P. Mishra, Ishita Verma, Saurabh Gupta, Varun S. Rana, Kavitha Kadarla
vProVal: Introspection based Process Validation for Detecting Malware in KVM-based Cloud Environment
2019 Fourth International Conference on Fog and Mobile Edge Computing (FMEC), 2019-06-01
DOI: 10.1109/FMEC.2019.8795365 (https://doi.org/10.1109/FMEC.2019.8795365)
Citations: 4
Abstract
In the modern era of computing, Cloud security is of paramount importance. Most research has focused on In-Virtual Machine (In-VM) security techniques for detecting malware affecting virtual domains running in the Cloud. In-VM security techniques are deployed inside the VM and hence are very prone to subversion attacks. In this paper, an out-VM monitoring approach based on introspection, called vProVal, is proposed. vProVal is designed to detect hidden processes and rootkits that disable the security tool running in the monitored VM in a Kernel VM (KVM)-based cloud environment. It performs malware detection from outside the VM, at the KVM layer, and is hence more robust to attacks. The introspection technique extracts the low-level details of a running VM from the hypervisor by viewing its memory, trapping on hardware events, and accessing the vCPU registers. A preliminary analysis has been performed and the approach is found to be promising.