vDefender: An explainable and introspection-based approach for identifying emerging malware behaviour at hypervisor-layer in virtualization environment
IF 4 3区 计算机科学Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE
Avantika Gaur , Preeti Mishra , Vinod P. , Arjun Singh , Vijay Varadharajan , Uday Tupakula , Mauro Conti
{"title":"vDefender: An explainable and introspection-based approach for identifying emerging malware behaviour at hypervisor-layer in virtualization environment","authors":"Avantika Gaur , Preeti Mishra , Vinod P. , Arjun Singh , Vijay Varadharajan , Uday Tupakula , Mauro Conti","doi":"10.1016/j.compeleceng.2024.109742","DOIUrl":null,"url":null,"abstract":"<div><div>Virtualization can be defined as the backbone of cloud computing services, which has gathered significant attention from organizations and users. Due to the increasing number of cyberattacks, virtualization security has become a crucial area of study. In this paper, we propose an explainable and introspection-based malware detection approach called <em>vDefender</em> for fine-grain monitoring of virtual machine (VM) processes at the hypervisor to identify the malicious behaviour of 17 different malware families of Windows exhibiting new evolving behaviour. Initially, it performs a basic security check to detect hidden processes and ensures the presence of security-critical processes. Then, deep memory introspection is performed using a software breakpoints injection approach to intercept the execution of processes. Various process activity logs are captured that include process-related, file manipulation, kernel heap object creation, exception-related activities, etc. Hybrid feature vectors are derived from these logs, which are reconstructed using the proposed mechanism to eliminate the redundant behaviour. The features are then learnt using Random Forest (RF) algorithm to classify distinct malware families. The interpretation and analysis of RF results involve the use of explainability techniques. The proposed approach achieves an accuracy of 95.49%, F1-score of 95.82% with 0.05% false alarms when evaluated using an emerging malware dataset. The contribution includes a comprehensive discussion of results, accompanied by a comparative analysis of current approaches that gives readers insight towards future research directions.</div></div>","PeriodicalId":50630,"journal":{"name":"Computers & Electrical Engineering","volume":"120 ","pages":"Article 109742"},"PeriodicalIF":4.0000,"publicationDate":"2024-10-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Electrical Engineering","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0045790624006694","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}
引用次数: 0
Abstract
Virtualization can be defined as the backbone of cloud computing services, which has gathered significant attention from organizations and users. Due to the increasing number of cyberattacks, virtualization security has become a crucial area of study. In this paper, we propose an explainable and introspection-based malware detection approach called vDefender for fine-grain monitoring of virtual machine (VM) processes at the hypervisor to identify the malicious behaviour of 17 different malware families of Windows exhibiting new evolving behaviour. Initially, it performs a basic security check to detect hidden processes and ensures the presence of security-critical processes. Then, deep memory introspection is performed using a software breakpoints injection approach to intercept the execution of processes. Various process activity logs are captured that include process-related, file manipulation, kernel heap object creation, exception-related activities, etc. Hybrid feature vectors are derived from these logs, which are reconstructed using the proposed mechanism to eliminate the redundant behaviour. The features are then learnt using Random Forest (RF) algorithm to classify distinct malware families. The interpretation and analysis of RF results involve the use of explainability techniques. The proposed approach achieves an accuracy of 95.49%, F1-score of 95.82% with 0.05% false alarms when evaluated using an emerging malware dataset. The contribution includes a comprehensive discussion of results, accompanied by a comparative analysis of current approaches that gives readers insight towards future research directions.
期刊介绍:
The impact of computers has nowhere been more revolutionary than in electrical engineering. The design, analysis, and operation of electrical and electronic systems are now dominated by computers, a transformation that has been motivated by the natural ease of interface between computers and electrical systems, and the promise of spectacular improvements in speed and efficiency.
Published since 1973, Computers & Electrical Engineering provides rapid publication of topical research into the integration of computer technology and computational techniques with electrical and electronic systems. The journal publishes papers featuring novel implementations of computers and computational techniques in areas like signal and image processing, high-performance computing, parallel processing, and communications. Special attention will be paid to papers describing innovative architectures, algorithms, and software tools.