
Malware Detection in Cloud Computing Infrastructures

Published: 01 March 2016

Abstract

Cloud services are prominent within the private, public and commercial domains. Many of these services are expected to be always on and have a critical nature; therefore, security and resilience are increasingly important aspects. In order to remain resilient, a cloud needs to possess the ability to react not only to known threats, but also to new challenges that target cloud infrastructures. In this paper we introduce and discuss an online cloud anomaly detection approach, comprising dedicated detection components of our cloud resilience architecture. More specifically, we exhibit the applicability of novelty detection under the one-class Support Vector Machine (SVM) formulation at the hypervisor level, through the utilisation of features gathered at the system and network levels of a cloud node. We demonstrate that our scheme can reach a high detection accuracy of over 90 percent whilst detecting various types of malware and DoS attacks. Furthermore, we evaluate the merits of considering not only system-level data, but also network-level data depending on the attack type. Finally, the paper shows that our approach to detection using dedicated monitoring components per VM is particularly applicable to cloud scenarios and leads to a flexible detection system capable of detecting new malware strains with no prior knowledge of their functionality or their underlying instructions.
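As an added illustration (not code from the paper or its authors), the following sketches the per-VM novelty-detection idea from the abstract: a one-class SVM is fitted on a benign-only window of constructed system- and network-level feature rows for one VM and then scores a constructed DoS-like row. The feature set, the projected-gradient solver standing in for a real QP solver, and all sample values are assumptions.

```python
import math
import random

# Constructed per-VM feature rows (cpu %, mem %, pkts in/s, pkts out/s, syscalls/s); fixed seed, not real telemetry.
_rng = random.Random(7)

def benign_sample():
    return [_rng.gauss(25, 5), _rng.gauss(40, 4), _rng.gauss(300, 40),
            _rng.gauss(280, 40), _rng.gauss(1500, 200)]

def rbf(a, b, gamma):
    return math.exp(-gamma * sum((x - y) ** 2 for x, y in zip(a, b)))

class OneClassSVM:
    # One-class SVM dual (Schoelkopf et al.): min 1/2 a'Ka, 0 <= a_i <= 1/(nu*n), sum a_i = 1,
    # solved here by projected gradient descent as a small stand-in for a real QP solver.
    def __init__(self, nu=0.1, gamma=0.1):
        self.nu, self.gamma = nu, gamma
    def _z(self, row):  # standardise with the training mean/std so every feature counts equally
        return [(v - m) / s for v, m, s in zip(row, self.mean, self.std)]
    def _raw(self, z):  # w . phi(z) = sum_i alpha_i k(x_i, z)
        return sum(a * rbf(x, z, self.gamma) for a, x in zip(self.alpha, self.X) if a > 0)
    @staticmethod
    def _project(v, C):  # nearest point in {0 <= a <= C, sum a = 1}: bisect the shift tau
        lo, hi = min(v) - 1.0, max(v)
        for _ in range(60):
            tau = (lo + hi) / 2
            lo, hi = (tau, hi) if sum(min(C, max(0.0, x - tau)) for x in v) > 1.0 else (lo, tau)
        return [min(C, max(0.0, x - hi)) for x in v]
    def fit(self, rows, iters=200):
        n, d = len(rows), len(rows[0])
        self.mean = [sum(r[j] for r in rows) / n for j in range(d)]
        self.std = [max(1e-9, math.sqrt(sum((r[j] - self.mean[j]) ** 2 for r in rows) / n)) for j in range(d)]
        self.X = [self._z(r) for r in rows]
        K = [[rbf(a, b, self.gamma) for b in self.X] for a in self.X]
        C, alpha = 1.0 / (self.nu * n), [1.0 / n] * n
        for _ in range(iters):  # step 1/n is below 1/lambda_max(K) because trace(K) = n
            grad = [sum(K[i][j] * alpha[j] for j in range(n)) for i in range(n)]
            alpha = self._project([alpha[i] - grad[i] / n for i in range(n)], C)
        self.alpha = alpha
        # rho = raw score on margin support vectors (0 < alpha < C); fall back to every SV
        sv = [i for i in range(n) if 1e-9 < alpha[i] < C - 1e-9] or [i for i in range(n) if alpha[i] > 1e-9]
        self.rho = sum(self._raw(self.X[i]) for i in sv) / len(sv)
        return self
    def is_anomalous(self, row):  # novelty = decision value below the learned boundary
        return self._raw(self._z(row)) - self.rho < 0

TRAIN = [benign_sample() for _ in range(120)]     # benign-only training window for one VM
MODEL = OneClassSVM().fit(TRAIN)
DOS_LIKE = [85.0, 42.0, 310.0, 9000.0, 1600.0]    # constructed: CPU spike plus outbound packet flood
```

A row such as DOS_LIKE, whose network-level features lie far outside the benign baseline, falls below the learned boundary and is flagged without the detector having seen that attack before.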


Published In

IEEE Transactions on Dependable and Secure Computing, Volume 13, Issue 2, March-April 2016 (166 pages). Publisher: IEEE Computer Society Press, Washington, DC, United States.