On the Detection of Malicious Behaviors against Introspection Using Hardware Architectural Events

Huaizhe ZHOU  Haihe BA  Yongjun WANG  Tie HONG  

IEICE TRANSACTIONS on Information and Systems   Vol.E103-D   No.1   pp.177-180
Publication Date: 2020/01/01
Online ISSN: 1745-1361
DOI: 10.1587/transinf.2019EDL8148
Type of Manuscript: LETTER
Category: Artificial Intelligence, Data Mining
virtual machine introspection,  hardware architectural events,  supervised machine learning,  

Full Text: PDF(242.4KB)>>
Buy this Article

The arms race between offense and defense in the cloud impels the innovation of techniques for monitoring attacks and unauthorized activities. The promising technique of virtual machine introspection (VMI) becomes prevalent for its tamper-resistant capability. However, some elaborate exploitations are capable of invalidating VMI-based tools by breaking the assumption of a trusted guest kernel. To achieve a more reliable and robust introspection, we introduce a practical approach to monitor and detect attacks that attempt to subvert VMI in this paper. Our approach combines supervised machine learning and hardware architectural events to identify those malicious behaviors which are targeted at VMI techniques. To demonstrate the feasibility, we implement a prototype named HyperMon on the Xen hypervisor. The results of our evaluation show the effectiveness of HyperMon in detecting malicious behaviors with an average accuracy of 90.51% (AUC).