HyperGuard: on designing out-VM malware analysis approach to detect intrusions from hypervisor in cloud environment.

Cloud computing provides delivery of computing resources as a service on a pay-as-you-go basis. It represents a shift from products being purchased, to products being subscribed as a service, delivered to consumers over the internet from a large scale data centre. The main issue with cloud services is security from attackers who can easily compromise the Virtual Machines (VMs) and applications running over it. In this paper, we present a HyperGuard mechanism to detect malware attacks which hide their presence by sensing the analysing environment or security tools installed in VMs. They may attach themselves with the legitimate processes. Hence, HyperGuard is deployed at the hypervisor, outside the monitored VMs to detect such evasive attacks. It employs open source introspection libraries such as DRAKVUF, LIbVMI etc. to capture the VM behaviour from hypervisor inform of syscall logs. It extracts the features in form of n-grams. It makes use of Recursive Feature Elimination (RFE) and Support Vector Machine (SVM) to learn and detect the abnormal behaviour of evasive malware. The approach has been validated with a publicly available dataset (Trojan binaries) and dataset obtained on request from University of New California (evasive malware binaries). The results seem to be promising.