The original paper is in English. Non-English content has been machine-translated and may contain typographical errors or mistranslations. ex. Some numerals are expressed as "XNUMX".
The arms race between offense and defense in the cloud impels the innovation of techniques for monitoring attacks and unauthorized activities. The promising technique of virtual machine introspection (VMI) becomes prevalent for its tamper-resistant capability. However, some elaborate exploitations are capable of invalidating VMI-based tools by breaking the assumption of a trusted guest kernel. To achieve a more reliable and robust introspection, we introduce a practical approach to monitor and detect attacks that attempt to subvert VMI in this paper. Our approach combines supervised machine learning and hardware architectural events to identify those malicious behaviors which are targeted at VMI techniques. To demonstrate the feasibility, we implement a prototype named HyperMon on the Xen hypervisor. The results of our evaluation show the effectiveness of HyperMon in detecting malicious behaviors with an average accuracy of 90.51% (AUC).
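The abstract sketches a three-stage pipeline: collect hardware architectural event counts per guest, train a supervised classifier on labelled benign and VMI-subverting runs, and report AUC on held-out data. The block below is an added example of that pipeline in plain Python; it is not HyperMon's code and the paper does not list its feature set here. The event names, the assumption that kernel-structure tampering raises miss and control-register-write rates per retired instruction, and every sample are constructed for illustration. It also shows why the rank-based AUC, not accuracy at a fixed threshold, is the number to compare across detectors.

```python
import math
import random

# Hardware architectural events sampled per guest VM (assumed names; the
# paper's actual feature set is not given on this page).
EVENTS = ("instructions", "branch_misses", "llc_misses", "dtlb_misses", "cr3_writes")


def make_samples(n_benign=60, n_malicious=60, seed=7):
    """Constructed data. Assumption: behaviour that subverts VMI (tampering
    with guest kernel structures / page tables) shows up as higher miss and
    CR3-write rates per retired instruction than ordinary guest workloads."""
    rng = random.Random(seed)
    rows, labels = [], []
    profiles = [  # (label, branch-miss, llc-miss, dtlb-miss ratios, cr3 writes)
        (0, (0.005, 0.015), (0.001, 0.003), (0.0005, 0.0015), (50, 200)),
        (1, (0.010, 0.030), (0.003, 0.008), (0.0020, 0.0050), (300, 1000)),
    ]
    for label, br, llc, tlb, cr3 in profiles:
        for _ in range(n_benign if label == 0 else n_malicious):
            ins = rng.uniform(1e6, 5e6)
            rows.append({
                "instructions": ins,
                "branch_misses": ins * rng.uniform(*br),
                "llc_misses": ins * rng.uniform(*llc),
                "dtlb_misses": ins * rng.uniform(*tlb),
                "cr3_writes": rng.uniform(*cr3),
            })
            labels.append(label)
    return rows, labels


def featurize(row):
    """Rates per retired instruction, log-scaled, so the classifier is not
    dominated by raw counter magnitude (which varies with sampling window)."""
    ins = row["instructions"]
    return [math.log10(row[e] / ins) for e in EVENTS[1:]]


def standardize(train, test):
    """Z-score features using training-set statistics only (no test leakage)."""
    cols = list(zip(*train))
    mu = [sum(c) / len(c) for c in cols]
    sd = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
          for c, m in zip(cols, mu)]
    scale = lambda X: [[(v - m) / s for v, m, s in zip(x, mu, sd)] for x in X]
    return scale(train), scale(test)


def train_logistic(X, y, lr=0.1, epochs=300):
    """Batch gradient-descent logistic regression; no external ML library."""
    w = [0.0] * len(X[0])
    b = 0.0
    for _ in range(epochs):
        gw = [0.0] * len(w)
        gb = 0.0
        for x, t in zip(X, y):
            p = 1.0 / (1.0 + math.exp(-(sum(wi * xi for wi, xi in zip(w, x)) + b)))
            err = p - t
            for i, xi in enumerate(x):
                gw[i] += err * xi
            gb += err
        w = [wi - lr * g / len(X) for wi, g in zip(w, gw)]
        b -= lr * gb / len(X)
    return w, b


def predict(model, X):
    w, b = model
    return [1.0 / (1.0 + math.exp(-(sum(wi * xi for wi, xi in zip(w, x)) + b)))
            for x in X]


def auc(labels, scores):
    """ROC AUC via the Mann-Whitney statistic: the probability that a random
    malicious sample scores above a random benign one (ties count half)."""
    pos = [s for s, t in zip(scores, labels) if t == 1]
    neg = [s for s, t in zip(scores, labels) if t == 0]
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def evaluate(seed=7):
    """Train on 70% of the constructed samples, return AUC on the other 30%."""
    rows, labels = make_samples(seed=seed)
    idx = list(range(len(rows)))
    random.Random(seed).shuffle(idx)
    cut = int(0.7 * len(idx))
    tr, te = idx[:cut], idx[cut:]
    Xtr, Xte = standardize([featurize(rows[i]) for i in tr],
                           [featurize(rows[i]) for i in te])
    model = train_logistic(Xtr, [labels[i] for i in tr])
    return auc([labels[i] for i in te], predict(model, Xte))


if __name__ == "__main__":
    print(f"held-out AUC: {evaluate():.4f}")
```

On real hardware the counter rows would come from the hypervisor's PMU virtualization rather than `make_samples`, and the separation between classes would be far less clean than in this constructed set; the point of the AUC is that it summarizes detector quality over every threshold, so a deployment can later pick the operating point that matches its tolerance for false alarms.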
Huaizhe ZHOU
National University of Defense Technology
Haihe BA
National University of Defense Technology
Yongjun WANG
National University of Defense Technology
Tie HONG
National University of Defense Technology
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Huaizhe ZHOU, Haihe BA, Yongjun WANG, Tie HONG, "On the Detection of Malicious Behaviors against Introspection Using Hardware Architectural Events" in IEICE TRANSACTIONS on Information and Systems,
vol. E103-D, no. 1, pp. 177-180, January 2020, doi: 10.1587/transinf.2019EDL8148.
Abstract: The arms race between offense and defense in the cloud impels the innovation of techniques for monitoring attacks and unauthorized activities. The promising technique of virtual machine introspection (VMI) becomes prevalent for its tamper-resistant capability. However, some elaborate exploitations are capable of invalidating VMI-based tools by breaking the assumption of a trusted guest kernel. To achieve a more reliable and robust introspection, we introduce a practical approach to monitor and detect attacks that attempt to subvert VMI in this paper. Our approach combines supervised machine learning and hardware architectural events to identify those malicious behaviors which are targeted at VMI techniques. To demonstrate the feasibility, we implement a prototype named HyperMon on the Xen hypervisor. The results of our evaluation show the effectiveness of HyperMon in detecting malicious behaviors with an average accuracy of 90.51% (AUC).
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.2019EDL8148/_p
@ARTICLE{e103-d_1_177,
author={Huaizhe Zhou and Haihe Ba and Yongjun Wang and Tie Hong},
journal={IEICE Transactions on Information and Systems},
title={On the Detection of Malicious Behaviors against Introspection Using Hardware Architectural Events},
year={2020},
volume={E103-D},
number={1},
pages={177-180},
abstract={The arms race between offense and defense in the cloud impels the innovation of techniques for monitoring attacks and unauthorized activities. The promising technique of virtual machine introspection (VMI) becomes prevalent for its tamper-resistant capability. However, some elaborate exploitations are capable of invalidating VMI-based tools by breaking the assumption of a trusted guest kernel. To achieve a more reliable and robust introspection, we introduce a practical approach to monitor and detect attacks that attempt to subvert VMI in this paper. Our approach combines supervised machine learning and hardware architectural events to identify those malicious behaviors which are targeted at VMI techniques. To demonstrate the feasibility, we implement a prototype named HyperMon on the Xen hypervisor. The results of our evaluation show the effectiveness of HyperMon in detecting malicious behaviors with an average accuracy of 90.51% (AUC).},
doi={10.1587/transinf.2019EDL8148},
issn={1745-1361},
month={jan},
}
TY  - JOUR
TI  - On the Detection of Malicious Behaviors against Introspection Using Hardware Architectural Events
T2  - IEICE TRANSACTIONS on Information and Systems
SP  - 177
EP  - 180
AU  - ZHOU, Huaizhe
AU  - BA, Haihe
AU  - WANG, Yongjun
AU  - HONG, Tie
PY  - 2020
DO  - 10.1587/transinf.2019EDL8148
JO  - IEICE TRANSACTIONS on Information and Systems
SN  - 1745-1361
VL  - E103-D
IS  - 1
JA  - IEICE Trans. Inf. & Syst.
Y1  - 2020/01//
AB  - The arms race between offense and defense in the cloud impels the innovation of techniques for monitoring attacks and unauthorized activities. The promising technique of virtual machine introspection (VMI) becomes prevalent for its tamper-resistant capability. However, some elaborate exploitations are capable of invalidating VMI-based tools by breaking the assumption of a trusted guest kernel. To achieve a more reliable and robust introspection, we introduce a practical approach to monitor and detect attacks that attempt to subvert VMI in this paper. Our approach combines supervised machine learning and hardware architectural events to identify those malicious behaviors which are targeted at VMI techniques. To demonstrate the feasibility, we implement a prototype named HyperMon on the Xen hypervisor. The results of our evaluation show the effectiveness of HyperMon in detecting malicious behaviors with an average accuracy of 90.51% (AUC).
ER  -