TY - JOUR
T1 - Malware Detection Based on Dynamic Multi-Feature Using Ensemble Learning at Hypervisor
AU - Zhang, Jian
AU - Gao, Cheng
AU - Gong, Liangyi
AU - Gu, Zhaojun
AU - Man, Dapeng
AU - Yang, Wu
AU - Du, Xiaojiang
N1 - Publisher Copyright:
© 2018 IEEE.
PY - 2018
Y1 - 2018
N2 - More data and applications are moving to the cloud, which presents many new security risks. Malware is one of the most significant threats to cloud computing. In this paper, we explore employing virtual machine introspection (VMI) and memory forensics analysis (MFA) techniques to detect malware running in guest virtual machines. Our scheme differs from existing malware detection methods based on virtualization technology in three aspects. First, this paper combines VMI with MFA to extract multiple types of features from the guest virtual machine at the same time, which effectively minimizes the data acquisition overhead. Second, compared with single dynamic feature or multiple static feature detection methods, our data acquisition method employs dynamic features of multiple types and effectively improves the detection of sophisticated malware. Finally, we use the AdaBoost ensemble learning method and a voting combination strategy to improve the accuracy and generalization ability of the overall classifier. Experimental results on a large number of real-world malware samples show that our scheme achieves a detection accuracy of 0.9975. Our approach can improve the security of virtual machines and thereby effectively enhance the security of the cloud computing environment.
AB - More data and applications are moving to the cloud, which presents many new security risks. Malware is one of the most significant threats to cloud computing. In this paper, we explore employing virtual machine introspection (VMI) and memory forensics analysis (MFA) techniques to detect malware running in guest virtual machines. Our scheme differs from existing malware detection methods based on virtualization technology in three aspects. First, this paper combines VMI with MFA to extract multiple types of features from the guest virtual machine at the same time, which effectively minimizes the data acquisition overhead. Second, compared with single dynamic feature or multiple static feature detection methods, our data acquisition method employs dynamic features of multiple types and effectively improves the detection of sophisticated malware. Finally, we use the AdaBoost ensemble learning method and a voting combination strategy to improve the accuracy and generalization ability of the overall classifier. Experimental results on a large number of real-world malware samples show that our scheme achieves a detection accuracy of 0.9975. Our approach can improve the security of virtual machines and thereby effectively enhance the security of the cloud computing environment.
KW - Dynamic Multi-feature
KW - Ensemble learning
KW - Malware detection
KW - Memory forensics analysis
KW - Virtual machine introspection
UR - http://www.scopus.com/inward/record.url?scp=85063497008&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85063497008&partnerID=8YFLogxK
U2 - 10.1109/GLOCOM.2018.8648070
DO - 10.1109/GLOCOM.2018.8648070
M3 - Conference article
AN - SCOPUS:85063497008
SN - 2334-0983
JO - Proceedings - IEEE Global Communications Conference, GLOBECOM
JF - Proceedings - IEEE Global Communications Conference, GLOBECOM
M1 - 8648070
T2 - 2018 IEEE Global Communications Conference, GLOBECOM 2018
Y2 - 9 December 2018 through 13 December 2018
ER -