Analyzing CNN Based Behavioural Malware Detection Techniques on Cloud IaaS

  • Andrew McDoleEmail author
  • Mahmoud AbdelsalamEmail author
  • Maanak GuptaEmail author
  • Sudip MittalEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12403)


Cloud Infrastructure as a Service (IaaS) is vulnerable to malware due to its exposure to external adversaries, making it a lucrative attack vector for malicious actors. A datacenter infected with malware can cause data loss and/or major disruptions to service for its users. This paper analyzes and compares various Convolutional Neural Networks (CNNs) for online detection of malware in cloud IaaS. The detection is performed based on behavioural data using process level performance metrics including cpu usage, memory usage, disk usage etc. We have used the state of the art DenseNets and ResNets in effectively detecting malware in online cloud system. These CNNs are designed to extract features from data gathered from live malware running on a real cloud environment. Experiments are performed on OpenStack (a cloud IaaS software) testbed designed to replicate a typical 3-tier web architecture. Comparative analysis is performed for different CNN models.


Deep learning Convolutional Neural Network Cloud IaaS Residual networks Dense networks 



This work is partially supported by NSF SFS Grant DGE-1565562.


  1. 1.
    Mell, P., Grance, T., et al.: The NIST definition of cloud computing (2011)Google Scholar
  2. 2.
    Gruschka, N., et al.: Attack surfaces: a taxonomy for attacks on cloud services. In: Proceedings of IEEE International Conference on Cloud Computing, pp. 276–279 (2010)Google Scholar
  3. 3.
    Abdelsalam, M., et al.: Malware detection in cloud infrastructures using convolutional neural networks. In: Proceedings of IEEE International Conference on Cloud Computing (CLOUD), pp. 162–169 (2018)Google Scholar
  4. 4.
    Abdelsalam, M., Krishnan, R., Sandhu, R.: Clustering-based IaaS cloud monitoring. In: Proceedings of IEEE International Conference on Cloud Computing (CLOUD), pp. 672–679 (2017)Google Scholar
  5. 5.
    Abdelsalam, M., Krishnan, R., Sandhu, R.: Online malware detection in cloud auto-scaling systems using shallow convolutional neural networks. In: Foley, S.N. (ed.) DBSec 2019. LNCS, vol. 11559, pp. 381–397. Springer, Cham (2019). Scholar
  6. 6.
    Pannu, H.S. Liu, J., Fu, S.: Aad: adaptive anomaly detection system for cloud computing infrastructures. In: Proceedings of IEEE Symposium on Reliable Distributed Systems, pp. 396–397 (2012)Google Scholar
  7. 7.
    Dawson, J.A., et al.: Phase space detection of virtual machine cyber events through hypervisor-level system call analysis. In: Proceedings of IEEE International Conference on Data Intelligence and Security (ICDIS), pp. 159–167 (2018)Google Scholar
  8. 8.
    Wang, C.: Ebat: online methods for detecting utility cloud anomalies. In: Proceedings of the Middleware Doctoral Symposium, pp. 1–6 (2009)Google Scholar
  9. 9.
    Watson, M.R., et al.: Malware detection in cloud computing infrastructures. IEEE Trans. Dependable Secure Comput. 13(2), 192–205 (2015)CrossRefGoogle Scholar
  10. 10.
    Alazab, M., et al.: Zero-day malware detection based on supervised learning algorithms of API call signatures. In: Proceedings of the Australasian Data Mining Conference, pp. 171–182. Australian Computer Society Inc. (2011)Google Scholar
  11. 11.
    Pirscoveanu, R.S., et al.: Analysis of malware behavior: type classification using machine learning. In: Proceedings of IEEE International Conference on Cyber Situational Awareness, Data Analytics and Assessment, pp. 1–7 (2015)Google Scholar
  12. 12.
    Tobiyama, S., et al.: Malware detection with deep neural network using process behavior. In: Proceedings of IEEE Annual Computer Software and Applications Conference, vol. 2, pp. 577–582 (2016)Google Scholar
  13. 13.
    Luckett, P., et al.: Neural network analysis of system call timing for rootkit detection. In: Proceedings of Cybersecurity Symposium (CYBERSEC), pp. 1–6, April 2016Google Scholar
  14. 14.
    Dini, G., Martinelli, F., Saracino, A., Sgandurra, D.: MADAM: a multi-level anomaly detector for android malware. In: Kotenko, I., Skormin, V. (eds.) MMM-ACNS 2012. LNCS, vol. 7531, pp. 240–253. Springer, Heidelberg (2012). Scholar
  15. 15.
    Demme, J., et al.: On the feasibility of online malware detection with performance counters. ACM SIGARCH Comput. Archit. News 41(3), 559–570 (2013)CrossRefGoogle Scholar
  16. 16.
    Khasawneh, K.N., Ozsoy, M., Donovick, C., Abu-Ghazaleh, N., Ponomarev, D.: Ensemble learning for low-level hardware-supported malware detection. In: Bos, H., Monrose, F., Blanc, G. (eds.) RAID 2015. LNCS, vol. 9404, pp. 3–25. Springer, Cham (2015). Scholar
  17. 17.
    Xu, Z., et al.: Malware detection using machine learning based analysis of virtual memory access patterns. In: Proceedings of IEEE Design, Automation & Test in Europe Conference & Exhibition, pp. 169–174 (2017)Google Scholar
  18. 18.
    Sterbenz, J.P.G., et al.: Resilience and survivability in communication networks: Strategies, principles, and survey of disciplines. Comput. Networks 54(8), 1245–1265 (2010)CrossRefGoogle Scholar
  19. 19.
    Watson, M.R., Shirazi, N.--H., Marnerides, A.K., Mauthe, A., Hutchison, D.: Towards a distributed, self-organising approach to malware detection in cloud computing. In: Elmenreich, W., Dressler, F., Loreto, V. (eds.) IWSOS 2013. LNCS, vol. 8221, pp. 182–185. Springer, Heidelberg (2014). Scholar
  20. 20.
    Marnerides, A.K., et al.: A multi-level resilience framework for unified networked environments. In: Proceedings of IFIP/IEEE International Symposium on Integrated Network Management (IM), pp. 1369–1372 (2015)Google Scholar
  21. 21.
    Fan, Y., Ye, Y., Chen, L.: Malicious sequential pattern mining for automatic malware detection. Expert Syst. Appl. 52, 16–25 (2016)CrossRefGoogle Scholar
  22. 22.
    Firdausi, I., et al.: Analysis of machine learning techniques used in behavior-based malware detection. In: Proceedings of IEEE International Conference on Advances in Computing, Control, and Telecommunication Technologies, pp. 201–203 (2010)Google Scholar
  23. 23.
    Azmandian, F., et al.: Virtual machine monitor-based lightweight intrusion detection. ACM SIGOPS Oper. Syst. Rev. 45(2), 38–53 (2011)CrossRefGoogle Scholar
  24. 24.
    LeCun, Y., et al.: Gradient-based learning applied to document recognition. Proc. IEEE 86(11), 2278–2324 (1998)CrossRefGoogle Scholar
  25. 25.
    Agarap, A.F.: Deep learning using rectified linear units (relu). arXiv preprint arXiv:1803.08375 (2018)
  26. 26.
    Kingma, D.P., Ba, J.: Adam: a method for stochastic optimization. arXiv preprint arXiv:1412.6980 (2014)
  27. 27.
    He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. arXiv preprint arXiv:1512.03385 (2015)
  28. 28.
    Huang, G., Liu, Z., Weinberger, K.Q.: Densely connected convolutional networks. CoRR, abs/1608.06993 (2016)Google Scholar
  29. 29.
    Pascanu, R., Mikolov, T., Bengio, Y.: Understanding the exploding gradient problem. CoRR, abs/1211.5063 (2012)Google Scholar
  30. 30.
    Metz, C.E.: Receiver operating characteristic analysis: a tool for the quantitative evaluation of observer performance and imaging systems. J. Am. College Radiol. 3(6), 413–422 (2006)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. 1.Tennessee Technological UniversityCookevilleUSA
  2. 2.Manhattan CollegeRiverdaleUSA
  3. 3.University of North Carolina at WilmingtonWilmingtonUSA

Personalised recommendations