.1145/1455770.1455779, (to appear in print)

30.

Dai S-Y, Fyodor Y, Wu J-S, Lin C-H, Huang Y, Kuo S-Y (2009) Holography: a hardware virtualization tool for malware analysis. In: 2009 15th IEEE Pacific rim international symposium on dependable computing, pp 263–268, DOI https://doi.org/10.1109/PRDC.2009.48, (to appear in print)

31.

Henderson A, Prakash A, Yan LK, Hu X, Wang X, Zhou R, Yin H (2014) Make it work, make it right, make it fast: building a platform-neutral whole-system dynamic binary analysis platform. In: Proceedings of the 2014 international symposium on software testing and analysis, pp 248–258, DOI https://doi.org/10.1145/2610384.2610407, (to appear in print)

32.

Schultz MG, Eskin E, Zadok F, Stolfo S (2001) Data mining methods for detection of new malicious executables. In: Proceedings 2001 IEEE symposium on security and privacy. S&P 2001, pp 38–49, DOI https://doi.org/10.1109/SECPRI.2001.924286, (to appear in print)

33.

Zhang Y, Huang Q, Ma X, Yang Z, Jiang J (2016) Using multi-features and ensemble learning method for imbalanced malware classification. In: 2016 IEEE Trustcom/BigDataSE/ISPA, pp 965–973, DOI https://doi.org/10.1109/TrustCom.2016.0163, (to appear in print)

34.

Bai J, Wang J (2016) Improving malware detection using multi-view ensemble learning. Sec Commun Netw 9(17):4227–4241. https://doi.org/10.1002/sec.1600CrossRef

35.

Cohen A, Nissim N (2018) Trusted detection of ransomware in a private cloud using machine learning methods leveraging meta-features from volatile memory. Expert Syst Appl 102:158–178. https://doi.org/10.1016/j.eswa.2018.02.039CrossRef

36.

Heidari P, Desnoyers M, Dagenais M (2008) Performance analysis of virtual machines through tracing. In: 2008 Canadian conference on electrical and computer engineering, pp 000261–000266, DOI https://doi.org/10.1109/CCECE.2008.4564536, (to appear in print)

37.

Weaver VM (2013) Linux perf_event features and overhead. In: The 2nd international workshop on performance analysis of workload optimized systems, FastPath, vol. 13

38.

Lengyel TK, Maresca S, Payne BD, Webster GD, Vogl S, Kiayias A (2014) Scalability, fidelity and stealth in the drakvuf dynamic malware analysis system. In: Proceedings of the 30th annual computer security applications conference, pp 386–395, DOI https://doi.org/10.1145/2664243.2664252, (to appear in print)

39.

Lin C-H, Pao H-K, Liao J-W (2018) Efficient dynamic malware analysis using virtual time control mechanics. Computers & Security 73:359–373. https://doi.org/10.1016/j.cose.2017.11.010CrossRef

40.

Yadav RM (2019) Effective analysis of malware detection in cloud computing. Computers & Security 83:14–21. https://doi.org/10.1016/j.cose.2018.12.005CrossRef

41.

Nataraj L, Karthikeyan S, Jacob G, Manjunath B (2011) Malware images: visualization and automatic classification. In: Proceedings of the 8th international symposium on visualization for cyber security, p 4, DOI https://doi.org/10.1145/2016904.2016908, (to appear in print)

42.

Ni S, Qian Q, Zhang R (2018) Malware identification using visualization images and deep learning. Computers & Security 77:871–885. https://doi.org/10.1016/j.cose.2018.04.005CrossRef

43.

Abou-Assaleh T, Cercone N, Keselj V, Sweidan R (2004) N-gram-based detection of new malicious code. In: Proceedings of the 28th annual international computer software and applications conference, 2004. COMPSAC 2004, vol 2, pp 41–42, DOI https://doi.org/10.1109/CMPSAC.2004.1342667

44.

Shabtai A, Moskovitch R, Feher C, Dolev S, Elovici Y (2012) Detecting unknown malicious code by applying classification techniques on opcode patterns. Security Informatics 1(1):1. https://doi.org/10.1186/2190-8532-1-1CrossRef

45.

Wang L, Meng J, Huang R, Zhu H, Peng K Incremental feature weighting for fuzzy feature selection, Fuzzy Sets and Systems. https://doi.org/10.1016/j.fss.2018.10.021

46.

Tuo Q, Zhao H, Hu Q (2019) Hierarchical feature selection with subtree based graph regularization. Knowl-Based Syst 163:996–1008. https://doi.org/10.1016/j.knosys.2018.10.023CrossRef

47.

Zhang R, Nie F, Li X, Wei X (2019) Feature selection with multi-view data: a survey. Information Fusion 50:158–167. https://doi.org/10.1016/j.inffus.2018.11.019CrossRef

48.

Mohammadi S, Mirvaziri H, Ghazizadeh-Ahsaee M, Karimipour H (2019) Cyber intrusion detection by combined feature selection algorithm. J Inf Sec Appl 44:80–88. https://doi.org/10.1016/j.jisa.2018.11.007CrossRef

49.

Salza P, Ferrucci F (2019) Speed up genetic algorithms in the cloud using software containers. Futur Gener Comput Syst 92:276–289CrossRef

50.

Kennedy J, Eberhart RC (1997) A discrete binary version of the particle swarm algorithm. In: 1997 IEEE international conference on systems, man, and cybernetics. Computational cybernetics and simulation, vol 5, pp 4104–4108, DOI https://doi.org/10.1109/ICSMC.1997.637339

51.

Xu G, Yu G (2018) Reprint of: on convergence analysis of particle swarm optimization algorithm. J Comput Appl Math 340:709–717. https://doi.org/10.1016/j.cam.2018.04.036MathSciNetCrossRefMATH

52.

Jovanovic R, Tuba M, Voß S (2019) An efficient ant colony optimization algorithm for the blocks relocation problem. Eur J Oper Res 274(1):78–90. https://doi.org/10.1016/j.ejor.2018.09.038MathSciNetCrossRefMATH

53.

Khasawneh KN, Ozsoy M, Donovick C, Abu-Ghazaleh N, Ponomarev D (2015) Ensemble learning for low-level hardware-supported malware detection. In: International workshop on recent advances in intrusion detection, pp 3–25, DOI https://doi.org/10.1007/978-3-319-26362-5_1, (to appear in print)

54.

Mishra P, Pilli ES, Varadharajan V, Tupakula U (2017) Intrusion detection techniques in cloud environment: a survey. J Netw Comput Appl 77:18–47. https://doi.org/10.1016/j.jnca.2016.10.015CrossRef

55.

Huda S, Miah S, Hassan MM, Islam R, Yearwood J, Alrubaian M, Almogren A (2017) Defending unknown attacks on cyber-physical systems by semi-supervised approach and available unlabeled data. Inform Sci 379:211–228. https://doi.org/10.1016/j.ins.2016.09.041CrossRef

Title: Malware Detection Based on Multi-level and Dynamic Multi-feature Using Ensemble Learning at Hypervisor
Authors: Jian Zhang
Cheng Gao
Liangyi Gong
Zhaojun Gu
Dapeng Man
Wu Yang
Wenzhen Li
Publication date: 08-01-2020
Publisher: Springer US
Published in: Mobile Networks and Applications / Issue 4/2021
Print ISSN: 1383-469X
Electronic ISSN: 1572-8153
DOI: https://doi.org/10.1007/s11036-019-01503-4

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

ATZelektronik

ATZelectronics worldwide

Other articles of this Issue 4/2021

ClusTi: Clustering Method for Table Structure Recognition in Scanned Images

Cryptanalysis of a Public Key Cryptosystem Based on Data Complexity under Quantum Environment

Privacy-Preserving Top-k Location-based Services Retrieval in Mobile Internet

Identity-based Multi-Recipient Public Key Encryption Scheme and Its Application in IoT

Secure Encrypted Data Deduplication Based on Data Popularity

Correction to: Identity-based Multi-Recipient Public Key Encryption Scheme and Its Application in IoT