Research and Implementation on Abnormal Behavior Detection Technology of Virtualization Platform Based on HPC

doi:10.3969/j.issn.1671-1122.2023.10.009

Abstract

Abstract:

This paper proposed a dynamic detection method based on Hardware Performance Counter(HPC) and ensemble learning to solve the abnormal behavior detection problem of virtualization platform. This method collected HPC values of samples running on the KVM virtualization platform, and used feature importance scores generated during RF learning to filter features, so as to improve the accuracy of RF classification model and realized anomaly detection. This paper collected 1040 benign program samples and 1040 malicious program samples on the platform, and selected 8 important HPC events to judge malicious samples in the feature selection stage. The experimental results show that the RF classification model after feature selection can reach 95.38% accuracy on the test set, which has higher accuracy and stability than the similar model before feature selection and other traditional machine learning models. The method proposed in this paper can effectively detect the abnormal behavior on the virtualization platform

Key words: abnormal behavior detection, virtualization, hardware performance counter, ensemble learning

CLC Number:

TP309

XING Lingkai, ZHANG Jian. Research and Implementation on Abnormal Behavior Detection Technology of Virtualization Platform Based on HPC[J]. Netinfo Security, 2023, 23(10): 64-69.

Figures/Tables 7

References 19

[1]	VMware. VMware Security Response Center(vSRC) Response to ‘ESXiArgs’ Ransomware Attacks[EB/OL]. (2023-02-06) [2023-04-20]. https://blogs.vmware.com/security/2023/02/83330.html.
[2]	Shenzhen Yunzhan Information Technology Co., Ltd. Ransomware Virus Targeting VMware ESXi Server Attacks are Spreading, Ransomware Defense, Emergency Rescue, Hardening Guide[EB/OL]. (2023-03-28) [2023-04-20]. https://www.sohu.com/a/660016097_121679003.
	深圳云展信息技术有限公司. 勒索病毒针对VMware ESXi服务器攻击正在蔓延,勒索防御,紧急救援,加固指南[EB/OL]. (2023-03-28) [2023-04-20]. https://www.sohu.com/a/660016097_121679003.
[3]	UEKI K, KOURAI K. Fine-Grained Autoscaling with In-VM Containers and VM Introspection[C]// IEEE. 2020 IEEE/ACM 13th International Conference on Utility and Cloud Computing(UCC). New York: IEEE, 2020: 155-164.
[4]	SHARIF M, LEE W, CUI Weidong. Secure In-VM Monitoring Using Hardware Virtualization[C]// ACM. ACM Conference on Computer and Communications Security. New York: ACM, 2009: 477-488.
[5]	BILL B. The Rootkit Arsenal Escape and Evasion in the Dark Corners of the System[M]. Sudbury: Wordware Publishing, 2012.
[6]	YAN Guanglu, LUO Senlin, LIU Wangtong, et al. Highly Reliable In-VM Hidden Process Adversarial Detection Method[J]. Transaction of Beijing Institute of Technology, 2018, 38(3): 305-312.
	闫广禄, 罗森林, 刘望桐, 等. 高可靠In-VM隐藏进程对抗检测方法[J]. 北京理工大学学报, 2018, 38(3):305-312.
[7]	ENRICO B, PIETRO F, MARIUS M, et al. Branch History Injection: On the Effectiveness of Hardware Mitigations Against Cross-Privilege Spectre-v2 Attacks[C]// NDSS. 30th ISOC Network and Distributed System Security Symposium. San Diego: ISOC, 2023: 1-18.
[8]	ROBERT B, HANS N J, THILO K, et al. One Glitch to Rule Them All: Fault Injection Attacks Against AMD’s Secure Encrypted Virtualization[C]// ACM. The 2021 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2022: 971-988.
[9]	PATEL N, SASAN A, HOMAYOUN H. Analyzing Hardware Based Malware Detectors[C]// IEEE. The 54th Annual Design Automation Conference 2017. New York: IEEE, 2017: 1-6.
[10]	NIU Weina, ZHAO Chengyang, ZHANG Xiaosong, et al. ROPDetector: A Real-Time Detection Method for ROP Attacks Based on Hardware Performance Counters[J]. Chinese Journal of Computers, 2021, 44(4): 761-772.
	牛伟纳, 赵成洋, 张小松, 等. ROPDetector:一种基于硬件性能计数器的ROP攻击实时检测方法[J]. 计算机学报, 2021, 44(4):761-772.
[11]	Shanghai Yucheng Information Technology Co., Ltd. Introduction and Use of System-Level Performance Analysis Tools PERF[EB/OL]. (2019-11-18) [2023-04-23]. https://www.cnblogs.com/xuanbjut/p/11884262.html.
	上海语程信息科技有限公司. 系统级性能分析工具PERF的介绍与使用[EB/OL]. (2019-11-18) [2023-04-23]. https://www.cnblogs.com/xuanbjut/p/11884262.html.
[12]	REN Yongjie, CHENG Zhou. KVM in Action: Principles, Advanced and Performance Tuning[M]. Beijing: China Machine Press, 2019.
	任永杰, 程舟. KVM实战:原理、进阶与性能调优[M]. 北京: 机械工业出版社, 2019.
[13]	RED Hat. Perf_events[EB/OL]. (2018-04-20) [2023-04-23]. https://www.linux-kvm.org/page/Perf_events.
[14]	XU Jiayun, LI Yingjiu, ROBERT H, et al. Differential Training: A Generic Framework to Reduce Label Noises for Android Malware Detection[C]// NDSS. The Network and Distributed System Security Symposium(NDSS) 2021. San Diego: ISOC, 2021: 1-14.
[15]	ZHOU Zhihua. Machine Learning[M]. Beijing: Tsinghua University Press, 2016.
	周志华. 机器学习[M]. 北京: 清华大学出版社, 2016.
[16]	SINGH B, EVTYUSHKIN D, EWELL J, et al. On the Detection of Kernel-Level Rootkits Using Hardware Performance Counters[C]// ACM. Asia Conference on Computer and Communications Security(ASIACCS) 2017. New York: ACM, 2017: 483-493.
[17]	SAYADI H, SAI M, HOUMANSADR A, et al. Comprehensive Assessment of Run-Time Hardware-Supported Malware Detection Using General and Ensemble Learning[C]// ACM. International Conference on Computing Frontiers. New York: ACM, 2018: 212-215.
[18]	GAN Yuyou, MAO Yuhao, ZHANG Xuhong, et al. “Is Your Explanation Stable?”: A Robustness Evaluation Framework for Feature Attribution[C]// ACM. The 2022 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2022: 1157-1171.
[19]	SAYADI H, PATEL N, MANOJ P, et al. Ensemble Learning for Effective Run-Time Hardware-Based Malware Detection: A Comprehensive Analysis and Classification[C]// ACM. ACM/IEEE Design Automation Conference. New York: ACM, 2018: 1-6.

类型	训练集/条	验证集/条
良性程序	832	208
恶意程序	832	208

HPC事件名称	平均权重	HPC事件名称	平均权重
instructions	0.203351	iTLB-load-misses	0.025661
L1-icache-load-misses	0.167181	dTLB-stores	0.024406
cache-references	0.092756	dTLB-loads	0.024112
branch-load-misses	0.065809	branch-loads	0.023056
L1-dcache-load-misses	0.064845	L1-dcache-stores	0.022282
cycles	0.062174	L1-dcache-loads	0.021630
faults	0.051012	dTLB-load-misses	0.021491
iTLB-loads	0.032164	dTLB-store-misses	0.016320
LLC-store-misses	0.030016	LLC-loads	0.014983
LLC-load-misses	0.022998	LLC-stores	0.013761

模型	HPC事件	准确率	F1分数
Ridge	8	55.53%	0.4504
Ridge	20	60.00%	0.4290
Logistics	8	58.65%	0.5795
Logistics	20	74.23%	0.7418
Adaboost	8	95.00%	0.9500
Adaboost	20	88.85%	0.8884
RF	8	95.38%	0.9538
RF	20	92.69%	0.9267