2008, … in Mobile …
This research proposes a novel approach to mobile security by offloading detection functionalities to a cloud-based network service, enhancing resource management on mobile devices. Key architecture components include a lightweight mobile agent and a network service capable of employing multiple detection engines, allowing for scalable and efficient malware detection. Evaluation results indicate a significant reduction in CPU, memory usage, and power consumption as compared to traditional on-device antivirus solutions, while maintaining robust detection capabilities.
Today's desktop PCs rely on security software such as anti-virus products and personal firewalls for protection. Unfortunately, malware authors have adapted by specifically targeting and disabling these defenses, a practice exacerbated by the rise in zero-day exploits. In this paper, we present the design, implementation, and evaluation of SAV-V, a platform that enhances the detection capabilities of antivirus software. Our platform leverages virtualization to preserve the integrity of AV software and to guarantee access to AV updates. SAV-V also uses secure logging and a split file system to preserve the fidelity of input to the AV program. Combined with our technique of fake shutdowns, these measures allow SAV-V to eventually detect any zero-day malware that writes to disk. Benchmarks of our prototype system suggest that SAV-V can be implemented efficiently, and we validate our prototype by testing it against real-world malware.
Advances in Science, Technology and Engineering Systems Journal
In today's information-based world, it is increasingly important to safeguard the data owned by any organization, be it intellectual property or personal information. With the ever-increasing sophistication of malware, it is imperative to come up with automated and advanced methods of attack vector recognition and isolation. Existing methods are not dynamic enough to adapt to the behavioral complexity of new malware. Widely used operating systems, especially Linux, have a popular perception of being more secure than other operating systems (e.g. Windows), but this is not necessarily true. The open source nature of the Linux operating system is a double-edged sword; malicious actors having full access to the kernel code does not reassure the IT world about Linux's vulnerabilities. Recent widely reported hacking attacks on reputable organizations have mostly been on Linux servers. Most new malware is able to neutralize existing defenses on the Linux operating system. A radical solution for malware detection is needed, one which cannot be detected and damaged by malicious code. In this paper, we propose a novel framework design that uses virtualization to isolate and monitor Linux environments. The framework uses the well-known Xen hypervisor to host server environments and uses a Virtual Memory Introspection framework to capture process behavior. The behavioral data is analyzed using sophisticated machine learning algorithms to flag potential cyber threats. The framework can be enhanced to have self-healing properties: any compromised hosts are immediately replaced by their uncompromised versions, limiting the exposure to the wider enterprise network.
2012
This article presents an overview of some of the major works that focus on the use of virtualization in intrusion detection systems to protect against threats in cloud computing environments. The elasticity and abundant availability of computational resources are attractive to attackers, who exploit vulnerabilities of the cloud and launch attacks against legitimate users to gain access to private and privileged data. To effectively protect cloud users, an IDS should have the ability to expand, increase or rapidly decrease the number of sensors according to the quantity of resources, as well as the ability to isolate access to the system levels and infrastructures. For this purpose, characteristics of virtual machines such as quick startup, fast recovery, stop, migration between different hosts and execution across multiple platforms can be exploited in VM-based IDS, making it a great alternative for monitoring intrusions in cloud computing environments.
Security and Communication Networks, 2011
The ever-increasing malware variants pose serious challenges for traditional signature-based anti-virus (AV) scan engines. To effectively handle the scale and magnitude of new malware variants, AV functionality is being moved from the user desktop into the cloud. AV in-the-cloud service is becoming the next-generation security infrastructure designed to defend against virus threats. It provides reliable protection service delivered through data centers worldwide, which are built on virtualization technologies. Nowadays, cloud-based security services are gaining bullish projections in both consumer and enterprise markets. However, are we getting ready for the cloud evolution? Security vendors are facing various challenges regarding the architectural design, implementation, and validation. Owing to the lack of operation standards among vendors and very few research works conducted up to this point, researchers have no references of AV cloud testing to rely on. In this paper, the architecture of AV in-the-cloud service is described. The challenges and solutions are discussed and illustrated by examples taken from our cutting-edge research on practical applications.
International Journal of Advanced Trends in Computer Science and Engineering, 2020
Cloud security is of paramount importance in the new era of computing. Advanced malware can hide its behavior on detecting the presence of a security tool at a tenant virtual machine (TVM). When the client and server exchange messages, their activity can be observed and tracked in detail: the activities that occur in the network show login and logout durations, the user's behavior, etc. There are several types of attacks originating from the internet. VM Guard applies the software breakpoint injection technique by storing the activities performed by the user on a cloud-based e-commerce application, and then a habitat file is generated. From the habitat file, Text Frequency and Inverse Document Frequency (TF-IDF) of the user actions is computed, and then a random forest algorithm is applied to classify the users into intruders and non-intruders.
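The abstract above describes a pipeline from a habitat file of user actions to TF-IDF features and then a classifier. The following is an added example written for this page, not VM Guard's code: it parses a constructed habitat file (the line format, the user names and the action names are all assumptions), builds unsmoothed TF-IDF vectors per user, and lays them out as dense rows over a fixed vocabulary, which is the input shape a random forest would consume. The classifier itself is not part of the example.

```python
"""Added example (not VM Guard's code): turning a habitat file of per-user
actions into TF-IDF feature vectors, the step that precedes the random-forest
classification.  The log format, the users and the actions are constructed."""
import math
import re
from collections import Counter

# Constructed habitat file: one "user action" record per line.  The last
# line is deliberately malformed to show how the parser treats bad records.
HABITAT = """\
alice login
alice view_product
alice add_to_cart
alice checkout
alice logout
bob login
bob view_product
bob logout
mallory login
mallory admin_panel
mallory export_orders
mallory export_orders
mallory sql_console
mallory logout
garbage line that does not parse!!
"""

RECORD = re.compile(r"^(\w+)\s+(\w+)$")


def parse_habitat(text: str) -> dict:
    """Group actions per user in order of occurrence.  Malformed lines are
    skipped rather than aborting the run, so one bad record cannot hide a
    whole user's history from the classifier."""
    per_user: dict = {}
    for raw in text.splitlines():
        m = RECORD.match(raw.strip())
        if m:
            user, action = m.groups()
            per_user.setdefault(user, []).append(action)
    return per_user


def tfidf(docs: dict) -> dict:
    """Each user's action list is one document and each distinct action a term.
    tf = count / document length; idf = ln(N / df), unsmoothed (assumption).
    An action every user performs (login, logout) therefore gets weight 0."""
    n = len(docs)
    df: Counter = Counter()
    for actions in docs.values():
        df.update(set(actions))
    return {
        user: {term: (c / len(actions)) * math.log(n / df[term])
               for term, c in Counter(actions).items()}
        for user, actions in docs.items()
    }


def feature_matrix(vectors: dict) -> tuple:
    """Dense rows over a fixed, sorted vocabulary: the shape a classifier
    such as a random forest consumes.  Returns (vocab, {user: row})."""
    vocab = sorted({t for v in vectors.values() for t in v})
    rows = {user: [v.get(t, 0.0) for t in vocab] for user, v in vectors.items()}
    return vocab, rows


if __name__ == "__main__":
    vocab, rows = feature_matrix(tfidf(parse_habitat(HABITAT)))
    print(vocab)
    for user, row in rows.items():
        print(user, [round(x, 3) for x in row])
```

With this corpus the rows for alice and bob are dominated by shopping actions while mallory's weight sits on admin_panel, export_orders and sql_console; that separation, not the raw counts, is what a downstream classifier is trained on.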
Universität Würzburg, 2016
Virtualization allows the creation of virtual instances of physical devices, such as network and processing units. In a virtualized system, governed by a hypervisor, resources are shared among virtual machines (VMs). Virtualization has been receiving increasing interest as a way to reduce costs through server consolidation and to enhance the flexibility of physical infrastructures. Although virtualization provides many benefits, it introduces new security challenges; that is, the introduction of a hypervisor introduces threats since hypervisors expose new attack surfaces.
[Figure residue: workload types for IDS evaluation]
Pure benign, mixed or pure malicious workloads in executable form. Key information: generated workloads closely resemble real workloads; multiple evaluation runs are required to ensure statistical significance of IDS behavior; generated malicious workloads require specific victim environments, so replicating experiments that use malicious workloads is challenging.
Pure benign workloads from workload drivers (Section 3.2.1). Key information: generated workloads can be customized in terms of their temporal and intensity characteristics; generated workloads do not resemble real-life workloads as closely as those manually generated.
International Journal of Advanced Computer Science and Applications, 2014
Antivirus software is one of the most widely used tools for detecting and stopping malicious and unwanted files. However, the long-term effect of traditional host-based antivirus is questionable. Antivirus software fails to detect many modern threats, and its increasing complexity has resulted in vulnerabilities that are being exploited by malware. This paper advocates a new model for malware detection on end hosts based on providing antivirus as an in-cloud network service. This model enables identification of malicious and unwanted software by multiple detection engines. This approach provides several important benefits, including better detection of malicious software, enhanced forensics capabilities and improved deployability. Malware detection in cloud computing includes a lightweight, cross-platform host agent and a network service. This paper combines detection techniques: static signature analysis and dynamic analysis detection. Using this mechanism we find that cloud malware detection provides 35% better detection coverage against recent threats compared to a single antivirus engine and a 98% detection rate across the cloud environment.
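Both the mobile in-cloud service abstract near the top of this page and the in-cloud antivirus model above share one architecture: a lightweight host agent and a network service that consults several detection engines. The following is an added example written for this page, not code from either paper: the three "engines", the hash cache on both sides and the rule that two engines must agree are assumptions made for the example. The only real data it uses is the standard EICAR test string.

```python
"""Added example (not code from either paper above): a lightweight host agent
and an in-cloud service that fans a submitted file out to several detection
engines and aggregates their verdicts.  The engines, the hash caches and the
"two engines must agree" threshold are assumptions made for this example."""
import hashlib
from typing import Optional

# The EICAR test string is a standard, harmless file every AV engine flags.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Detection engines: constructed stand-ins for real AV scanners ----------
# Each takes the raw bytes and returns (malicious?, label).

def engine_hash_blacklist(data: bytes) -> tuple:
    """Exact-match signature engine keyed on SHA-256 (constructed blacklist)."""
    blacklist = {sha256(EICAR): "EICAR-Test-File"}
    label = blacklist.get(sha256(data), "")
    return bool(label), label


def engine_string_scan(data: bytes) -> tuple:
    """Static pattern engine: looks for a known byte sequence in the file."""
    hit = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE" in data
    return hit, "EICAR.pattern" if hit else ""


def engine_heuristic(data: bytes) -> tuple:
    """Heuristic engine: flags mostly non-printable content as a crude
    stand-in for a packer/entropy detector (constructed heuristic)."""
    if not data:
        return False, ""
    nonprintable = sum(1 for b in data if b < 0x20 or b > 0x7E)
    hit = nonprintable / len(data) > 0.6
    return hit, "Heur.Packed" if hit else ""


ENGINES = {
    "hash-blacklist": engine_hash_blacklist,
    "string-scan": engine_string_scan,
    "heuristic": engine_heuristic,
}


class CloudAVService:
    """Network side: runs every engine on a submission and caches the aggregated
    verdict by hash, so a later host asking about the same file is answered
    from the hash alone and never has to upload the bytes."""

    def __init__(self, engines: dict, min_agreeing: int = 2):
        self.engines = engines
        self.min_agreeing = min_agreeing  # engines that must flag (assumption)
        self.cache: dict = {}

    def lookup(self, digest: str) -> Optional[dict]:
        """Step 1 of the agent/service exchange: hash-only query."""
        return self.cache.get(digest)

    def scan(self, data: bytes) -> dict:
        """Step 2: full file submission after a cache miss."""
        digest = sha256(data)
        if digest in self.cache:
            return self.cache[digest]
        flagged = {}
        for name, engine in self.engines.items():
            hit, label = engine(data)
            if hit:
                flagged[name] = label
        result = {
            "sha256": digest,
            "malicious": len(flagged) >= self.min_agreeing,
            "flagged_by": sorted(flagged),
            "labels": sorted(set(flagged.values())),
        }
        self.cache[digest] = result
        return result


class HostAgent:
    """Lightweight client: hashes the file, consults its own cache, then the
    service's hash cache, and uploads the bytes only when both miss."""

    def __init__(self, service: CloudAVService):
        self.service = service
        self.local_cache: dict = {}
        self.uploads = 0  # how many times file bytes left this host

    def check(self, data: bytes) -> bool:
        digest = sha256(data)
        if digest in self.local_cache:
            return self.local_cache[digest]
        result = self.service.lookup(digest)
        if result is None:
            self.uploads += 1
            result = self.service.scan(data)
        self.local_cache[digest] = result["malicious"]
        return result["malicious"]


def demo() -> tuple:
    """Two agents share one service; the second never uploads the EICAR bytes."""
    service = CloudAVService(ENGINES)
    phone_a, phone_b = HostAgent(service), HostAgent(service)
    benign = b"Hello, this is an ordinary text document.\n"
    verdicts = [phone_a.check(EICAR), phone_a.check(benign), phone_b.check(EICAR)]
    return verdicts, phone_a.uploads, phone_b.uploads, service.scan(EICAR)["flagged_by"]


if __name__ == "__main__":
    print(demo())
```

The agreement threshold is the knob that trades the extra coverage of many engines against their combined false-positive rate; requiring one engine maximizes coverage, requiring all of them collapses to the weakest engine. The hash-first exchange is also what keeps the agent light: the host does no scanning and, for a file the service has already seen, sends nothing but a digest.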
Proceedings of the ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, 2017
Traditional Intrusion Detection Systems (IDSes) are generally implemented on vendor proprietary appliances or middleboxes, which usually lack a general programming interface, and their versatility and flexibility are also very poor. Emerging Network Function Virtualization (NFV) technology can virtualize IDSes and elastically scale them to deal with attack traffic variations. However, existing NFV solutions treat a virtualized IDS as a monolithic piece of software, which could lead to inflexibility and significant waste of resources. In this paper, we propose a novel approach to virtualize IDSes as microservices where the virtualized IDSes can be customized on demand, and the underlying microservices could be shared and scaled independently. We also conduct experiments, which demonstrate that virtualizing IDSes as microservices can gain greater flexibility and resource efficiency.
Virtual machines (VMs) are underlying technologies of IT solutions such as cloud computing. VMs provide ease of use through their on-demand characteristics and provide huge benefits in terms of lowering costs and improving scalability. VMs are also being used as malware detection systems, and with the rapidly expanding usage of mobile devices, besides their usage as honeypots, VMs are coming to be used as emulators for detecting malware in apps. This is due to the limited resources, such as processing power, available in mobile devices. Currently, the security of applications for mobile devices is checked by running them in VM environments before they are released to the end user. We argue that such a process may cause or overlook serious security threats to the end user. In particular, if a piece of malware can detect its current running environment, it may change its behavior such that it doesn't perform malicious operations in environments it suspects to be emulators. In this way, when the malware detects that its running environment is a VM, it may be able to hide from the security system on the VM. This is a potential security hazard for end users, especially users of mobile devices. In this paper, we present a VM detection method that we argue could be used for remotely detecting VM environments. The detection method works by analyzing the pattern of IP timestamps in replies sent from the target environment. The method does not require any installation of software on the target machine, which further increases its potential for harm if it were to be used by malware to detect VM environments. In this paper, we also present a technique to disguise a real PC machine such that it shows IP timestamp patterns similar to those of a VM. By using this technique, malware may not be able to differentiate between a real machine and a VM, thus providing protection to PC end users.
Lecture Notes in Electrical Engineering, 2014
Lecture Notes in Computer Science, 2014
International Journal of Distributed and Cloud Computing, 2019
The Journal of Supercomputing, 2015
Lecture Notes in Computer Science, 2012
International Journal of Scientific & Technology Research, 2014
Research in Attacks, Intrusions, and Defenses, 2015