Phase space detection of virtual machine cyber events through hypervisor-level system call analysis

Joel A. Dawson, Jeffrey T. McDonald, Lee Hively, Todd R. Andel, Mark Yampolskiy, Charles Hubbard

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

21 Scopus citations

Abstract

The growth of the cloud computing ecosystem has afforded many new opportunities to businesses and consumers alike; however, with this new computing context come new risks, and much attention has been given to the security dangers inherent in the architecture of cloud-based systems. Researchers, however, have done little to address the risk of advanced persistent threat intrusions, specifically in regard to the use of rootkits, which are powerful, stealthy pieces of malware that have grown in popularity with cybercriminals and nation-state actors. These programs threaten a system by acquiring root privilege and then, using a variety of stealth tactics, evading detection and removal by modern anti-malware tools. In this research, we validate that the approach of Oak Ridge National Laboratory's Beholder project is applicable to the context of rootkit detection within a running virtual machine. We do this by collecting and analyzing system calls captured at the hypervisor level, outside the guest that a rootkit could subvert. The analysis employs a novel nonlinear, phase-space algorithm to derive time-serial cyber dynamics, and then uses these dynamics to characterize potentially anomalous system behavior through the comparison of nominal and test behavior profiles. Our results demonstrate that this technique is effective in flagging variance between the timing traces of an infected and an uninfected machine, thus indicating the presence of a running rootkit.
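The pipeline the abstract describes (symbolize a time series of hypervisor-observed syscall timing, embed it into a phase space, build node and edge distributions of the resulting graph, and compare a test profile against nominal ones) can be sketched end to end. The Python below is an added illustration written for this page; it is not the authors' Beholder code or the paper's exact algorithm, and it follows the generic phase-space dissimilarity recipe found in the public literature. Everything in it is an assumption: the inter-syscall intervals are synthetic, the parameters S (bins), d (embedding dimension), lam (time delay), mu (edge lag) and the cutset size are arbitrary choices, and the "infection" is modelled as a fixed extra latency on every fifth call, standing in for a syscall detoured through a rootkit hook.

```python
"""Simplified phase-space dissimilarity detector over syscall timing.
Added illustration; not the paper's Beholder implementation."""
import math
import random
from collections import Counter


def make_trace(n, seed, hook_period=None, hook_delay=0.0):
    """Constructed inter-syscall intervals (microseconds), not captured data.
    hook_period/hook_delay add a fixed latency to every hook_period-th call,
    an assumed signature of a call routed through a rootkit hook."""
    rng = random.Random(seed)
    trace = []
    for i in range(n):
        fast = rng.random() < 0.9  # bursty workload: mostly fast, some slow I/O
        gap = rng.expovariate(1 / 5.0) if fast else rng.expovariate(1 / 60.0)
        if hook_period and i % hook_period == 0:
            gap += hook_delay
        trace.append(gap)
    return trace


def bin_edges(base, s):
    """Equiprobable bin boundaries taken from the nominal base cutset."""
    srt = sorted(base)
    return [srt[len(srt) * k // s] for k in range(1, s)]


def symbolize(series, bins):
    """Map each interval to a symbol in 0..S-1."""
    return [sum(1 for b in bins if x >= b) for x in series]


def embed(symbols, s, d, lam):
    """Time-delay embedding: a state is the base-S integer built from d
    symbols spaced lam samples apart."""
    states = []
    for i in range(len(symbols) - (d - 1) * lam):
        v = 0
        for j in range(d):
            v = v * s + symbols[i + j * lam]
        states.append(v)
    return states


def distributions(states, mu):
    """Graph view of the phase space: node counts and edge counts, an edge
    joining a state to the state mu steps later."""
    return Counter(states), Counter(zip(states, states[mu:]))


def chi2(p, q):
    """Symmetric chi-square dissimilarity between two count distributions."""
    n_p, n_q = sum(p.values()), sum(q.values())
    total = 0.0
    for key in set(p) | set(q):
        a, b = p.get(key, 0) / n_p, q.get(key, 0) / n_q
        if a + b > 0:
            total += (a - b) ** 2 / (a + b)
    return total


class PhaseSpaceDetector:
    def __init__(self, s=4, d=3, lam=1, mu=1, cutset=2000, k=3.0):
        self.s, self.d, self.lam, self.mu, self.cutset, self.k = s, d, lam, mu, cutset, k

    def _cutsets(self, trace):
        return [trace[i:i + self.cutset]
                for i in range(0, len(trace) - self.cutset + 1, self.cutset)]

    def _dists(self, cut):
        states = embed(symbolize(cut, self.bins), self.s, self.d, self.lam)
        return distributions(states, self.mu)

    def _raw(self, cut):
        nodes, edges = self._dists(cut)
        return chi2(self.base_nodes, nodes), chi2(self.base_edges, edges)

    def fit(self, nominal):
        """First nominal cutset is the base case; the rest give the mean and
        spread of nominal-vs-base dissimilarity used for renormalization."""
        cuts = self._cutsets(nominal)
        self.bins = bin_edges(cuts[0], self.s)
        self.base_nodes, self.base_edges = self._dists(cuts[0])
        raws = [self._raw(c) for c in cuts[1:]]
        self.stats = []
        for col in zip(*raws):
            mean = sum(col) / len(col)
            var = sum((x - mean) ** 2 for x in col) / (len(col) - 1)
            self.stats.append((mean, math.sqrt(var)))
        return self

    def score(self, trace):
        """Mean z-score of node and edge dissimilarity over the trace's cutsets."""
        zs = [[(x - m) / sd for x, (m, sd) in zip(self._raw(c), self.stats)]
              for c in self._cutsets(trace)]
        return [sum(col) / len(col) for col in zip(*zs)]

    def alert(self, trace):
        return any(z > self.k for z in self.score(trace))


if __name__ == "__main__":
    det = PhaseSpaceDetector().fit(make_trace(20000, seed=1))
    clean = make_trace(10000, seed=2)
    infected = make_trace(10000, seed=3, hook_period=5, hook_delay=200.0)
    print("clean   ", det.score(clean), det.alert(clean))
    print("infected", det.score(infected), det.alert(infected))
```

Averaging the renormalized score across several cutsets, rather than alerting on a single one, is what keeps a clean trace below the threshold while the periodic hook latency pushes both the node and edge dissimilarity far above it; a real deployment would tune S, d and the cutset length against the VM's actual workload rather than the synthetic mixture used here.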

Original language: English
Title of host publication: Proceedings - 2018 1st International Conference on Data Intelligence and Security, ICDIS 2018
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 159-167
Number of pages: 9
ISBN (Electronic): 9781538657621
DOIs
State: Published - May 25 2018
Externally published: Yes
Event: 1st International Conference on Data Intelligence and Security, ICDIS 2018 - South Padre Island, United States
Duration: Apr 8 2018 to Apr 10 2018

Publication series

Name: Proceedings - 2018 1st International Conference on Data Intelligence and Security, ICDIS 2018

Conference

Conference: 1st International Conference on Data Intelligence and Security, ICDIS 2018
Country/Territory: United States
City: South Padre Island
Period: 04/8/18 to 04/10/18

Funding

This material is based in part upon work supported by the National Science Foundation under grant DUE-1241675.

Keywords

  • Cloud computing security
  • Cyber anomaly detection
  • Graph theory
  • Malware
  • Phase space analysis
  • Rootkits
  • Virtual machine
