Cloud computing provides on demand provisioning of resources mostly offered as Infrastructure as a Service. The flexibility in services has opened doors for attackers. Research has been performed to detect various malware in the last few years. However, modern malware are advanced enough to detect the presence of virtualization environment, security analyzer, or even the hypervisor by observing the virtualization-specific information such as virtual processor features, timing features, etc. The malware exhibit evasive nature and can fool existing security solutions by performing modern antidetection tactics. In this paper, we propose an approach named as VMI-assisted evasion detection (VAED), deployed at virtual machine monitor, to detect the evasion-based malware attacks. The VAED is based on learning the program semantic of evasive malware. It uses system call dependency graph approach generated using Markov Chain principle and keeps track of system call ordering with transition probability distribution between each pair system calls. It uses software break point injection technique to extract the system call traces of evasive malware samples, which is free from any modification in hardware-specific values. Hence, it is secure from evasion attempts. The VAED is validated over evasive samples collected from the University of California on request, and results seem to be promising.
- cloud security
- intrusion detection
- system call analysis
- virtual machine introspection