Fazalur Rehman, Z. Muhammad, S. Asif, Hameedur Rahman
Title: The next generation of cloud security through hypervisor-based virtual machine introspection
Authors: Fazalur Rehman, Z. Muhammad, S. Asif, Hameedur Rahman
Venue: 2023 3rd International Conference on Artificial Intelligence (ICAI)
Published: 2023-02-22
DOI: 10.1109/ICAI58407.2023.10136655 (https://doi.org/10.1109/ICAI58407.2023.10136655)
Citations: 1
Abstract
Cloud computing has become increasingly prevalent in recent years, providing organizations with on-demand resources. While cloud infrastructure has matured with security enhancements, attackers' strategies for launching attacks on cloud networks are also becoming more sophisticated, posing a risk to the system's confidentiality, integrity, and availability. Virtualization is a key aspect of cloud computing: it allows physical computers to share their resources and computing power. To secure cloud infrastructure, multiple defensive measures are used, such as virtual-level segregation, intrusion detection and prevention systems (IDS/IPS), cloud access security brokers (CASB), and endpoint detection and response. These safeguards are often run inside the virtual machines that share a common network, making them vulnerable to deception, insider threats, and network-level attacks. Previous research has primarily relied on the traditional approaches discussed, with limited use of hypervisor-based introspection. In this paper, we propose a novel hypervisor-based virtual machine introspection (HVMI) tool to detect attacks on the cloud platform and perform runtime forensic analysis of them. The proposed solution consists of a client application that runs on a host of the cloud provider. In case of any security breach, the HVMI notifies the cloud provider and starts forensic analysis to detect and minimize the impact of the breach. Additionally, HVMI uses Structured Threat Information Expression (STIX) to generate standardized threat details that are easy to understand and widely adopted by cyber professionals. STIX patterns may also be made publicly available, allowing security organizations to derive defensive strategies against certain types of cyberattacks that occur in the cloud.