Watson, Michael and Shirazi, Syed Noor Ul Hassan and Marnerides, Angelos and Mauthe, Andreas Ulrich and Hutchison, David (2016) Malware detection in cloud computing infrastructures. IEEE Transactions on Dependable and Secure Computing, 13 (2). pp. 192-205. ISSN 1545-5971
s1_ln199646832140517760_1939656818Hwf1727749427IdV_127961054119964683PDF_HI0001.pdf - Accepted Version
Available under License Creative Commons Attribution.
Download (2MB)
Abstract
Cloud services are prominent within the private, public and commercial domains. Many of these services are expected to be always on and have a critical nature; therefore, security and resilience are increasingly important aspects. In order to remain resilient, a cloud needs to possess the ability to react not only to known threats, but also to new challenges that target cloud infrastructures. In this paper we introduce and discuss an online cloud anomaly detection approach, comprising dedicated detection components of our cloud resilience architecture. More specifically, we exhibit the applicability of novelty detection under the one-class support Vector Machine (SVM) formulation at the hypervisor level, through the utilisation of features gathered at the system and network levels of a cloud node. We demonstrate that our scheme can reach a high detection accuracy of over 90% whilst detecting various types of malware and DoS attacks. Furthermore, we evaluate the merits of considering not only system-level data, but also network-level data depending on the attack type. Finally, the paper shows that our approach to detection using dedicated monitoring components per VM is particularly applicable to cloud scenarios and leads to a flexible detection system capable of detecting new malware strains with no prior knowledge of their functionality or their underlying instructions.