IDEA #2SI7TP Anomaly Based Keylogger Detection through Unix-based VM Introspection. 21A0003

Key Words: Keylogger; Spyware; Invasive Software; Anomaly Detection; Genetic Algorithm; Artificial Immune System; Evolutionary Computation; Edge Computing; Virtual Machine Introspection

Primary Contact: Tarek Saadawi, CCNY/Electrical Engineering

4C. What is the purpose and utility of the invention in general terms?

Our invention is Intrusion Detection System (IDS) software that introspects multiple Linux-based virtual machines (VMs) in order to detect malicious applications (keyloggers, adware, rootkits, trojans, etc.) while running outside the infected VM. Our approach employs an architecture in which the host operating system and the virtual machine layer actively collaborate to guarantee kernel integrity. This collaboration allows us to introspect a VM by tracking events (interrupts, system calls, memory writes, network activity, etc.) and to detect suspicious processes with the appropriate IDS algorithms. Software keyloggers are among the most serious types of malware: they surreptitiously log keyboard activity and exfiltrate the recorded data to third parties. Despite many research and commercial efforts, keyloggers still pose a significant threat of stealing personal and commercial information. In this work we have studied in depth how the Linux operating system handles entered keystrokes, that is, the mechanism behind the Linux keyboard driver, including how a single key press initiated by the user can deliver a sequence of up to six corresponding scan-codes to the keyboard driver. We focus on providing a single Artificial Intelligence (AI) based solution as comprehensive protection for multiple platforms, in contrast to existing signature-based threat detection techniques. Our application effectively detects keyloggers and notifies the system administrator of detected anomalies in a timely manner.
The crucial part of this software is Virtual Machine Introspection (VMI), which addresses several security issues from outside the guest OS without relying on in-guest functionality that advanced malware can render unreliable. Our VMI tool (KVMonitor) works by tracking events (interrupts, memory reads/writes, network activity, and so on). The collected data is then processed and analyzed by the Intrusion Detection System (IDS) for anomaly detection. Given the proliferation of cloud technologies and edge computing, as well as the rollout of fifth generation (5G) mobile radio systems and network architecture, the need for sophisticated and fast security tools is growing. Since modern edge computing scales its performance through virtualization technology, the proposed application provides a secure environment by constantly checking virtual machines from the host operating system (OS).
For more information or to license this innovation: