For Full-Text PDF, please login, if you are a member of IEICE,|
or go to Pay Per View on menu list, if you are a nonmember of IEICE.
On the Detection of Malicious Behaviors against Introspection Using Hardware Architectural Events
Huaizhe ZHOU Haihe BA Yongjun WANG Tie HONG
IEICE TRANSACTIONS on Information and Systems
Publication Date: 2020/01/01
Online ISSN: 1745-1361
Type of Manuscript: LETTER
Category: Artificial Intelligence, Data Mining
virtual machine introspection, hardware architectural events, supervised machine learning,
Full Text: PDF(242.4KB)>>
The arms race between offense and defense in the cloud impels the innovation of techniques for monitoring attacks and unauthorized activities. The promising technique of virtual machine introspection (VMI) becomes prevalent for its tamper-resistant capability. However, some elaborate exploitations are capable of invalidating VMI-based tools by breaking the assumption of a trusted guest kernel. To achieve a more reliable and robust introspection, we introduce a practical approach to monitor and detect attacks that attempt to subvert VMI in this paper. Our approach combines supervised machine learning and hardware architectural events to identify those malicious behaviors which are targeted at VMI techniques. To demonstrate the feasibility, we implement a prototype named HyperMon on the Xen hypervisor. The results of our evaluation show the effectiveness of HyperMon in detecting malicious behaviors with an average accuracy of 90.51% (AUC).