Behavioral Modeling for Suspicious Process Detection in Cloud Computing Environments

One of the defining features of cloud computing, multi-tenancy provides significant benefits to both clients and service providers by supporting elastic on-demand resource provisioning and efficient resource allocation. However, this architecture also introduces additional security implications. Client virtual machine (VM) instances running on the same physical machine are susceptible to side-channel and escape-to-hypervisor attacks. Timely detection/mitigation of intrusive behaviors of malicious processes using signature based intrusion detection technologies or system call level anomaly analysis due to high false alarm rate presents a challenging task. In this work, a behavioral modeling scheme is proposed to detect suspicious processes on the highest semantic level. Our preliminary results have validated the effectiveness and efficiency of this novel approach.