Title: Bio-inspired VM Introspection for Securing Collaboration Platforms
As organizations drastically expand their usage of collaborative systems and multi-user applications during this period of mass remote work, it is crucial to understand and manage the risks that such platforms may introduce. Improperly or carelessly deployed and configured systems hide security threats that can impact not only a single organization, but the whole economy. Cloud-based architecture is used in many collaborative systems, such as audio/video conferencing, collaborative document sharing/editing, distance learning and others. Therefore, it is important to understand that safety risks can be triggered by attacks on remote servers and that confidential information might be compromised. In this paper, we present an AI-powered application that aims to constantly introspect multiple virtual servers in order to detect malicious activities based on their anomalous behavior. Once suspicious process(es) are detected, the application notifies the system administrator about the potential threat in real time. The developed software is able to detect user-space keyloggers, rootkits, process hiding and other intrusion artifacts via agent-less operation, by operating directly from the host machine. Remote memory introspection means there is no software to install and no notice to malware to evacuate or destroy data. Experiments conducted on more than twenty different types of malicious applications provide evidence of high detection accuracy.
Journal Name:
International Conference on Intelligent Networking and Collaborative Systems (INCoS 2021)
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. The extreme bandwidth and performance of 5G mobile networks change the way we develop and utilize digital services. Within a few years, 5G will not only touch technology and applications, but dramatically change the economy, our society and individual life. One of the emerging technologies that enables the evolution to 5G by bringing cloud capabilities near to the end users is Edge Computing, also known as Multi-Access Edge Computing (MEC), which will become pertinent to the evolution of 5G. This evolution also entails growth in the threat landscape and increased privacy concerns in different application areas; hence security and privacy play a central role in the evolution towards 5G. Since MEC applications are instantiated in the virtualized infrastructure, in this paper we present a distributed application that aims to constantly introspect multiple virtual machines (VMs) in order to detect malicious activities based on their anomalous behavior. Once suspicious processes are detected, our IDS notifies the system administrator about the potential threat in real time. The developed software is able to detect keyloggers, rootkits, trojans, process hiding and other intrusion artifacts via agent-less operation, by operating remotely or directly from the host machine. Remote memory introspection means there is no software to install and no notice to malware to evacuate or destroy data. Experimental results of remote VMI on more than 50 different pieces of malicious code demonstrate an average anomaly detection rate close to 97%. We have established a wide testbed environment connecting the networks of two universities, Kyushu Institute of Technology and The City College of New York, through a secure GRE tunnel. Conducted experiments on this testbed deliver high response time of the proposed system.
  2. Software keyloggers are a dominant class of malicious applications that surreptitiously log all user activity to gather confidential information. Among many other types of keyloggers, API-based keyloggers can masquerade as an unprivileged program running in user space to eavesdrop on and record all the keystrokes typed by the user. In a Linux environment, defending against these types of malware means defending the kernel against being compromised, and it is still an open and difficult problem. Considering how the recent trend of edge computing extends cloud computing and the Internet of Things (IoT) to the edge of the network, a new type of intrusion detection system (IDS) has been used to mitigate cybersecurity threats in edge computing. The proposed work aims to provide a secure environment by constantly checking virtual machines for the presence of keyloggers using cutting-edge artificial immune system (AIS) based technology. The algorithms that exist in the field of AIS exploit the immune system’s characteristics of learning and memory to solve diverse problems. We further present our approach by employing an architecture where the host OS and a virtual machine (VM) layer actively collaborate to guarantee kernel integrity. This collaborative approach allows us to introspect a VM by tracking events (interrupts, system calls, memory writes, network activities, etc.) and to detect anomalies by employing the negative selection algorithm (NSA).
  3. Many have predicted the future of the Web to be the integration of Web content with the real-world through technologies such as Augmented Reality (AR). This has led to the rise of Extended Reality (XR) Web Browsers used to shorten the long AR application development and deployment cycle of native applications especially across different platforms. As XR Browsers mature, we face new challenges related to collaborative and multi-user applications that span users, devices, and machines. These collaborative XR applications require: (1) networking support for scaling to many users, (2) mechanisms for content access control and application isolation, and (3) the ability to host application logic near clients or data sources to reduce application latency. In this paper, we present the design and evaluation of the AR Edge Networking Architecture (ARENA) which is a platform that simplifies building and hosting collaborative XR applications on WebXR capable browsers. ARENA provides a number of critical components including: a hierarchical geospatial directory service that connects users to nearby servers and content, a token-based authentication system for controlling user access to content, and an application/service runtime supervisor that can dispatch programs across any network connected device. All of the content within ARENA exists as endpoints in a PubSub scene graph model that is synchronized across all users. We evaluate ARENA in terms of client performance as well as benchmark end-to-end response-time as load on the system scales. We show the ability to horizontally scale the system to Internet-scale with scenes containing hundreds of users and latencies on the order of tens of milliseconds. Finally, we highlight projects built using ARENA and showcase how our approach dramatically simplifies collaborative multi-user XR development compared to monolithic approaches. 
  4. Sudeepa Roy and Jun Yang (Ed.)
    Data we encounter in the real world, such as printed menus, business documents, and nutrition labels, are often ad hoc. Valuable insights can be gathered from this data when combined with additional information. Recent advances in computer vision and augmented reality have made it possible to understand and enrich such data. Joining real-world data with remote data stores and surfacing those enhanced results in place, within an augmented reality interface, can lead to better and more informed decision-making capabilities. However, building end-user applications that perform these joins with minimal human effort is not straightforward. It requires a diverse set of expertise, including machine learning, database systems, computer vision, and data visualization. To address this complexity, we present Quill – a framework to develop end-to-end applications that model augmented reality applications as a join between real-world data and remote data stores. Using an intuitive domain-specific language, Quill accelerates the development of end-user applications that join real-world data with remote data stores. Through experiments on applications from multiple different domains, we show that Quill not only expedites the process of development, but also allows developers to build applications that are more performant than those built using standard developer tools, thanks to the ability to optimize declarative specifications. We also perform a user-focused study to investigate how easy (or difficult) it is to use Quill for developing augmented reality applications compared with other existing tools. Our results show that Quill allows developers to build and deploy applications with a lower technical background than building the same application using existing developer tools.
  5. Access control and information flow are the two building blocks in the design of secure software. Of the two, access control seems ubiquitous, being widely used in operating systems, databases, firewalls, servers, web applications, and so on. The successes of information flow seem less obvious, and its benefits and potential underappreciated. Yet, when it comes to defending against malicious code, access control based defenses have proved susceptible to evasion, or they end up being so restrictive as to interfere with legitimate use. In this talk, I will argue that defenses based on information flow can be more discerning, as they utilize not only the operations performed but also their context, e.g., whether malicious actors could be exerting control over these operations or their key arguments. I will then describe successful applications of information flow to defend against every stage of a cyber attack campaign, including: (a) exploit mitigation for a wide range of software vulnerabilities, (b) malware containment across diverse OSes, including Linux, BSD, and Windows XP through Windows 10, and (c) attack campaign reconstruction, where we achieve a five to six orders of magnitude data reduction by applying our techniques.