Project 1: DeepHyperv: A deep neural network based virtual memory analysis for malware detection at hypervisor-layer

Project Description: Security holds great significance in this new era of on-demand virtual computing. As software and hardware update daily, malware is also modifying its behaviour rapidly. Some researchers are still working in this area to handle the recent cyber-attacks in critical virtualization ecosystems. The existing research works may not be suitable with the existing updated virtualization environment as they have been validated with older datasets. In this project, a deep neural network (DNN) based malware (Trojan) detection approach has been proposed and implemented, called DeepHyperv, to detect the malware threats in a virtualization environment by doing the deep virtual memory analysis. Direct access to the analysis components is prohibited in the proposed architecture by deploying them inside the privileged domain of the hypervisor. The process execution logs are collected at the hypervisor using the memory introspection technique with the support of recent hardware and software configurations of analysis setup and virtualization environment. The logs are pre-processed and converted into a discrete feature vector matrix. The approach uses DNN to learn & test the extracted features at the hypervisor. The approach is validated in the test bed setup of our lab, and results seem to promising.

Datasets: A malware dataset (in the form of exe) is taken from San Jose State University (SJSU) on request. Some of the benign applications have been downloaded from SourceForge and some of them are taken from system32 folder of Windows system. In the first scenario, 2592 benign samples and 9896 malware samples are considered (termed HyperMalware) and in the later scenario 25000 malware samples and 20000 benign samples have been considered (termed HyperMalware’).

Publication: A. Gaur, A. Singh, A. Nautiyal, G. Kothari, P. Mishra, A. Jha. “DeepHyperv: A deep neural network based virtual memory analysis for malware detection at hypervisor-layer”, In “AICAPS 2023” pp. 1-6, 2023. DOI:10.1109/AICAPS57044.2023.10074347

Project 2: Advanced malware and their impact on virtualization: A case study on hybrid feature extraction using deep memory introspection

Project Description: The security concerns in virtualization are the central issue for the researchers as well as organizations. Attackers use different tactics to exploit the vulnerabilities present in virtual components. In this paper, we provide a detailed study on the malware families & along with their impact on virtualization. In addition, malware log extraction using deep memory introspection has been explored. Various plugins have been explained, along with the variety of features that are essential for malware analysis purposes. A case study has also been provided using the testbed set up in our lab to provide the practical insight on deep memory introspection using open-source tools, along with their usage to extract different features outside the VM at the hypervisor. We hope that our work will help readers to understand the malware logs and extract important features for malware analysis in a virtual environment.

Dataset Created: In this project, we have used various opensource introspection tools and libraries to generate malware dataset logs. The malware dataset is collected from San Jose State University for analysis and is injected from host to VM.

Publication:. Bhatt, A. Gaur, S. Badoni, and Preeti Mishra, “Advanced malware and their impact on virtualization: A case study on hybrid feature extraction using deep memory introspection,” Proceedings of the 2022 Fourteenth International Conference on Contemporary Computing, Aug. 2022, pp. 74--80. DOI: 10.1145/3549206.3549223

Project 3: Introspection-assisted evolutionary bag-of-ngram approach to detect malware in cloud servers

Project Description: Cloud computing has become very popular and extremely demanding in the market. Several emerging technologies such as Industrial Internet of Things (IIoT), microservices and Bigdata analytics etc. are adopting cloud computing due to the availability of the high-end computing servers. However, security breaches have also started to grow along with its popularity. The advanced malware can target virtualization-based infrastructure and can harm virtual resources and thereby becoming threat to industrial applications & data hosted in cloud. The modern malware is difficult to be detected by using traditional security tools. In this project, an introspection-assisted evolutionary bag-of-ngram approach is proposed, named as vServiceInspector for doing process monitoring from both inside the virtual machine (In-VM) & outside virtual machine (Out-VM). It employs advanced memory introspection to extract the system call sequences at Out-VM location (i.e. hypervisor). Genetic Algorithm (GA) is employed to find the most discriminating sequences of system calls and extract optimal feature set. Convolutional Neural Network (CNN), a deep learning algorithm is then used to learn and detect the malicious program execution patterns. An accuracy of 83.13%–99.63% is achieved by using University of New Mexico (UNM) dataset and an accuracy of 97.8%–99% is achieved by using University of California (Barecloud) dataset. The vServiceInspector is more accurate and more attack resilient when compared to previously proposed techniques.

Datasets Used: vServiceInspector dataset provided by the University of New Mexico through their repositories and Barecloud dataset from University of California are being used here.

Publication: Preeti Mishra, A. Gupta, P. Aggarwal and E. Pilli, "vServiceInspector: Introspection-assisted evolutionary bag-of-ngram approach to detect malware in cloud servers", Ad hoc Networks, Elsevier, vol. 131, pp. 1—9, 2022. [SCI, IF: 4.816]https://www.sciencedirect.com/science/article/abs/pii/S1570870522000439

Project 4: A state-of-the art survey on various attacks and security tools at virtualization-layer of cloud computing: A virtual network security perspective.

Project Description: With the advent of technologies such as the internet of things (IoT), big Data analytics, and cloud computing; most businesses have adopted virtualization technologies. Virtualization is a key technology that enables the execution of multiple operating systems in one physical machine, thereby allowing the sharing of resources within the same environment. The pay-per-use and on-demand sharing of resources, have increased the utilization of cloud-based services, thereby increasing various security concerns. There are various attacks possible at different cloud computing layers i.e., application-layer, virtualization-layer, network-layer, hardware-layer etc. In this project, we have explored various attacking possibilities and defensive tools, specially focusing on network-layer of cloud computing. Various traditional security solutions such as Network Intrusion Prevention System (NIPS) and Network Intrusion Detection System (NIDS) are used by researchers to protect cloud from network attacks. To effectively secure network layer, these traditional tools are no longer sufficient. One has to relentlessly search for tools that specifically focus on virtualization layer of cloud. Cloud design architecture differs significantly from traditional network design architectures. Moreover, there are different design constraints at different layers of cloud. Therefore, the same tool cannot be deployed at all layers. Hence, it is crucial to classify all the tools according to the layered architecture of cloud. In this project, we have discussed different security and attacking tools, providing a detailed study of the tools. Each of the category is further classified based on target layer of deployment at the virtualization layer.

Datasets Used: A network attack dataset (UNSW-NB 15) has been considered during analysis purpose along with various XAI machine learning (ML) algorithms. A case study on “Explainable Artificial Intelligence based Network Intrusion Detection System” (XAI-NIDS) has been performed using UNSW-NB15 dataset.

Publication: A. Nautiyal, S. Saklani, P. Mishra, S. Kumar, H. Bisht. “A state-of-the art survey on various attacks and security tools at virtualization-layer of cloud computing: A virtual network security perspective” In “Integration of Cloud Computing with Emerging Technologies: Issues, Challenges, and Practices”, 2023, pp. 1-12. (In Press)

Project 5: VNSecure: An explainable virtual network attack detection framework at VMM-Layer in virtualization environment.

Project Description: In recent years, virtualization has become popular with the usage of emerging technologies in different domains. With the increasing number of attacking incidents in recent times, virtualization security has become one of the primary focus of research. The traditional network attack detection systems are inefficient enough to detect attacks over the virtual network. In this project, we have proposed a virtual network security framework, called VNSecure that detects malicious network activities by analysing virtual machine (VM) traffic profile. VNsecure operates on a hypervisor layer and has access to both underlying hardware and guest operating system. It does VM-level activity analysis from the privileged domain of the hypervisor, serving as the main line of defence against intrusions at the virtual network level. Initially, VM traffic validation is performed to detect spoofing attacks by analysing the traffic captured at the backend driver of the virtual network interface of the monitored VM. To perform detailed behaviour analysis, a deep learning approach is used to learn and detect VM-specific network attacks. On detection of malicious traffic, an alert is raised to the administrator. VNSecure then carries out essential mitigation to lower the risk and store the occurrence of malicious packets in its database.

Datasets Used: Two datasets have been used in our project; one is the most recent Amazon Web Service (AWS) based network flow dataset, CICIDS2017. The second dataset is the self-generated dataset, MALNetwork2023, developed in the test bed of our laboratory using malware executable. The malware executable has been taken from online sources. The malware executable belong to zbot, vundo, vobfus, and zeroaccesss families.

Project 6: Robust, Efficient and Interpretable Adversarial AI Models for Intrusion Detection in Virtualization Environment

Project Description: Cyber-attacking incidents have been increasing day by day along with the technological growth in the era of post-COVID. Due to the evolving behaviour of the attacks, it has become difficult for traditional security tools to capture the stealthy new attack patterns. In this project a thorough study on various advanced techniques for intrusion detection, has been carried out. An intrusion detection system (IDS) can be considered as effective system if it possesses the following key features: robustness, efficiency, and interpretability. Adversarial Machine Learning (AML) is an advanced field of study that help to improve the robustness. Likewise, optimization methods help in achieving the good efficiency, and explainable AI (XAI) assist in improving the interpretability of IDS results. All these approaches are well investigated and compared in the project to give a direction to researchers working in the area of intrusion detection system. At the end, a case study on malware detection has been performed and the use of XAI libraries such as SHAP and LIME libraries has been demonstrated to interpret the IDS results.

Datasets Used: The malware dataset (executables) have been taken from online source which consists of four malware families: Zbot, Vundo, Vobfus, and Zeroaccess.

Publication: A. Singh, A. Gaur, G. Kothari, Y. Agarwal, Tejaswi, P. Mishra, S. K. Jagatheesaperumal. “Robust, Efficient and Interpretable Adversarial AI Models” In “Artificial Intelligence for Intrusion Detection Systems” in CRC Press, Taylor & Francis Group, 2023, pp. 1-38. (In Press)

Project 7: HyperGuard: On designing out-VM malware analysis approach to detect intrusions from hypervisor in cloud environment.

Project Description: Cloud computing provides delivery of computing resources as a service on a pay-as-you-go basis. It represents a shift from products being purchased, to products being subscribed as a service, delivered to consumers over the internet from a large scale data centre. The main issue with cloud services is security from attackers who can easily compromise the Virtual Machines (VMs) and applications running over it. In this project, we present a HyperGuard mechanism to detect malware attacks which hide their presence by sensing the analyzing environment or security tools installed in VMs. They may attach themselves with the legitimate processes. Hence, HyperGuard is deployed at the hypervisor, outside the monitored VMs to detect such evasive attacks. It employs open-source introspection libraries to capture the VM behaviour from hypervisor inform of syscall logs. It extracts the features in form of n-grams. It makes use of Recursive Feature Elimination (RFE) and Support Vector Machine (SVM) to learn and detect the abnormal behaviour of evasive malware. The approach has been validated with a publicly available dataset (Trojan binaries) and dataset. The results seem to be promising.

Datasets used: We have collected Trojan malware dataset from Virus Share (2013) and Evasive malware dataset from online sources.

Publication: Prithviraj Singh Bisht, Preeti MishraPushpanjali Chauhan, R. C. Joshi, "HyperGuard: On designing Out-VM Malware Analysis Approach to Detect Intrusions from Hypervisor in Cloud Environment," International Journal of Grid and Utility Computing (IJGUC), pp. 1—12, 2020. ISSN: 1741-847X / 1741-8488.(In-Press, ESCI and Scopus Indexed)https://www.inderscience.com/info/ingeneral/forthcoming.php?jcode=IJGUC