MinCloud:基于 MinHash 的可信和可转移框架,用于检测 Linux 云环境中的未知恶意软件

IF 3.8 2区 计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS Journal of Information Security and Applications Pub Date : 2024-11-06 DOI:10.1016/j.jisa.2024.103907
Tomer Panker , Aviad Cohen , Tom Landman , Chen Bery , Nir Nissim
{"title":"MinCloud:基于 MinHash 的可信和可转移框架,用于检测 Linux 云环境中的未知恶意软件","authors":"Tomer Panker ,&nbsp;Aviad Cohen ,&nbsp;Tom Landman ,&nbsp;Chen Bery ,&nbsp;Nir Nissim","doi":"10.1016/j.jisa.2024.103907","DOIUrl":null,"url":null,"abstract":"<div><div>Linux clouds have become an attractive target for cyber-attacks. However, existing detection solutions for Linux clouds have variety of limitations. Some of the solutions are untrusted, incapable of detecting unknown malware, or rely on a human expert to define the features. Other solutions are trusted but require a large amount of computational resources or have a limited ability to detect rootkits, fileless malware, or malware on a different server. In this study, we propose MinCloud, a trusted and transferable MinHash-based framework for unknown malware detection in Linux virtual servers that overcomes the limitations of existing solutions. In the first stage, we acquired volatile memory dumps from virtual servers by querying the hypervisor in a trusted manner and then analyzed them using the MinHash method. Finally, the MinHash characteristics are harnessed by applying machine learning classifiers to achieve precise malware detection. MinCloud was evaluated on widely used Linux virtual servers, various benign and malicious applications, and 23,000 volatile memory dumps, each representing different behaviors of the examined servers and the executed applications over time. MinCloud's evaluation shows it can (1) detect unknown malware, (2) classify unknown malware according to its malware category, (3) detect fileless attacks and rootkit malware, and (4) provide accurately transfer detection between different Linux servers. MinCloud outperformed state-of-the-art trusted detection methods and commonly used antiviruses.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"87 ","pages":"Article 103907"},"PeriodicalIF":3.8000,"publicationDate":"2024-11-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"MinCloud: Trusted and transferable MinHash-based framework for unknown malware detection for Linux cloud environments\",\"authors\":\"Tomer Panker ,&nbsp;Aviad Cohen ,&nbsp;Tom Landman ,&nbsp;Chen Bery ,&nbsp;Nir Nissim\",\"doi\":\"10.1016/j.jisa.2024.103907\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><div>Linux clouds have become an attractive target for cyber-attacks. However, existing detection solutions for Linux clouds have variety of limitations. Some of the solutions are untrusted, incapable of detecting unknown malware, or rely on a human expert to define the features. Other solutions are trusted but require a large amount of computational resources or have a limited ability to detect rootkits, fileless malware, or malware on a different server. In this study, we propose MinCloud, a trusted and transferable MinHash-based framework for unknown malware detection in Linux virtual servers that overcomes the limitations of existing solutions. In the first stage, we acquired volatile memory dumps from virtual servers by querying the hypervisor in a trusted manner and then analyzed them using the MinHash method. Finally, the MinHash characteristics are harnessed by applying machine learning classifiers to achieve precise malware detection. MinCloud was evaluated on widely used Linux virtual servers, various benign and malicious applications, and 23,000 volatile memory dumps, each representing different behaviors of the examined servers and the executed applications over time. MinCloud's evaluation shows it can (1) detect unknown malware, (2) classify unknown malware according to its malware category, (3) detect fileless attacks and rootkit malware, and (4) provide accurately transfer detection between different Linux servers. MinCloud outperformed state-of-the-art trusted detection methods and commonly used antiviruses.</div></div>\",\"PeriodicalId\":48638,\"journal\":{\"name\":\"Journal of Information Security and Applications\",\"volume\":\"87 \",\"pages\":\"Article 103907\"},\"PeriodicalIF\":3.8000,\"publicationDate\":\"2024-11-06\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Journal of Information Security and Applications\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S2214212624002096\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q2\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Security and Applications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2214212624002096","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

摘要

Linux 云已成为网络攻击的诱人目标。然而,现有的 Linux 云检测解决方案存在各种局限性。有些解决方案不可信,无法检测未知恶意软件,或依赖人类专家来定义特征。其他解决方案虽然可信,但需要大量计算资源,或者检测 rootkit、无文件恶意软件或不同服务器上的恶意软件的能力有限。在本研究中,我们提出了 MinCloud,这是一个基于 MinHash 的可信和可转移框架,用于检测 Linux 虚拟服务器中的未知恶意软件,克服了现有解决方案的局限性。在第一阶段,我们以可信的方式通过查询管理程序获取虚拟服务器的易失性内存转储,然后使用 MinHash 方法对其进行分析。最后,通过应用机器学习分类器来利用 MinHash 特性,从而实现精确的恶意软件检测。MinCloud 在广泛使用的 Linux 虚拟服务器、各种良性和恶意应用程序以及 23,000 个易失性内存转储上进行了评估,每个转储都代表了受检服务器和所执行应用程序在一段时间内的不同行为。MinCloud 的评估结果表明,它可以:(1)检测未知恶意软件;(2)根据恶意软件类别对未知恶意软件进行分类;(3)检测无文件攻击和 rootkit 恶意软件;(4)在不同 Linux 服务器之间提供准确的传输检测。MinCloud 的表现优于最先进的可信检测方法和常用的反病毒软件。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
MinCloud: Trusted and transferable MinHash-based framework for unknown malware detection for Linux cloud environments
Linux clouds have become an attractive target for cyber-attacks. However, existing detection solutions for Linux clouds have variety of limitations. Some of the solutions are untrusted, incapable of detecting unknown malware, or rely on a human expert to define the features. Other solutions are trusted but require a large amount of computational resources or have a limited ability to detect rootkits, fileless malware, or malware on a different server. In this study, we propose MinCloud, a trusted and transferable MinHash-based framework for unknown malware detection in Linux virtual servers that overcomes the limitations of existing solutions. In the first stage, we acquired volatile memory dumps from virtual servers by querying the hypervisor in a trusted manner and then analyzed them using the MinHash method. Finally, the MinHash characteristics are harnessed by applying machine learning classifiers to achieve precise malware detection. MinCloud was evaluated on widely used Linux virtual servers, various benign and malicious applications, and 23,000 volatile memory dumps, each representing different behaviors of the examined servers and the executed applications over time. MinCloud's evaluation shows it can (1) detect unknown malware, (2) classify unknown malware according to its malware category, (3) detect fileless attacks and rootkit malware, and (4) provide accurately transfer detection between different Linux servers. MinCloud outperformed state-of-the-art trusted detection methods and commonly used antiviruses.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
Journal of Information Security and Applications
Journal of Information Security and Applications Computer Science-Computer Networks and Communications
CiteScore
10.90
自引率
5.40%
发文量
206
审稿时长
56 days
期刊介绍: Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.
期刊最新文献
Fed-LSAE: Thwarting poisoning attacks against federated cyber threat detection system via Autoencoder-based latent space inspection Lightweight privacy-preserving authenticated key agreements using physically unclonable functions for internet of drones BCRS-DS: A Privacy-protected data sharing scheme for IoT based on blockchain and certificateless ring signature Privacy-preserving verifiable fuzzy phrase search over cloud-based data Robust coverless video steganography based on pose estimation and object tracking
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1