Abstract

More data and applications are moving to the cloud, which presents many new security risks. Malware is one of the most significant threats to cloud computing. In this paper, we explore employing virtual machine introspection (VMI) and memory forensics analysis (MFA) techniques to detect malware running in guest virtual machines. Our scheme differs from existing malware detection methods based on virtualization technology in three aspects. First, this paper combines VMI with MFA to extract multiple types of features in the guest virtual machine at the same time. Our scheme can effectively minimize the data acquisition overhead. Second, compared with detection methods based on a single dynamic feature or multiple static features, our data acquisition method employs multiple types of dynamic features, and effectively improves the ability to detect sophisticated malware. Finally, we use the AdaBoost ensemble learning method and a voting combination strategy to improve the accuracy and generalization ability of the overall classifier. The experimental results, based on a large amount of real-world malware, show that our scheme can achieve a detection accuracy of 0.9975. Our approach can improve virtual machine security, and further effectively enhance the security of the cloud computing environment.
