VMAnalyzer: Malware Semantic Analysis using Integrated CNN and Bi-Directional LSTM for Detecting VM-level Attacks in Cloud

Abstract

Cloud computing is one of the most emerging field in the IT Industry which provides scalable, expandable and almost perfectly elastic software or hardware services to the users. As the scalability and elasticity of cloud computing services increases, it also increases the risk of malicious intervention into cloud. Since the number and types of malware attacks are increasing day by day, it triggers the need of an efficient, robust and scalable malware detection approach for securing virtual domains running in cloud. In this paper, we propose a dynamic analysis approach, called VMAnalyzer which applies deep learning based machine learning techniques for detecting attacks at VM-layer in cloud environment. The VMAnalyzer extracts the ordered sequence of system calls of all the monitored programs and performs the two-layer classification. In layer-1, convolutional neural network (CNN) is applied to extract and select the relevant system call sequences. A number of potentially diverse layers in CNN not only provides the architecture for important feature extraction but also take care of convolution of n-grams with full sequential modelling. The layer-1 output is fed as a input to layer-2 using pipelining. In layer-2, Bi-Directional Long Short Term Memory (LSTM) is applied for learning and detecting the behavior of malicious system call sequences. Our evaluation results demonstrate that our approach outperforms previously used methods for malware detection in cloud. The approach has been validated using University of New Maxico (UNM) dataset and results seem to be promising.