A behavioral anomaly detection strategy based on time series process portraits for desktop virtualization systems
  • Authors: Yanbing Liu ; Zhong Yuan ; Congcong Xing ; Bo Gong ; Yunpeng Xiao
  • Keywords: Desktop virtualization ; Process portrait ; Hidden Markov model ; Anomaly detection ; Profile analysis
  • Journal: Cluster Computing
  • Publication year: 2015
  • Publication date: June 2015
  • Year: 2015
  • Volume: 18
  • Issue: 2
  • Pages: 979-988
  • Full-text size: 1,471 KB
  • Author affiliations: Yanbing Liu (1)
    Zhong Yuan (1)
    Congcong Xing (3)
    Bo Gong (1)
    Yunpeng Xiao (1) (2)
    Hong Liu (1)

    1. Engineering Laboratory of Network and Information Security, Chongqing University of Posts and Telecommunications, Chongqing, 400065, China
    3. Department of Mathematics and Computer Science, Nicholls State University, Thibodaux, LA, 70310, USA
    2. Laboratory of Science and Technology on Information Transmission and Dissemination in Communication Networks, Shijiazhuang, 050081, China
  • Journal category: Computer Science
  • Journal subjects: Processor Architectures
    Operating Systems
    Computer Communication Networks
  • Publisher: Springer Netherlands
  • ISSN:1573-7543
Abstract
As the application of desktop virtualization systems (DVSs) continues to gain momentum, the security issue of DVSs becomes increasingly critical and is extensively studied. Unfortunately, the majority of current research on DVSs focuses only on the virtual machines (VMs) on the servers, and overlooks to a large extent the security issue of the clients. In addition, traditional security techniques are not completely suitable for DVSs, particularly the thin client environment. Towards finding a solution to these problems, we propose a novel behavioral anomaly detection method for DVS clients by creating and using process portraits. Based on the correlations between users, virtualized desktop processes (VDPs), and VMs in DVSs, this proposed method describes the process behaviors of clients by the CPU utilization rates of VMs located on the server, constructs process portraits for VDPs by hidden Markov models and by considering the user profiles, and detects anomalies of VDPs by contrasting VDPs' behaviors against the constructed process portraits. Our experimental results show that the proposed method is effective and successful.
