MinCloud: Trusted and transferable MinHash-based framework for unknown malware detection for Linux cloud environments

Impact factor 3.8 | Tier 2 (Computer Science) | Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS
Tomer Panker, Aviad Cohen, Tom Landman, Chen Bery, Nir Nissim
Journal: Journal of Information Security and Applications, Volume 87, Article 103907
DOI: 10.1016/j.jisa.2024.103907
Published: 2024-11-06 (Journal Article)
Publisher page: https://www.sciencedirect.com/science/article/pii/S2214212624002096
Citations: 0

Abstract

Linux clouds have become an attractive target for cyber-attacks. However, existing detection solutions for Linux clouds have a variety of limitations. Some of the solutions are untrusted, incapable of detecting unknown malware, or rely on a human expert to define the features. Other solutions are trusted but require a large amount of computational resources or have a limited ability to detect rootkits, fileless malware, or malware on a different server. In this study, we propose MinCloud, a trusted and transferable MinHash-based framework for unknown malware detection in Linux virtual servers that overcomes the limitations of existing solutions. In the first stage, we acquired volatile memory dumps from virtual servers by querying the hypervisor in a trusted manner and then analyzed them using the MinHash method. Finally, the MinHash characteristics are harnessed by applying machine learning classifiers to achieve precise malware detection. MinCloud was evaluated on widely used Linux virtual servers, various benign and malicious applications, and 23,000 volatile memory dumps, each representing different behaviors of the examined servers and the executed applications over time. MinCloud's evaluation shows it can (1) detect unknown malware, (2) classify unknown malware according to its malware category, (3) detect fileless attacks and rootkit malware, and (4) accurately transfer detection between different Linux servers. MinCloud outperformed state-of-the-art trusted detection methods and commonly used antiviruses.
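As an added illustration (not the paper's code; MinCloud's shingle length, hash count and feature pipeline are not given on this page), the following Python sketch shows the MinHash step the abstract describes: a raw memory dump is shingled into byte n-grams, reduced to a fixed-length signature, and compared to reference signatures to estimate similarity, which is the kind of characteristic a classifier would then consume. The sample dumps, shingle length and hash family are assumptions.

```python
import hashlib
import struct
from typing import Dict, List, Set

NUM_HASHES = 64   # signature length (assumed; the paper's parameter is not on this page)
SHINGLE_LEN = 4   # byte n-gram used as the shingle unit (assumed)


def shingles(dump: bytes, k: int = SHINGLE_LEN) -> Set[bytes]:
    """Set of overlapping k-byte sequences in a raw memory dump."""
    return {dump[i:i + k] for i in range(len(dump) - k + 1)}


def _hash_i(i: int, shingle: bytes) -> int:
    """i-th member of the hash family: keyed BLAKE2b truncated to 64 bits."""
    digest = hashlib.blake2b(shingle, digest_size=8, key=i.to_bytes(4, "big")).digest()
    return struct.unpack(">Q", digest)[0]


def minhash_signature(dump: bytes, num_hashes: int = NUM_HASHES) -> List[int]:
    """For each hash function keep the minimum value over all shingles."""
    shs = shingles(dump)
    if not shs:
        raise ValueError("dump is shorter than the shingle length")
    return [min(_hash_i(i, s) for s in shs) for i in range(num_hashes)]


def estimated_jaccard(sig_a: List[int], sig_b: List[int]) -> float:
    """Fraction of matching positions estimates the Jaccard similarity of the shingle sets."""
    return sum(a == b for a, b in zip(sig_a, sig_b)) / len(sig_a)


def exact_jaccard(dump_a: bytes, dump_b: bytes) -> float:
    """Ground truth for comparison; costs O(|shingles|), unlike the fixed-size signatures."""
    a, b = shingles(dump_a), shingles(dump_b)
    return len(a & b) / len(a | b)


def nearest_label(sig: List[int], labelled: Dict[str, List[int]]) -> str:
    """1-NN over signatures: the label whose reference dump is most similar."""
    return max(labelled, key=lambda lbl: estimated_jaccard(sig, labelled[lbl]))


# Constructed sample dumps (not real memory images)
BENIGN = b"sshd: accepting connections\x00bash -c ls\x00cron: job ok\x00" * 8
BENIGN_VARIANT = BENIGN + b"nginx: worker started\x00"
UNRELATED = bytes(range(256)) * 3
```

Because a signature is fixed-size regardless of dump size, comparing a new dump against a library of reference signatures stays cheap even as the number of dumps grows.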
Source journal: Journal of Information Security and Applications (Computer Science - Computer Networks and Communications)
CiteScore: 10.90
Self-citation rate: 5.40%
Articles published: 206
Review time: 56 days
Journal description: Journal of Information Security and Applications (JISA) focuses on original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.