Leveraging Static Probe Instrumentation for VM-based Anomaly Detection System

  • Ady Wahyudi Paundu
  • Takeshi Okuda
  • Youki Kadobayashi
  • Suguru Yamaguchi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9543)


In this preliminary study, we introduce a framework to predict anomaly behavior from Virtual Machines (VMs) deployed in public IaaS cloud model. Within this framework we propose to use a static probe instrumentation technique inside hypervisor in order to collect monitoring data and a black-box signature based feature selection method using Linear Discriminant Analysis. As a proof of concept, we run several evaluation tests to measure the output quality and computation overhead of our Anomaly Detection System (ADS) using feature selection. The results show that our feature selection technique does not significantly reduce the anomaly prediction quality when compared with full featured ADS and gives a better accuracy when compared to ADS with system-call data. Furthermore, ADS with feature selection method creates lower computing overhead compared to the other two ADS.


Anomaly detection system Virtual Machine Static probe instrumentation Cloud security 


  1. 1.
    Chandramouli, R.: Security recomendations for hypervisor deployment. Draft NIST Special Publication 800–125-A, NIST - National Institute of Standards and Technology (2014)Google Scholar
  2. 2.
    Bhaduri, K., Das, K., Matthews, B.L.: Detecting abnormal machine characteristics in cloud infrastructures. In: ICDMW 2011 Proceedings of the IEEE 11th International Conference on Data Mining Workshops (2011)Google Scholar
  3. 3.
    Vallis, O., Hochenbaum, J., Kejariwal, A.: A novel technique for long term anomaly detection in the cloud. In: 6th USENIX Conference on Hot Topics in Cloud Computing (2014)Google Scholar
  4. 4.
    Asrigo, K., Litty, L., Lie, D.: Using vmm-based sensors to monitor honeypots. In: Proceedings of the 2nd International Conference on Virtual Execution Environments, VEE 2006, pp. 13–23 (2006)Google Scholar
  5. 5.
    Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: The 10th Annual Network and Distributed System Security Symposium (2003)Google Scholar
  6. 6.
    Adamova, K., Schatzmann, D., Plattner, B., Smith, P.: Network anomaly detection in the cloud: the challenge of virtual service migration. In: 2014 IEEE International Conference on Communications (ICC), Proceedings, pp. 3770–3775 (2014)Google Scholar
  7. 7.
    Huang, T., Zhu, Y., Zhang, Q., Zhu, Y., Wang, D., Qiu, M., Liu, L.: An lof-based adaptive anomaly detection scheme for cloud computing. In: IEEE 37th Annual Computer Software and Applications Conference Workshops (COMPSACW) (2013)Google Scholar
  8. 8.
    Dean, D.J., Nguyen, H., Xiaohui, G.: Ubl: unsupervised behavior learning for predicting performance anomalies in virtualized cloud systems. In: ICAC 2012 Proceedings of the 9th International Conference on Autonomic Computing (2012)Google Scholar
  9. 9.
    Wang, C., Viswanathan, K., Choudur, L., Talwar, V., Satterfield, W., Schwann, K.: Statistical techniques for online anomaly detection in data centers. In: IFIP/IEEE International Symposium on Integrated Network Management (2011)Google Scholar
  10. 10.
    Sha, W., Zhu, Y., Chen, M., Huang, T.: Statistical learning for anomaly detection in cloud server systems: a multi-order markov chain framework. IEEE Trans. Cloud Comput. PrePrinted (99) (2015). Doi:  10.1109/TCC.2015.2415813
  11. 11.
    Alarifi, S.S., Wolthusen, S.D.: Detecting anomalies in iaas environment through virtual machine host system call analysis. In: The 7th International Conference for Internet Technology and Secured Transactions (ICITST), 2012 (2012)Google Scholar
  12. 12.
    Avritzer, A., Tanikella, R., James, K., Cole, R.G., Weyuker, E.J.: Monitoring for security intrusion using performance signatures. In: WOSP/SIPEW, pp. 93–104 (2010)Google Scholar
  13. 13.
    R Core Team: R: A Language and Environment for Statistical Computing. R Foundation for Statistical Computing, Vienna, Austria (2014)Google Scholar
  14. 14.
    Cerdeira, J.O., Silva, P.D., Cadima, J., Minhoto, M.: Subselect: selecting variable subsets, R package version 0.12-4 (2014)Google Scholar
  15. 15.
    Pedregosa, F., Varoquaux, G., Gramfort, A., Michel, V., Thirion, B., Grisel, O., Blondel, M., Prettenhofer, P., Weiss, R., Dubourg, V., Vanderplas, J., Passos, A., Cournapeau, D., Brucher, M., Perrot, M., Duchesnay, E.: Scikit-learn: machine learning in python. J. Mach. Learn. Res. 12, 2825–2830 (2011)MathSciNetMATHGoogle Scholar
  16. 16.
    Doelitzscher, F., Knahl, M., Reich, C., Clarke, N.: Anomaly detection in iaas clouds. In: IEEE International Conference on Cloud Computing Technology and Science (2013)Google Scholar
  17. 17.
    Hofmeyr, S.A., Forrest, S., Somayaji, A.: Intrusion detection using sequences of system call. J. Comput. Secur. 6(3), 151–180 (1998)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Ady Wahyudi Paundu
    • 1
  • Takeshi Okuda
    • 1
  • Youki Kadobayashi
    • 1
  • Suguru Yamaguchi
    • 1
  1. 1.Nara Institute of Science and TechnologyIkomaJapan

Personalised recommendations