[Ongoing Project] From Jan. 2014 to Dec. 2016 @ Institute of Information Science, Sinica, as Postdoctoral Fellow under the supervision of Dr. Meng Chang Chen, with National Taiwan University, National Cheng Kung University and National Chengchi University. Chinese title: Cloud real-time continuous security defense and detection system for security isolation in virtualized environments.
Problem and Goal. In a multi-tenancy cloud environment, the cloud platform manager needs a security-analysis tool that inspects and controls the applications running inside a virtual machine, so that a compromised VM cannot go on to compromise the other physical and virtual machines in the same cloud. To achieve security isolation, cloud managers should continuously inspect the operation of individual applications in a VM, so that when one VM is compromised the presence of the malware is detected immediately and its behavior is recorded. In this research project we therefore propose a real-time continuous security protection (RCSP) system for the cloud virtualization environment. The system continuously monitors, inspects and describes the operation of a VM in real time, determines whether the VM contains malware or only goodware, and can take the necessary defense actions before the malware harms the cloud environment.
Design. RCSP has 3 phases: VMI-based Profiling, Profile Analysis, and Runtime Detection and Forensics, as shown and explained in the figure below.
Data Analysis. The collected profiles take the form of a sequence of Windows API calls together with their runtime parameters and return values. I applied different sequence-analysis and similarity-analysis methods to analyze the behavior patterns in the malware profiles. The data analysis process is shown in Fig. 5. A visualized behavior-pattern figure and the tree-based relationship between malware samples are generated automatically.
- An open-source profile analysis library for academic use, including Principal Component Analysis for identifying significant behavior in a behavior profile, a pre-calculated Jaccard distance for each pair of malware samples, and a UPGMA library.
- The phylogenetic tree of analyzed malware.
- A decision tree for identifying different malware families.
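As an added illustration of the similarity analysis and tree construction described above (example code, not the project's library), the following computes the Jaccard distance between API-call profiles and clusters them with UPGMA into a phylogenetic tree. The profiles, sample names and API lists are constructed for the example and are not data from the project.

```python
from itertools import combinations

# Constructed profiles (not data from the project): each entry is the
# sequence of Windows API names the profiler recorded for one sample.
PROFILES = {
    "sampleA": ["CreateFileW", "WriteFile", "RegSetValueExW",
                "CreateProcessW", "VirtualAllocEx", "WriteFile"],
    "sampleB": ["CreateFileW", "WriteFile", "RegSetValueExW", "CreateProcessW"],
    "sampleC": ["InternetOpenA", "InternetConnectA", "HttpSendRequestA", "WriteFile"],
    "sampleD": ["InternetOpenA", "InternetConnectA", "HttpSendRequestA",
                "RegSetValueExW"],
}

def jaccard_distance(seq_a, seq_b):
    """Jaccard distance over the *set* of API names: 1 - |A & B| / |A | B|."""
    a, b = set(seq_a), set(seq_b)
    union = a | b
    return 0.0 if not union else 1.0 - len(a & b) / len(union)

def pairwise_distances(profiles):
    """Pre-compute the distance for every unordered pair of samples."""
    return {frozenset(p): jaccard_distance(profiles[p[0]], profiles[p[1]])
            for p in combinations(profiles, 2)}

def upgma(dist, names):
    """UPGMA (average linkage): repeatedly merge the closest pair; the merged
    cluster's distance to any other cluster is the size-weighted mean of its
    members' distances. Returns a Newick tree; each branch length is the
    parent's height (half the merge distance) minus the child's height."""
    size = {n: 1 for n in names}        # leaf count per cluster label
    height = {n: 0.0 for n in names}    # ultrametric height per cluster
    d = dict(dist)
    while len(size) > 1:
        pair = min(d, key=lambda k: (d[k], sorted(k)))  # deterministic tie-break
        x, y = sorted(pair)
        h = d[pair] / 2
        label = "(%s:%.3f,%s:%.3f)" % (x, h - height[x], y, h - height[y])
        for z in list(size):
            if z not in (x, y):
                d[frozenset((label, z))] = (
                    size[x] * d[frozenset((x, z))] + size[y] * d[frozenset((y, z))]
                ) / (size[x] + size[y])
        d = {k: v for k, v in d.items() if not (k & {x, y})}  # drop merged rows
        size[label] = size.pop(x) + size.pop(y)
        height[label] = h
        del height[x], height[y]
    return next(iter(size)) + ";"

def phylogenetic_tree(profiles):
    """Full pipeline: profiles -> pairwise Jaccard distances -> UPGMA Newick tree."""
    return upgma(pairwise_distances(profiles), list(profiles))
```

The Newick string can be loaded into any standard tree viewer to draw the tree; samples sharing most API calls (A with B, C with D) end up as sibling leaves.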