Graph-Neural Threat Detection at the Hypervisor Layer

Authors

  • Tejas Dhanorkar, Capgemini, USA
  • Tanuj Mathur, Independent Researcher, USA
  • Aarthi Anbalagan, Microsoft Corporation, USA

Keywords:

hypervisor, graph neural networks, virtual machines, intrusion detection, temporal graphs, lateral movement, zero-day detection, ESXi

Abstract

This paper presents a hypervisor-layer threat detection method that uses Graph Neural Networks (GNNs) to examine inter-VM communication patterns. Temporal communication flows are represented as dynamic graphs, and a lightweight GNN detects the abnormal behaviour of lateral movement within them, behaviour that traditional intrusion detection systems (IDS) miss. The solution supports Microsoft Hyper-V and VMware ESXi, which allows zero-day exploit footprints to be seen in real time without affecting performance.




Published

22-01-2019

How to Cite

Tejas Dhanorkar, Tanuj Mathur, and Aarthi Anbalagan, “Graph-Neural Threat Detection at the Hypervisor Layer”, Edinburg J. of Nat. Lang. Proc. and AI, vol. 3, pp. 100–131, Jan. 2019. Accessed: Jan. 27, 2026. [Online]. Available: https://ejnlpai.org/index.php/publication/article/view/17