Cited 1 time in Web of Science; cited 2 times in Scopus
SBGen: A Framework to Efficiently Supply Runtime Information for a Learning-Based HIDS for Multiple Virtual Machines

Full metadata record (Dublin Core field: value)

dc.contributor.author: Seo, Jiwon
dc.contributor.author: Bang, Inyoung
dc.contributor.author: You, Junseung
dc.contributor.author: Cho, Yeongpil
dc.contributor.author: Paek, Yunheung
dc.date.accessioned: 2022-07-07T11:12:37Z
dc.date.available: 2022-07-07T11:12:37Z
dc.date.created: 2021-05-12
dc.date.issued: 2020-11
dc.identifier.issn: 2169-3536
dc.identifier.uri: https://scholarworks.bwise.kr/hanyang/handle/2021.sw.hanyang/144385
dc.description.abstract: Much compelling evidence shows that the isolation provided by the hypervisor in a virtualized system is far from complete and can in practice be neutralized by sophisticated adversaries, which emphasizes the need for techniques that detect attacks on guest VM kernels. In this regard, learning-based HIDSs have received much attention; they inspect the internals of each VM through monitoring models built with machine learning techniques. The inspection capability of a learning-based HIDS depends on the quality of its monitoring models, which in turn can be improved by using rich runtime information that reflects the exact behavior of the VMs. However, because extracting such runtime behavior information is onerous on account of its vast quantity, many learning-based HIDSs have resorted to using only fragmentary runtime behavior information. To address this problem, in this paper we present SBGen, a framework for efficient extraction of rich runtime behavior information of VMs, namely the system call traces and the execution paths taken by the kernel to serve those system calls. To trace kernel execution efficiently, SBGen leverages a salient hardware feature, Intel Processor Trace (PT). Once it receives the kernel execution traces from PT, SBGen decodes and purifies them to extract the kernel execution paths associated with system calls. The extracted runtime behavior information of the VMs is fed into learning-based HIDSs to improve their detection accuracy. Our experiments show that SBGen can extract and supply runtime behavior information efficiently enough for learning-based HIDSs to detect, in a timely fashion, real-world attacks on guest VM kernels running in a virtualized system, while incurring a reasonable amount of performance overhead.
dc.language: 영어
dc.language.iso: en
dc.publisher: IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
dc.title: SBGen: A Framework to Efficiently Supply Runtime Information for a Learning-Based HIDS for Multiple Virtual Machines
dc.type: Article
dc.contributor.affiliatedAuthor: Cho, Yeongpil
dc.identifier.doi: 10.1109/ACCESS.2020.3041302
dc.identifier.scopusid: 2-s2.0-85097374702
dc.identifier.wosid: 000603725800001
dc.identifier.bibliographicCitation: IEEE ACCESS, v.8, pp.225356 - 225369
dc.relation.isPartOf: IEEE ACCESS
dc.citation.title: IEEE ACCESS
dc.citation.volume: 8
dc.citation.startPage: 225356
dc.citation.endPage: 225369
dc.type.rims: ART
dc.type.docType: Article
dc.description.journalClass: 1
dc.description.isOpenAccess: Y
dc.description.journalRegisteredClass: scie
dc.description.journalRegisteredClass: scopus
dc.relation.journalResearchArea: Computer Science
dc.relation.journalResearchArea: Engineering
dc.relation.journalResearchArea: Telecommunications
dc.relation.journalWebOfScienceCategory: Computer Science, Information Systems
dc.relation.journalWebOfScienceCategory: Engineering, Electrical & Electronic
dc.relation.journalWebOfScienceCategory: Telecommunications
dc.subject.keywordPlus: INTROSPECTION
dc.subject.keywordPlus: SELF
dc.subject.keywordAuthor: Runtime
dc.subject.keywordAuthor: Monitoring
dc.subject.keywordAuthor: Kernel
dc.subject.keywordAuthor: Data mining
dc.subject.keywordAuthor: Logic gates
dc.subject.keywordAuthor: Virtual machining
dc.subject.keywordAuthor: Inspection
dc.subject.keywordAuthor: Intel Processor Trace (PT)
dc.subject.keywordAuthor: learning-based HIDS
dc.subject.keywordAuthor: VM monitoring
dc.subject.keywordAuthor: extraction of runtime behavior information
dc.subject.keywordAuthor: guest VM kernel execution traces
dc.identifier.url: https://ieeexplore.ieee.org/document/9272991
Appears in Collections: Seoul College of Engineering > Seoul School of Computer Software > 1. Journal Articles
