Andrew Sergeev, Eyal Ben-Sa'adon, Elad Tannenbaum, Asi Saar
Combined side-channels malware detection for NFV infrastructure
Proceedings of the Third Central European Cybersecurity Conference, published 2019-11-14
DOI: 10.1145/3360664.3360727 (https://doi.org/10.1145/3360664.3360727)
Citations: 2
Abstract
Network Function Virtualization (NFV) is an emerging approach gaining popularity among network providers. Nowadays, NFV infrastructure platforms are predominantly based on x86 architecture CPUs. However, vulnerabilities of the CPU architecture may allow an attacker to obtain root privileges and to plant malware. Among such malware is crypto mining, which is hardly detectable either by a malware scanner or by a firewall. In this paper we investigate the applicability of side-channel Key Performance Indicators (KPIs) for malware detection. We propose detecting the abnormal behavior using Machine Learning tools. Upon analyzing different side-channel technologies, we suggest using a combination of CPU performance KPIs with KPIs for the forwarding latency of NFV applications as an input to a Neural Network model. The model shall be trained in advance using two data sets: one set representing a clean system and the second set representing a compromised system (containing planted crypto-mining malware). The proposed approach would allow us to detect abnormal behavior caused by activation of the malware.