CloudIDEA: A Malware Defense Architecture for Cloud Data Centers

  • Andreas Fischer
  • Thomas Kittel
  • Bojan Kolosnjaji
  • Tamas K. Lengyel
  • Waseem Mandarawi
  • Hermann de Meer
  • Tilo Müller
  • Mykola Protsenko
  • Hans P. Reiser
  • Benjamin Taubmann (corresponding author)
  • Eva Weishäupl
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9415)


Due to the proliferation of cloud computing, cloud-based systems are becoming an increasingly attractive target for malware. In an Infrastructure-as-a-Service (IaaS) cloud, malware located in a customer’s virtual machine (VM) affects not only this customer, but may also attack the cloud infrastructure and other co-hosted customers directly. This paper presents CloudIDEA, an architecture that provides a security service for malware defense in cloud environments. It combines lightweight intrusion monitoring with on-demand isolation, evidence collection, and in-depth analysis of VMs on dedicated analysis hosts. A dynamic decision engine makes on-demand decisions on how to handle suspicious events, taking cost-efficiency and quality-of-service constraints into account.







Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Andreas Fischer (3)
  • Thomas Kittel (1)
  • Bojan Kolosnjaji (1)
  • Tamas K. Lengyel (1)
  • Waseem Mandarawi (3)
  • Hermann de Meer (3)
  • Tilo Müller (2)
  • Mykola Protsenko (2)
  • Hans P. Reiser (3)
  • Benjamin Taubmann (3, corresponding author)
  • Eva Weishäupl (4)

  1. Technische Universität München, München, Germany
  2. University of Erlangen-Nürnberg, Erlangen, Germany
  3. University of Passau, Passau, Germany
  4. University of Regensburg, Regensburg, Germany