SBGen: A Framework to Efficiently Supply Runtime Information for a Learning-Based HIDS for Multiple Virtual Machines

Abstract: Much compelling evidence urges that the isolation provided by the hypervisor in a virtualized system is not complete at all, and in practice can be neutralized by elaborated adversaries, which consequently emphasizes the need for techniques to detect attacks on the guest VM kernels. In this regard, learning-based HIDSs have received much attention, which inspect the internals of each VM through monitoring models built by machine learning techniques. The inspection capability of learning-based HIDSs depends on the quality of the monitoring models, which in turn can be improved by using rich runtime information reflecting the exact behavior of VMs. However, as extracting such runtime behavior information is onerous on account of its vast quantity, many learning-based HIDSs have resorted to using only fragmentary runtime behavior information.

To address this problem, in this paper, we present SBGen, a framework for efficient extraction of rich runtime behavior information of VMs, namely the system call traces and the execution paths of the kernel taken to serve system calls. To trace execution of the kernel efficiently, SBGen leverages a salient hardware feature, Intel Processor Trace (PT). Once receiving the execution traces of the kernel from PT, SBGen elaborately decodes and purifies them to extract execution paths of the kernel associated with system calls. The extracted runtime behavior information of VMs is fed into learning-based HIDSs to improve their detection accuracy. Our experiments show that SBGen can extract and supply runtime behavior information efficiently enough for learning-based HIDSs to detect in a timely fashion real-world attacks on the guest VM kernels running in a virtualized system, while incurring a reasonable amount of performance overhead.

Bibliographic Details
Main Authors: Jiwon Seo, Inyoung Bang, Junseung You, Yeongpil Cho, Yunheung Paek
Affiliations: Department of Electrical and Computer Engineering and ISRC, Seoul National University, Seoul, South Korea (Seo, Bang, You, Paek); Department of Computer Science, Hanyang University, Seoul, South Korea (Cho)
Format: Article
Language: English
Published: IEEE, 2020-01-01
Series: IEEE Access (ISSN 2169-3536), vol. 8, pp. 225356-225369
DOI: 10.1109/ACCESS.2020.3041302
Subjects: Intel Processor Trace (PT); learning-based HIDS; VM monitoring; extraction of runtime behavior information; guest VM kernel execution traces
Online Access: https://ieeexplore.ieee.org/document/9272991/