Network Based Malware Detection within Virtualised Environments

  • Pushpinder Kaur Chouhan
  • Matthew Hagan
  • Gavin McWilliams
  • Sakir Sezer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8805)


While virtualisation can provide many benefits to a networks infrastructure, securing the virtualised environment is a big challenge. The security of a fully virtualised solution is dependent on the security of each of its underlying components, such as the hypervisor, guest operating systems and storage.

This paper presents a single security service running on the hypervisor that could potentially work to provide security service to all virtual machines running on the system. This paper presents a hypervisor hosted framework which performs specialised security tasks for all underlying virtual machines to protect against any malicious attacks by passively analysing the network traffic of VMs. This framework has been implemented using Xen Server and has been evaluated by detecting a Zeus Server setup and infected clients, distributed over a number of virtual machines. This framework is capable of detecting and identifying all infected VMs with no false positive or false negative detection.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Azmandian, F., Moffie, M., Alshawabkeh, M., Dy, J., Aslam, J., Kaeli, D.: Virtual machine monitor-based lightweight intrusion detection. SIGOPS Oper. Syst. Rev. 45(2), 38–53 (2011)CrossRefGoogle Scholar
  2. 2.
    Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Neugebauer, R., Pratt, I., Warfield, A.: Xen and the art of virtualization. SIGOPS Oper. Syst. Rev. 37(5), 164–177 (2003)CrossRefGoogle Scholar
  3. 3.
    Borders, K., Zhao, X., Prakash, A.: Siren: Catching evasive malware (short paper). In: Proceedings of the 2006 IEEE Symposium on Security and Privacy, SP 2006, pp. 78–85. IEEE Computer Society, Washington, DC (2006)Google Scholar
  4. 4.
    Bugiel, S., Nürnberger, S., Sadeghi, A.-R., Schneider, T.: Twin clouds: Secure cloud computing with low latency. In: De Decker, B., Lapon, J., Naessens, V., Uhl, A. (eds.) CMS 2011. LNCS, vol. 7025, pp. 32–44. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  5. 5.
    Dunlap, G.W., King, S.T., Cinar, S., Basrai, M.A., Chen, P.M.: Revirt: Enabling intrusion analysis through virtual-machine logging and replay. SIGOPS Oper. Syst. Rev. 36(SI), 211–224 (2002)CrossRefGoogle Scholar
  6. 6.
    Falliere, N., Chien, E.: Zeus: King of the bots (2009)Google Scholar
  7. 7.
    Garfinkel, T., Pfaff, B., Chow, J., Rosenblum, M., Boneh, D.: Terra: A virtual machine-based platform for trusted computing. In: 9th ACM Symposium on Operating Systems Principles, SOSP 2003, pp. 193–206. ACM, New York (2003)Google Scholar
  8. 8.
    Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: Proc. Network and Distributed Systems Security Symposium, pp. 191–206 (2003)Google Scholar
  9. 9.
    Han-zhang, W., Liu-sheng, H.: An improved trusted cloud computing platform model based on daa and privacy ca scheme. In: 2010 International Conference on Computer Application and System Modeling (ICCASM), Oct 2010, vol. 13 (2010)Google Scholar
  10. 10.
    Harrison, K., Bordbar, B., Ali, S.T.T., Dalton, C.I., Norman, A.: A Framework for Detecting Malware in Cloud by Identifying Symptoms, pp. 164–172. IEEE (2012)Google Scholar
  11. 11.
    Hurley, J., Munoz, A., Sezer, S.: Itaca: Flexible, scalable network analysis. In: ICC, pp. 1069–1073. IEEE (2012)Google Scholar
  12. 12.
    King, S.T., Chen, P.M., Wang, Y.-M., Verbowski, C., Wang, H.J., Lorch, J.R.: Subvirt: Implementing malware with virtual machines. In: IEEE Symposium on Security and Privacy, SP 2006, pp. 314–327. IEEE Computer Society (2006)Google Scholar
  13. 13.
    Nguyen, A.-Q., Takefuji, Y.: A novel approach for a file-system integrity monitor tool of xen virtual machine. In: Bao, F., Miller, S. (eds.) ASIACCS, ACM (2007)Google Scholar
  14. 14.
    Oberheide, J., Veeraraghavan, K., Cooke, E., Flinn, J., Jahanian, F.: Virtualized in-cloud security services for mobile devices. In: 1st Workshop on Virtualization in Mobile Computing, MobiVirt 2008, pp. 31–35. ACM, New York (2008)Google Scholar
  15. 15.
    Porras, P.A.: Directions in network-based security monitoring. IEEE Security & Privacy 7(1), 82–85 (2009)CrossRefGoogle Scholar
  16. 16.
    Santos, N., Gummadi, K.P., Rodrigues, R.: Towards trusted cloud computing. In: Proceedings of the 2009 Conference on Hot Topics in Cloud Computing, HotCloud 2009. USENIX Association, Berkeley (2009)Google Scholar
  17. 17.
    Shen, Z., Li, L., Yan, F., Wu, X.: Cloud computing system based on trusted computing platform. In: International Conference on Intelligent Computation Technology and Automation, ICICTA 2010, vol. 01. IEEE Computer Society (2010)Google Scholar
  18. 18.
    Thakar, N.: Botnets remain a leading threat (2013),
  19. 19.
    Wang, H., Zhou, H., Wang, C.: Virtual machine-based intrusion detection system framework in cloud computing environment. JCP 7(10), 2397–2403 (2012)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Pushpinder Kaur Chouhan
    • 1
  • Matthew Hagan
    • 1
  • Gavin McWilliams
    • 1
  • Sakir Sezer
    • 1
  1. 1.Centre for Secure Information TechnologiesQueens University of BelfastNorthern Ireland, UK

Personalised recommendations