1. NCCU Academic Hub
  2. Publications
  3. College of Commerce
  4. Theses
  5. Item

Publications-Theses

Article View/Open

Publication Export

Google ScholarTM

NCCU Library

Citation Infomation

Related Publications in TAIR

題名 用虛擬機內省技術強化OpenStack雲端安全機制
Enhancing OpenStack Cloud Security with Virtual Machine Introspection
作者 李彥亨
Lee, Yen Heng
貢獻者 蔡瑞煌<br>郁方
Tsaih, Rua Huan<br>Yu, Fang
李彥亨
Lee, Yen Heng
關鍵詞 虛擬機內省
雲端安全
惡意程式行為
VMI
Cloud Security
Malware behavior
日期 2015
上傳時間 3-Aug-2015 13:21:02 (UTC+8)
摘要 如今,我們能夠受益於各式各樣的雲端服務(如Google及Amazon)全歸功於虛擬化技術的成熟。隨著雲端服務使用量的劇增,雲端安全的議題也不容忽視。傳統上使用網路型及主機型的入侵防衛系統來作雲端安全防護,但隨著虛擬化技術的發展,虛擬機內省機制為基底的防禦機制有著絕對於傳統入侵防衛系統優越的獨立性及可見度並逐漸成為主流的防禦機制。
我們研究提倡的雲端防禦系統框架(VISO)便是以虛擬機內省機制為基底以及透過行為模式辨識的方式作惡意行為偵測且富有可擴增性,並強調所有的解決方案皆為開源的,也是為何我們以OpenStack作為我們的雲端環境防護系統的實驗環境。
關於我們的實驗研究方法,我們採用監督式與非監督式的神經網路來作惡意程式行為分析。而所有惡意程式皆從官方OWL網站取得,並以防毒軟體作標籤的動作。目的是想要確認是否能夠透過同種類且已知的惡意程式行為模式去辨識出未知的同種類惡意程式行為。
Today, we attributes it to virtualization technology that the application of cloud computing is so well-developed that the world-wide famous company can make use of this technique to reap the profits, just likes Google and Amazon etc. While cloud service bringing kinds of benefit to system vendors and cloud tenants, cloud security is exposed to many threats. Traditionally, two main kinds of intrusion detection system (IDS) are host-based IDS (HIDS) and network-based IDS (NIDS). With virtualization technology development, virtual machine monitor (VMM) based IDS is superior to HIDS and NIDS both on isolation and visibility properties as far as cloud security concerned.
We address a cloud security protection framework, called Virtualization Introspection System for OpenStack (VISO), to strengthen OpenStack security defensive mechanism. VISO has some following characteristics. (1) VMI based monitoring mechanism (2) behavior-based analysis (3) elastic to expand system functionality and easy to operate (4) all apparatuses in VISO are free on Internet that is why we also choose the most famous private cloud solution, OpenStack, to deploying cloud environment.
About our experiment method, we using supervised and unsupervised artificial technology algorithm to analyze behaviors monitored in a sandbox environment. All malwares are downloaded from OWL Taiwan official malware knowledge base and labeled by anti-virus scanner. The purpose is to see how effective the features of behaviors collected by VISO can recognize the same family malwares. Detecting unknown malware variants previously not recognized by commercial anti-virus software by training the same family known malware samples.
參考文獻 [1] Albayrak, S., Scheel, C., Milosevic, D., & Muller, A. (2005, November). Combining self-organizing map algorithms for robust and scalable intrusion detection. In Computational Intelligence for Modelling, Control and Automation, 2005 and International Conference on Intelligent Agents, Web Technologies and Internet Commerce, International Conference on (Vol. 2, pp. 123-130). IEEE.
[2] Bayer, U., Comparetti, P. M., Hlauschek, C., Kruegel, C., & Kirda, E. (2009, February). Scalable, Behavior-Based Malware Clustering. In NDSS (Vol. 9, pp. 8-11).
[3] Bayer, U., Moser, A., Kruegel, C., & Kirda, E. (2006). Dynamic analysis of malicious code. Journal in Computer Virology, 2(1), 67-77.
[4] Chen, S., & Zhang, Y. Malware Process Detecting Via Hypervisor.
[5] Dinaburg, A., Royal, P., Sharif, M., & Lee, W. (2008, October). Ether: malware analysis via hardware virtualization extensions. In Proceedings of the 15th ACM conference on Computer and communications security (pp. 51-62). ACM.
[6] Dolan-Gavitt, B., Leek, T., Zhivich, M., Giffin, J., & Lee, W. (2011, May). Virtuoso: Narrowing the semantic gap in virtual machine introspection. In Security and Privacy (SP), 2011 IEEE Symposium on (pp. 297-312). IEEE.
[7] Dynamic-link library (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Dynamic-link library
[8] Egele, M., Scholte, T., Kirda, E., & Kruegel, C. (2012). A survey on automated dynamic malware-analysis techniques and tools. ACM Computing Surveys (CSUR), 44(2), 6.
[9] European Union Agency for Network and Information Security (n.d.). Cloud Computing Security Risk Assessment Retrieved March 24, 2015, from http://www.enisa.europa.eu/activities/riskmanagement/files/deliverables/cloud-computing-risk-assessment
[10] Feyereisl, J., & Aickelin, U. (2009). Self-Organising Maps in Computer Security. Computer Security: Intrusion, Detection and Prevention, Ed. Ronald D. Hopkins, Wesley P. Tokere, 1-30.
[11] Fu, Y., & Lin, Z. (2012, May). Space traveling across vm: Automatically bridging the semantic gap in virtual machine introspection via online kernel data redirection. In Security and Privacy (SP), 2012 IEEE Symposium on (pp. 586-600). IEEE.
[12] Garfinkel, T., & Rosenblum, M. (2003, February). A Virtual Machine Introspection Based Architecture for Intrusion Detection. In NDSS (Vol. 3, pp. 191-206).
[13] Growing self-organizing map (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Growing_self-organizing_map
[14] Hofmeyr, S. A., Forrest, S., & Somayaji, A. (1998). Intrusion detection using sequences of system calls. Journal of computer security, 6(3), 151-180.
[15] Hsiao, S. W., Chen, Y. N., Sun, Y. S., & Chen, M. C. (2013, October). A cooperative botnet profiling and detection in virtualized environment. In Communications and Network Security (CNS), 2013 IEEE Conference on (pp. 154-162). IEEE.
[16] Hypervisor (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Hypervisor
[17] Inoue, H., Adelstein, F., Donovan, M., & Brueckner, S. (2011, June). Automatically Bridging the Semantic Gap using C Interpreter. In 6th Annual Symposium on Information Assurance (ASIA’11) (p. 51).
[18] Jiang, X., Wang, X., & Xu, D. (2007, October). Stealthy malware detection through vmm-based out-of-the-box semantic view reconstruction. In Proceedings of the 14th ACM conference on Computer and communications security (pp. 128-138). ACM.
[19] Kosoresow, A. P., & Hofmeyr, S. A. (1997). Intrusion detection via system call traces. IEEE software, 14(5), 35-42.
[20] Lee, S. W., & Yu, F. (2014, January). Securing KVM-Based Cloud Systems via Virtualization Introspection. In System Sciences (HICSS), 2014 47th Hawaii International Conference on (pp. 5028-5037). IEEE.
[21] Lengyel, T. K., Neumann, J., Maresca, S., Payne, B. D., & Kiayias, A. (2012, August). Virtual Machine Introspection in a Hybrid Honeypot Architecture. In CSET.
[22] LibVMI (n.d.). LibVMI. Retrieved March 24, 2015, from http://libvmi.com/
[23] Ligh, M. H., Case, A., Levy, J., & Walters, A. (2014). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. John Wiley & Sons.
[24] Macine learning (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Machine_learning
[25] Moser, A., Kruegel, C., & Kirda, E. (2007, December). Limits of static analysis for malware detection. In Computer security applications conference, 2007. ACSAC 2007. Twenty-third annual (pp. 421-430). IEEE.
[26] Mukkamala, S., Janoski, G., & Sung, A. (2002). Intrusion detection using neural networks and support vector machines. In Neural Networks, 2002. IJCNN`02. Proceedings of the 2002 International Joint Conference on (Vol. 2, pp. 1702-1707). IEEE.
[27] Nanavati, M., Colp, P., Aiello, B., & Warfield, A. (2014). Cloud security: A gathering storm. Communications of the ACM, 57(5), 70-79.
[28] Nasab, M. R. (2012). Security functions for virtual machines via introspection.
[29] OpenStack (n.d.). OpenStack Documentation for Havana. Retrieved March 24, 2015, from http://docs.openstack.org/havana/
[30] OpenStack (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/OpenStack
[31] Option Volatility (n.d.). Retrieved March 24, 2015, from http://www.investopedia.com/university/optionvolatility/
[32] Payne, B. D. (2012). Simplifying virtual machine introspection using libvmi. Sandia Report.
[33] Payne, B. D., Carbone, M., Sharif, M., & Lee, W. (2008, May). Lares: An architecture for secure active monitoring using virtualization. In Security and Privacy, 2008. SP 2008. IEEE Symposium on (pp. 233-247). IEEE.
[34] Payne, B. D., De Carbone, M. D. P., & Lee, W. (2007, December). Secure and flexible monitoring of virtual machines. In Computer Security Applications Conference, 2007. ACSAC 2007. Twenty-Third Annual (pp. 385-397). IEEE.
[35] Pfoh, J., Schneider, C., & Eckert, C. (2009, November). A formal model for virtual machine introspection. In Proceedings of the 1st ACM workshop on Virtual machine security (pp. 1-10). ACM.
[36] Pfoh, J., Schneider, C., & Eckert, C. (2011). Nitro: Hardware-based system call tracing for virtual machines. In Advances in Information and Computer Security (pp. 96-112). Springer Berlin Heidelberg.
[37] Rieck, K., Holz, T., Willems, C., Düssel, P., & Laskov, P. (2008). Learning and classification of malware behavior. In Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 108-125). Springer Berlin Heidelberg.
[38] Rieck, K., Trinius, P., Willems, C., & Holz, T. (2011). Automatic analysis of malware behavior using machine learning. Journal of Computer Security, 19(4), 639-668.
[39] Sahs, J., & Khan, L. (2012, August). A machine learning approach to android malware detection. In Intelligence and Security Informatics Conference (EISIC), 2012 European (pp. 141-147). IEEE.
[40] Schneider, C., Pfoh, J., & Eckert, C. (2011). A universal semantic bridge for virtual machine introspection. In Information Systems Security (pp. 370-373). Springer Berlin Heidelberg.
[41] Sevilla, M. (2012). CMPS223 Final Project Virtual Machine Introspection Techniques.
[42] Sharif, M. I., Lee, W., Cui, W., & Lanzi, A. (2009, November). Secure in-vm monitoring using hardware virtualization. In Proceedings of the 16th ACM conference on Computer and communications security (pp. 477-487). ACM.
[43] Support vector machine (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Support_vector_machine
[44] System call (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/System_call
[45] Virtualization (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Virtualization
[46] Wu, Y. S., Sun, P. K., Huang, C. C., Lu, S. J., Lai, S. F., & Chen, Y. Y. (2013, June). EagleEye: Towards mandatory security monitoring in virtualized datacenter environment. In Dependable Systems and Networks (DSN), 2013 43rd Annual IEEE/IFIP International Conference on (pp. 1-12). IEEE.
[47] Yoo, I. (2004, October). Visualizing windows executable viruses using self-organizing maps. In Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security (pp. 82-89). ACM.
[48] Yu, F., Huang, S. Y., Chiou, L. C., & Tsaih, R. H. (2013, August). Clustering iOS executable using self-organizing maps. In Neural Networks (IJCNN), The 2013 International Joint Conference on (pp. 1-8). IEEE.
描述 碩士
國立政治大學
資訊管理研究所
102356044
資料來源 http://thesis.lib.nccu.edu.tw/record/#G0102356044
資料類型 thesis
dc.contributor.advisor 蔡瑞煌<br>郁方zh_TW
dc.contributor.advisor Tsaih, Rua Huan<br>Yu, Fangen_US
dc.contributor.author (Authors) 李彥亨zh_TW
dc.contributor.author (Authors) Lee, Yen Hengen_US
dc.creator (作者) 李彥亨zh_TW
dc.creator (作者) Lee, Yen Hengen_US
dc.date (日期) 2015en_US
dc.date.accessioned 3-Aug-2015 13:21:02 (UTC+8)-
dc.date.available 3-Aug-2015 13:21:02 (UTC+8)-
dc.date.issued (上傳時間) 3-Aug-2015 13:21:02 (UTC+8)-
dc.identifier (Other Identifiers) G0102356044en_US
dc.identifier.uri (URI) http://nccur.lib.nccu.edu.tw/handle/140.119/77178-
dc.description (描述) 碩士zh_TW
dc.description (描述) 國立政治大學zh_TW
dc.description (描述) 資訊管理研究所zh_TW
dc.description (描述) 102356044zh_TW
dc.description.abstract (摘要) 如今,我們能夠受益於各式各樣的雲端服務(如Google及Amazon)全歸功於虛擬化技術的成熟。隨著雲端服務使用量的劇增,雲端安全的議題也不容忽視。傳統上使用網路型及主機型的入侵防衛系統來作雲端安全防護,但隨著虛擬化技術的發展,虛擬機內省機制為基底的防禦機制有著絕對於傳統入侵防衛系統優越的獨立性及可見度並逐漸成為主流的防禦機制。
我們研究提倡的雲端防禦系統框架(VISO)便是以虛擬機內省機制為基底以及透過行為模式辨識的方式作惡意行為偵測且富有可擴增性,並強調所有的解決方案皆為開源的,也是為何我們以OpenStack作為我們的雲端環境防護系統的實驗環境。
關於我們的實驗研究方法,我們採用監督式與非監督式的神經網路來作惡意程式行為分析。而所有惡意程式皆從官方OWL網站取得,並以防毒軟體作標籤的動作。目的是想要確認是否能夠透過同種類且已知的惡意程式行為模式去辨識出未知的同種類惡意程式行為。		zh_TW
dc.description.abstract (摘要) Today, we attributes it to virtualization technology that the application of cloud computing is so well-developed that the world-wide famous company can make use of this technique to reap the profits, just likes Google and Amazon etc. While cloud service bringing kinds of benefit to system vendors and cloud tenants, cloud security is exposed to many threats. Traditionally, two main kinds of intrusion detection system (IDS) are host-based IDS (HIDS) and network-based IDS (NIDS). With virtualization technology development, virtual machine monitor (VMM) based IDS is superior to HIDS and NIDS both on isolation and visibility properties as far as cloud security concerned.
We address a cloud security protection framework, called Virtualization Introspection System for OpenStack (VISO), to strengthen OpenStack security defensive mechanism. VISO has some following characteristics. (1) VMI based monitoring mechanism (2) behavior-based analysis (3) elastic to expand system functionality and easy to operate (4) all apparatuses in VISO are free on Internet that is why we also choose the most famous private cloud solution, OpenStack, to deploying cloud environment.
About our experiment method, we using supervised and unsupervised artificial technology algorithm to analyze behaviors monitored in a sandbox environment. All malwares are downloaded from OWL Taiwan official malware knowledge base and labeled by anti-virus scanner. The purpose is to see how effective the features of behaviors collected by VISO can recognize the same family malwares. Detecting unknown malware variants previously not recognized by commercial anti-virus software by training the same family known malware samples.		en_US
dc.description.tableofcontents Abstract i
Contents ii
List of Figures iii
List of Tables iv
List of Appendixes v
Chapter 1 Introduction 1
1.1 Background and Motivation 1
1.2 Approach: Open Source Cloud Security Solution Based on VMI 2
1.3 Contribution 4
1.4 Content Organization 5
Chapter 2 Related work 6
2.1 Hardware Virtualization, Virtual Machine Monitor and OpenStack 6
2.2 Virtual Machine Introspection 9
2.3 Artificial Intelligence 10
2.4 Malware Detection 12
2.5 Clustering and classifying malwares 13
2.6 Uniqueness of VISO 14
Chapter 3 Methodology 16
3.1 Architecture and Deployment 16
3.2 Components and profiles of VISO Framework 19
3.3 Detail of Operation in Training and Testing phase 21
3.3.1 Training phase 22
3.3.2 Testing phase 28
Chapter 4 Experiment 35
Chapter 5 Conclusion 45
Reference 46
Appendix 52		zh_TW
dc.format.extent 8136659 bytes-
dc.format.mimetype application/pdf-
dc.source.uri (資料來源) http://thesis.lib.nccu.edu.tw/record/#G0102356044en_US
dc.subject (關鍵詞) 虛擬機內省zh_TW
dc.subject (關鍵詞) 雲端安全zh_TW
dc.subject (關鍵詞) 惡意程式行為zh_TW
dc.subject (關鍵詞) VMIen_US
dc.subject (關鍵詞) Cloud Securityen_US
dc.subject (關鍵詞) Malware behavioren_US
dc.title (題名) 用虛擬機內省技術強化OpenStack雲端安全機制zh_TW
dc.title (題名) Enhancing OpenStack Cloud Security with Virtual Machine Introspectionen_US
dc.type (資料類型) thesisen
dc.relation.reference (參考文獻) [1] Albayrak, S., Scheel, C., Milosevic, D., & Muller, A. (2005, November). Combining self-organizing map algorithms for robust and scalable intrusion detection. In Computational Intelligence for Modelling, Control and Automation, 2005 and International Conference on Intelligent Agents, Web Technologies and Internet Commerce, International Conference on (Vol. 2, pp. 123-130). IEEE.
[2] Bayer, U., Comparetti, P. M., Hlauschek, C., Kruegel, C., & Kirda, E. (2009, February). Scalable, Behavior-Based Malware Clustering. In NDSS (Vol. 9, pp. 8-11).
[3] Bayer, U., Moser, A., Kruegel, C., & Kirda, E. (2006). Dynamic analysis of malicious code. Journal in Computer Virology, 2(1), 67-77.
[4] Chen, S., & Zhang, Y. Malware Process Detecting Via Hypervisor.
[5] Dinaburg, A., Royal, P., Sharif, M., & Lee, W. (2008, October). Ether: malware analysis via hardware virtualization extensions. In Proceedings of the 15th ACM conference on Computer and communications security (pp. 51-62). ACM.
[6] Dolan-Gavitt, B., Leek, T., Zhivich, M., Giffin, J., & Lee, W. (2011, May). Virtuoso: Narrowing the semantic gap in virtual machine introspection. In Security and Privacy (SP), 2011 IEEE Symposium on (pp. 297-312). IEEE.
[7] Dynamic-link library (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Dynamic-link library
[8] Egele, M., Scholte, T., Kirda, E., & Kruegel, C. (2012). A survey on automated dynamic malware-analysis techniques and tools. ACM Computing Surveys (CSUR), 44(2), 6.
[9] European Union Agency for Network and Information Security (n.d.). Cloud Computing Security Risk Assessment Retrieved March 24, 2015, from http://www.enisa.europa.eu/activities/riskmanagement/files/deliverables/cloud-computing-risk-assessment
[10] Feyereisl, J., & Aickelin, U. (2009). Self-Organising Maps in Computer Security. Computer Security: Intrusion, Detection and Prevention, Ed. Ronald D. Hopkins, Wesley P. Tokere, 1-30.
[11] Fu, Y., & Lin, Z. (2012, May). Space traveling across vm: Automatically bridging the semantic gap in virtual machine introspection via online kernel data redirection. In Security and Privacy (SP), 2012 IEEE Symposium on (pp. 586-600). IEEE.
[12] Garfinkel, T., & Rosenblum, M. (2003, February). A Virtual Machine Introspection Based Architecture for Intrusion Detection. In NDSS (Vol. 3, pp. 191-206).
[13] Growing self-organizing map (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Growing_self-organizing_map
[14] Hofmeyr, S. A., Forrest, S., & Somayaji, A. (1998). Intrusion detection using sequences of system calls. Journal of computer security, 6(3), 151-180.
[15] Hsiao, S. W., Chen, Y. N., Sun, Y. S., & Chen, M. C. (2013, October). A cooperative botnet profiling and detection in virtualized environment. In Communications and Network Security (CNS), 2013 IEEE Conference on (pp. 154-162). IEEE.
[16] Hypervisor (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Hypervisor
[17] Inoue, H., Adelstein, F., Donovan, M., & Brueckner, S. (2011, June). Automatically Bridging the Semantic Gap using C Interpreter. In 6th Annual Symposium on Information Assurance (ASIA’11) (p. 51).
[18] Jiang, X., Wang, X., & Xu, D. (2007, October). Stealthy malware detection through vmm-based out-of-the-box semantic view reconstruction. In Proceedings of the 14th ACM conference on Computer and communications security (pp. 128-138). ACM.
[19] Kosoresow, A. P., & Hofmeyr, S. A. (1997). Intrusion detection via system call traces. IEEE software, 14(5), 35-42.
[20] Lee, S. W., & Yu, F. (2014, January). Securing KVM-Based Cloud Systems via Virtualization Introspection. In System Sciences (HICSS), 2014 47th Hawaii International Conference on (pp. 5028-5037). IEEE.
[21] Lengyel, T. K., Neumann, J., Maresca, S., Payne, B. D., & Kiayias, A. (2012, August). Virtual Machine Introspection in a Hybrid Honeypot Architecture. In CSET.
[22] LibVMI (n.d.). LibVMI. Retrieved March 24, 2015, from http://libvmi.com/
[23] Ligh, M. H., Case, A., Levy, J., & Walters, A. (2014). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. John Wiley & Sons.
[24] Macine learning (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Machine_learning
[25] Moser, A., Kruegel, C., & Kirda, E. (2007, December). Limits of static analysis for malware detection. In Computer security applications conference, 2007. ACSAC 2007. Twenty-third annual (pp. 421-430). IEEE.
[26] Mukkamala, S., Janoski, G., & Sung, A. (2002). Intrusion detection using neural networks and support vector machines. In Neural Networks, 2002. IJCNN`02. Proceedings of the 2002 International Joint Conference on (Vol. 2, pp. 1702-1707). IEEE.
[27] Nanavati, M., Colp, P., Aiello, B., & Warfield, A. (2014). Cloud security: A gathering storm. Communications of the ACM, 57(5), 70-79.
[28] Nasab, M. R. (2012). Security functions for virtual machines via introspection.
[29] OpenStack (n.d.). OpenStack Documentation for Havana. Retrieved March 24, 2015, from http://docs.openstack.org/havana/
[30] OpenStack (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/OpenStack
[31] Option Volatility (n.d.). Retrieved March 24, 2015, from http://www.investopedia.com/university/optionvolatility/
[32] Payne, B. D. (2012). Simplifying virtual machine introspection using libvmi. Sandia Report.
[33] Payne, B. D., Carbone, M., Sharif, M., & Lee, W. (2008, May). Lares: An architecture for secure active monitoring using virtualization. In Security and Privacy, 2008. SP 2008. IEEE Symposium on (pp. 233-247). IEEE.
[34] Payne, B. D., De Carbone, M. D. P., & Lee, W. (2007, December). Secure and flexible monitoring of virtual machines. In Computer Security Applications Conference, 2007. ACSAC 2007. Twenty-Third Annual (pp. 385-397). IEEE.
[35] Pfoh, J., Schneider, C., & Eckert, C. (2009, November). A formal model for virtual machine introspection. In Proceedings of the 1st ACM workshop on Virtual machine security (pp. 1-10). ACM.
[36] Pfoh, J., Schneider, C., & Eckert, C. (2011). Nitro: Hardware-based system call tracing for virtual machines. In Advances in Information and Computer Security (pp. 96-112). Springer Berlin Heidelberg.
[37] Rieck, K., Holz, T., Willems, C., Düssel, P., & Laskov, P. (2008). Learning and classification of malware behavior. In Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 108-125). Springer Berlin Heidelberg.
[38] Rieck, K., Trinius, P., Willems, C., & Holz, T. (2011). Automatic analysis of malware behavior using machine learning. Journal of Computer Security, 19(4), 639-668.
[39] Sahs, J., & Khan, L. (2012, August). A machine learning approach to android malware detection. In Intelligence and Security Informatics Conference (EISIC), 2012 European (pp. 141-147). IEEE.
[40] Schneider, C., Pfoh, J., & Eckert, C. (2011). A universal semantic bridge for virtual machine introspection. In Information Systems Security (pp. 370-373). Springer Berlin Heidelberg.
[41] Sevilla, M. (2012). CMPS223 Final Project Virtual Machine Introspection Techniques.
[42] Sharif, M. I., Lee, W., Cui, W., & Lanzi, A. (2009, November). Secure in-vm monitoring using hardware virtualization. In Proceedings of the 16th ACM conference on Computer and communications security (pp. 477-487). ACM.
[43] Support vector machine (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Support_vector_machine
[44] System call (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/System_call
[45] Virtualization (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Virtualization
[46] Wu, Y. S., Sun, P. K., Huang, C. C., Lu, S. J., Lai, S. F., & Chen, Y. Y. (2013, June). EagleEye: Towards mandatory security monitoring in virtualized datacenter environment. In Dependable Systems and Networks (DSN), 2013 43rd Annual IEEE/IFIP International Conference on (pp. 1-12). IEEE.
[47] Yoo, I. (2004, October). Visualizing windows executable viruses using self-organizing maps. In Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security (pp. 82-89). ACM.
[48] Yu, F., Huang, S. Y., Chiou, L. C., & Tsaih, R. H. (2013, August). Clustering iOS executable using self-organizing maps. In Neural Networks (IJCNN), The 2013 International Joint Conference on (pp. 1-8). IEEE.		zh_TW