Andrew Patrick Norman

A Framework for Detecting Malware in Cloud by Identifying Symptoms

Security is seen as one of the major challenges of the Cloud computing. Recent malware are not only becoming more sophisticated, but have also demonstrated a trend to make use of components, which can easily be distributed through the Internet to develop newer and better malware. As a result, the key problem facing Cloud security is to cope with identifying diverse sets of malware. This paper presents a method of detecting malware by identifying the symptoms of malicious behaviour as opposed to looking for the malware itself. This can be compared to the use of symptoms in human pathology, in which study of symptoms direct physicians to diagnosis of a disease or possible causes of illnesses. The main advantage of shifting the attention to the symptoms is that a wide range of malicious behaviour can result in the same set of symptoms. We propose the creation of Forensic Virtual Machines (FVM), which are mini Virtual Machines (VM) that can monitor other VMs to discover the symptoms. In this paper, we shall present a framework to support the FVMs so that they collaborate with each other in identifying symptoms by exchanging messages via secure channels. The FVMs report to a Command & Control module that collects and correlates the information so that suitable remedial actions can take place in real-time. The Command & Control can be compared to the physician who infers possibility of an illness from the occurring symptoms. In addition, as FVMs make use of the computational resources of the system we will present an algorithm for sharing of the FVMs so that they can be guided to search for the symptoms in the VMs with higher priority.