Design and Implementation of Abnormal Behavior Detection System for Virtualization Platform

doi:10.3969/j.issn.1671-1122.2022.11.008

Abstract

Abstract:

This paper proposed an abnormal behavior detection method implemented of virtualization platform based on image and deep learning, designed and implemented the system prototype. This method used the Xen virtualization platform to dump the system memory of VMS running normal software and malicious software respectively and collects 1100 memory dump files containing normal behaviors and 2200 memory dump files containing abnormal behaviors. For each file, the first 10 MB of system sensitive area is extracted and then converted into a 2-dimensional image using SFC. Finally, convolutional neural network is used to classify the memory images to judge whether there are abnormal behaviors in the virtualization platform. Experimental results show that the system achieves 98.78% classification accuracy and can effectively detect abnormal behaviors in virtualization platform.

Key words: cloud computing, virtualization, abnormal behavior detection, convolutional neural network

CLC Number:

TP309

LIN Faxin, ZHANG Jian. Design and Implementation of Abnormal Behavior Detection System for Virtualization Platform[J]. Netinfo Security, 2022, 22(11): 62-67.

Figures/Tables 12

References 16

[1]	MANSOURI Y, BABAR M A. A Review of Edge Computing: Features and Resource Virtualization[J]. Journal of Parallel and Distributed Computing, 2021, 150: 155-183. doi: 10.1016/j.jpdc.2020.12.015 URL
[2]	UEKI K, KOURAI K. Fine-Grained Autoscaling with In-VM Containers and VM Introspection[C]//IEEE. 2020 IEEE/ACM 13th International Conference on Utility and Cloud Computing (UCC). New York:IEEE, 2020: 155-164.
[3]	GARFINKEL T, ROSENBLUM M. A Virtual Machine Introspection Based Architecture for Intrusion Detection[EB/OL]. [2022-06-08].
[4]	CONTI G, DEAN E, SINDA M, et al. Visual Reverse Engineering of Binary and Data Files[C]// Springer. International Workshop on Visualization for Computer Security. Heidelberg: Springer, 2008: 1-17.
[5]	NATARAJ L, KARTHIKEYAN S, JACOB G, et al. Malware Images: Visualization and Automatic Classification[C]// ACM. Proceedings of the 8th International Symposium on Visualization for Cyber Security. New York: ACM, 2011: 1-7.
[6]	LUO J S, LO D C T. Binary Malware Image Classification Using Machine Learning with Local Binary Pattern[C]// IEEE. 2017 IEEE International Conference on Big Data (Big Data). New York:IEEE, 2017: 4664-4667.
[7]	LE Q, BOYDELL O, MAC NAMEE M B, et al. Deep Learning at the Shallow End: Malware Classification for Non-Domain Experts[J]. Digital Investigation, 2018, 26: 118-126.
[8]	QIAO Yanchen, JIANG Qingshan, JIANG Zhenchao, et al. A Multi-Channel Visualization Method for Malware Classification Based on Deep Learning[C]//IEEE. 2019 18th IEEE International Conference On Trust, Security And Privacy in Computing and Communications/13th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE). New York:IEEE, 2019: 757-762.
[9]	PINHERO A, ANUPAMA M L, VINOD P, et al. Malware Detection Employed by Visualization and Deep Neural Network[J]. Computers & Security, 2021, 105: 102247. doi: 10.1016/j.cose.2021.102247 URL
[10]	LIN W C, YEH Y R. Efficient Malware Classification by Binary Sequences with One-Dimensional Convolutional Neural Networks[J]. Mathematics, 2022, 10(4): 608. doi: 10.3390/math10040608 URL
[11]	O’SHAUGHNESSY S, SHERIDAN S. Image-Based Malware Classification Hybrid Framework Based on Space-Filling Curves[J]. Computers & Security, 2022, 116: 102660. doi: 10.1016/j.cose.2022.102660 URL
[12]	O’SHAUGHNESSY S. Image-Based Malware Classification: A Space Filling Curve Approach[C]//IEEE. 2019 IEEE Symposium on Visualization for Cyber Security (VizSec). New York:IEEE, 2019: 1-10.
[13]	WANG Xiangyi, ZHANG Jian. Abnormal Behavior Detection of Virtualization Platform Based on Image and Machine Learning[J]. Netinfo Security, 2020, 20(9): 92-96.
	王湘懿, 张健. 基于图像和机器学习的虚拟化平台异常检测[J]. 信息网络安全, 2020, 20(9): 92-96.
[14]	BASU K, KRISHNAMURTHY P, KHORRAMI F, et al. A Theoretical Study of Hardware Performance Counters-Based Malware Detection[J]. IEEE Transactions on Information Forensics and Security, 2019, 15: 512-525. doi: 10.1109/TIFS.2019.2924549 URL
[15]	KUMAR R, PATI S, LAHIRI K. Darts: Performance-Counter Driven Sampling Using Binary Translators[C]//IEEE. 2017 IEEE International Symposium on Performance Analysis of Systems and Software(ISPASS). New York:IEEE, 2017: 131-132.
[16]	TRIPATHI S, GRIECO G, RAWAT S. Exniffer: Learning to Prioritize Crashes by Assessing the Exploitability from Memory Dump[C]//IEEE. 2017 24th Asia-Pacific Software Engineering Conference (APSEC). New York:IEEE, 2017: 239-248.

类别	训练集/张	验证集/张	总计/张
正常软件内存图像	990	110	1100
恶意软件内存图像	1980	220	2200
总计	2970	330	3300

	预测为恶意软件内存图像	预测为正常软件内存图像
实际为恶意软件内存图像	TP	FN
实际为正常软件内存图像	FP	TN

Model	Hilbert			Z-order			Gray-code
Model	Accuracy	Precision	Recall	Accuracy	Precision	Recall	Accuracy	Precision	Recall
AlexNet	96.68%	98.17%	96.83%	94.26%	96.55%	95.37%	92.43%	94.59%	92.11%
InceptionV3	98.78%	98.12%	98.57%	97.28%	97.12%	97.66%	96.26%	96.22%	96.38%
ResNet34	90.03%	90.87%	94.57%	89.68%	90.17%	88.25%	88.16%	89.18%	88.09%
VGG16	91.25%	90.29%	89.66%	88.31%	87.64%	89.42%	90.17%	90.33%	90.59%
Efficient	93.96%	95.61%	94.38%	92.79%	92.74%	92.52%	91.06%	90.78%	91.78%
DenseNet	92.18%	92.14%	92.18%	89.55%	89.72%	88.48%	91.39%	90.45%	92.96%

模型	Batch_size
模型	16	32
AlexNet	24 s	23 s
InceptionV3	25 s	23 s
ResNet34	27 s	25 s
VGG16	33 s	31 s
Efficient	28 s	26 s
DenseNet	27 s	25 s

模型	输入图像大小
模型	112×112	224×224	448×448
AlexNet	95.88%	96.68%	97.81%
InceptionV3	96.25%	99.78%	97.34%
ResNet34	89.76%	90.03%	91.25%
VGG16	90.33%	91.25%	91.33%
Efficient	92.56%	93.96%	94.42%
DenseNet	91.49%	92.18%	90.16%