Abstract
Virtualization is critical to the infrastructure of cloud computing environments and other online services. The hypercall interface is provided by the hypervisor so that guest domains can issue privileged requests. Attackers may use this interface to send malicious hypercalls. In the reported work, repetitive hypercall attacks and attacks that send hypercalls in irregular sequences to the Xen hypervisor were analyzed, and an intrusion detection system (IDS) is proposed to detect these attacks. The proposed system is placed in the host domain (Dom0). By monitoring hypercall traffic, the system identifies irregular behaviors in the hypercalls sent from guest domains to the hypervisor. An association rule algorithm is then applied to the data collected within a fixed time window, and a set of thresholds for the maximum number of each type of hypercall is extracted. The results from the implementation of the proposed system show a 91% true positive rate.
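As an added illustration, not code from the paper, the following Python sketch models the detection idea described in the abstract: hypercall counts per guest domain within a fixed time window are compared against per-type thresholds learned from a clean baseline, and consecutive hypercall pairs never seen in the baseline are flagged as irregular. The traces are constructed sample data, and taking the observed maximum as the threshold is an assumed simplification standing in for the paper's association-rule step.

```python
from collections import Counter, defaultdict
WINDOW = 1.0  # fixed time window in seconds, as in the paper's approach

# Constructed sample traces: (timestamp_s, guest_domain_id, hypercall_name),
# made-up data standing in for hypercall logs collected in Dom0.
BASELINE_TRACE = [  # clean behaviour of domain 1, used to learn the profile
    (0.1, 1, "mmu_update"), (0.2, 1, "xen_version"), (0.3, 1, "sched_op"),
    (1.1, 1, "mmu_update"), (1.2, 1, "mmu_update"), (1.4, 1, "sched_op"),
    (2.1, 1, "xen_version"), (2.5, 1, "sched_op"), (2.6, 1, "mmu_update")]
TEST_TRACE = [  # domain 2: mmu_update burst, repeated sched_op, an unseen call
    (0.1, 2, "mmu_update"), (0.2, 2, "mmu_update"), (0.3, 2, "mmu_update"),
    (0.4, 2, "mmu_update"), (0.5, 2, "sched_op"), (1.1, 2, "sched_op"),
    (1.2, 2, "sched_op"), (2.1, 2, "xen_version"), (2.2, 2, "grant_table_op")]

def window_counts(trace, window=WINDOW):
    """Count hypercalls of each type per (domain, window index)."""
    counts = defaultdict(Counter)
    for ts, dom, name in trace:
        counts[(dom, int(ts // window))][name] += 1
    return counts

def domain_pairs(trace):
    """Consecutive (previous, next) hypercall pairs per domain, in time order."""
    seqs = defaultdict(list)
    for _, dom, name in sorted(trace):
        seqs[dom].append(name)
    return {dom: list(zip(s, s[1:])) for dom, s in seqs.items()}

def learn_profile(trace, window=WINDOW):
    """Per-type maximum count per window and the set of observed pairs; the
    observed maximum is an assumed stand-in for association-rule thresholds."""
    thresholds = Counter()
    for c in window_counts(trace, window).values():
        for name, n in c.items():
            thresholds[name] = max(thresholds[name], n)
    pairs = {p for ps in domain_pairs(trace).values() for p in ps}
    return dict(thresholds), pairs

def detect(trace, thresholds, pairs, window=WINDOW):
    """Return (kind, domain, detail) alerts: 'repetitive' when a window count
    exceeds its threshold, 'unknown' for a type absent from the baseline,
    'irregular' for a consecutive pair never observed in the baseline."""
    alerts = []
    for (dom, w), c in sorted(window_counts(trace, window).items()):
        for name, n in sorted(c.items()):
            if name not in thresholds:
                alerts.append(("unknown", dom, f"w{w} {name}"))
            elif n > thresholds[name]:
                alerts.append(("repetitive", dom, f"w{w} {name}x{n}"))
    for dom, ps in domain_pairs(trace).items():
        alerts += [("irregular", dom, f"{a}->{b}") for a, b in ps if (a, b) not in pairs]
    return alerts
```

Running `detect(TEST_TRACE, *learn_profile(BASELINE_TRACE))` yields two repetitive alerts, one unknown-type alert and three irregular-sequence alerts, while the baseline trace checked against its own profile yields none.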
Cite this article
Mostafavi, M., Kabiri, P. Detection of repetitive and irregular hypercall attacks from guest virtual machines to Xen hypervisor. Iran J Comput Sci 1, 89–97 (2018). https://doi.org/10.1007/s42044-018-0006-5