學術產出-學位論文
文章檢視/開啟
書目匯出
-
題名 用虛擬機內省技術強化OpenStack雲端安全機制
Enhancing OpenStack Cloud Security with Virtual Machine Introspection作者 李彥亨
Lee, Yen Heng貢獻者 蔡瑞煌<br>郁方
Tsaih, Rua Huan<br>Yu, Fang
李彥亨
Lee, Yen Heng關鍵詞 虛擬機內省
雲端安全
惡意程式行為
VMI
Cloud Security
Malware behavior日期 2015 上傳時間 3-八月-2015 13:21:02 (UTC+8) 摘要 如今,我們能夠受益於各式各樣的雲端服務(如Google及Amazon)全歸功於虛擬化技術的成熟。隨著雲端服務使用量的劇增,雲端安全的議題也不容忽視。傳統上使用網路型及主機型的入侵防衛系統來作雲端安全防護,但隨著虛擬化技術的發展,虛擬機內省機制為基底的防禦機制有著絕對於傳統入侵防衛系統優越的獨立性及可見度並逐漸成為主流的防禦機制。我們研究提倡的雲端防禦系統框架(VISO)便是以虛擬機內省機制為基底以及透過行為模式辨識的方式作惡意行為偵測且富有可擴增性,並強調所有的解決方案皆為開源的,也是為何我們以OpenStack作為我們的雲端環境防護系統的實驗環境。關於我們的實驗研究方法,我們採用監督式與非監督式的神經網路來作惡意程式行為分析。而所有惡意程式皆從官方OWL網站取得,並以防毒軟體作標籤的動作。目的是想要確認是否能夠透過同種類且已知的惡意程式行為模式去辨識出未知的同種類惡意程式行為。
Today, we attributes it to virtualization technology that the application of cloud computing is so well-developed that the world-wide famous company can make use of this technique to reap the profits, just likes Google and Amazon etc. While cloud service bringing kinds of benefit to system vendors and cloud tenants, cloud security is exposed to many threats. Traditionally, two main kinds of intrusion detection system (IDS) are host-based IDS (HIDS) and network-based IDS (NIDS). With virtualization technology development, virtual machine monitor (VMM) based IDS is superior to HIDS and NIDS both on isolation and visibility properties as far as cloud security concerned. We address a cloud security protection framework, called Virtualization Introspection System for OpenStack (VISO), to strengthen OpenStack security defensive mechanism. VISO has some following characteristics. (1) VMI based monitoring mechanism (2) behavior-based analysis (3) elastic to expand system functionality and easy to operate (4) all apparatuses in VISO are free on Internet that is why we also choose the most famous private cloud solution, OpenStack, to deploying cloud environment. About our experiment method, we using supervised and unsupervised artificial technology algorithm to analyze behaviors monitored in a sandbox environment. All malwares are downloaded from OWL Taiwan official malware knowledge base and labeled by anti-virus scanner. The purpose is to see how effective the features of behaviors collected by VISO can recognize the same family malwares. Detecting unknown malware variants previously not recognized by commercial anti-virus software by training the same family known malware samples.參考文獻 [1] Albayrak, S., Scheel, C., Milosevic, D., & Muller, A. (2005, November). Combining self-organizing map algorithms for robust and scalable intrusion detection. In Computational Intelligence for Modelling, Control and Automation, 2005 and International Conference on Intelligent Agents, Web Technologies and Internet Commerce, International Conference on (Vol. 2, pp. 123-130). IEEE.[2] Bayer, U., Comparetti, P. M., Hlauschek, C., Kruegel, C., & Kirda, E. (2009, February). Scalable, Behavior-Based Malware Clustering. In NDSS (Vol. 9, pp. 8-11).[3] Bayer, U., Moser, A., Kruegel, C., & Kirda, E. (2006). Dynamic analysis of malicious code. Journal in Computer Virology, 2(1), 67-77.[4] Chen, S., & Zhang, Y. Malware Process Detecting Via Hypervisor.[5] Dinaburg, A., Royal, P., Sharif, M., & Lee, W. (2008, October). Ether: malware analysis via hardware virtualization extensions. In Proceedings of the 15th ACM conference on Computer and communications security (pp. 51-62). ACM.[6] Dolan-Gavitt, B., Leek, T., Zhivich, M., Giffin, J., & Lee, W. (2011, May). Virtuoso: Narrowing the semantic gap in virtual machine introspection. In Security and Privacy (SP), 2011 IEEE Symposium on (pp. 297-312). IEEE.[7] Dynamic-link library (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Dynamic-link library[8] Egele, M., Scholte, T., Kirda, E., & Kruegel, C. (2012). A survey on automated dynamic malware-analysis techniques and tools. ACM Computing Surveys (CSUR), 44(2), 6.[9] European Union Agency for Network and Information Security (n.d.). Cloud Computing Security Risk Assessment Retrieved March 24, 2015, from http://www.enisa.europa.eu/activities/riskmanagement/files/deliverables/cloud-computing-risk-assessment[10] Feyereisl, J., & Aickelin, U. (2009). Self-Organising Maps in Computer Security. Computer Security: Intrusion, Detection and Prevention, Ed. Ronald D. Hopkins, Wesley P. Tokere, 1-30.[11] Fu, Y., & Lin, Z. (2012, May). Space traveling across vm: Automatically bridging the semantic gap in virtual machine introspection via online kernel data redirection. In Security and Privacy (SP), 2012 IEEE Symposium on (pp. 586-600). IEEE.[12] Garfinkel, T., & Rosenblum, M. (2003, February). A Virtual Machine Introspection Based Architecture for Intrusion Detection. In NDSS (Vol. 3, pp. 191-206).[13] Growing self-organizing map (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Growing_self-organizing_map[14] Hofmeyr, S. A., Forrest, S., & Somayaji, A. (1998). Intrusion detection using sequences of system calls. Journal of computer security, 6(3), 151-180.[15] Hsiao, S. W., Chen, Y. N., Sun, Y. S., & Chen, M. C. (2013, October). A cooperative botnet profiling and detection in virtualized environment. In Communications and Network Security (CNS), 2013 IEEE Conference on (pp. 154-162). IEEE.[16] Hypervisor (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Hypervisor[17] Inoue, H., Adelstein, F., Donovan, M., & Brueckner, S. (2011, June). Automatically Bridging the Semantic Gap using C Interpreter. In 6th Annual Symposium on Information Assurance (ASIA’11) (p. 51).[18] Jiang, X., Wang, X., & Xu, D. (2007, October). Stealthy malware detection through vmm-based out-of-the-box semantic view reconstruction. In Proceedings of the 14th ACM conference on Computer and communications security (pp. 128-138). ACM.[19] Kosoresow, A. P., & Hofmeyr, S. A. (1997). Intrusion detection via system call traces. IEEE software, 14(5), 35-42.[20] Lee, S. W., & Yu, F. (2014, January). Securing KVM-Based Cloud Systems via Virtualization Introspection. In System Sciences (HICSS), 2014 47th Hawaii International Conference on (pp. 5028-5037). IEEE.[21] Lengyel, T. K., Neumann, J., Maresca, S., Payne, B. D., & Kiayias, A. (2012, August). Virtual Machine Introspection in a Hybrid Honeypot Architecture. In CSET.[22] LibVMI (n.d.). LibVMI. Retrieved March 24, 2015, from http://libvmi.com/[23] Ligh, M. H., Case, A., Levy, J., & Walters, A. (2014). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. John Wiley & Sons.[24] Macine learning (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Machine_learning[25] Moser, A., Kruegel, C., & Kirda, E. (2007, December). Limits of static analysis for malware detection. In Computer security applications conference, 2007. ACSAC 2007. Twenty-third annual (pp. 421-430). IEEE.[26] Mukkamala, S., Janoski, G., & Sung, A. (2002). Intrusion detection using neural networks and support vector machines. In Neural Networks, 2002. IJCNN`02. Proceedings of the 2002 International Joint Conference on (Vol. 2, pp. 1702-1707). IEEE.[27] Nanavati, M., Colp, P., Aiello, B., & Warfield, A. (2014). Cloud security: A gathering storm. Communications of the ACM, 57(5), 70-79.[28] Nasab, M. R. (2012). Security functions for virtual machines via introspection.[29] OpenStack (n.d.). OpenStack Documentation for Havana. Retrieved March 24, 2015, from http://docs.openstack.org/havana/[30] OpenStack (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/OpenStack[31] Option Volatility (n.d.). Retrieved March 24, 2015, from http://www.investopedia.com/university/optionvolatility/[32] Payne, B. D. (2012). Simplifying virtual machine introspection using libvmi. Sandia Report.[33] Payne, B. D., Carbone, M., Sharif, M., & Lee, W. (2008, May). Lares: An architecture for secure active monitoring using virtualization. In Security and Privacy, 2008. SP 2008. IEEE Symposium on (pp. 233-247). IEEE.[34] Payne, B. D., De Carbone, M. D. P., & Lee, W. (2007, December). Secure and flexible monitoring of virtual machines. In Computer Security Applications Conference, 2007. ACSAC 2007. Twenty-Third Annual (pp. 385-397). IEEE.[35] Pfoh, J., Schneider, C., & Eckert, C. (2009, November). A formal model for virtual machine introspection. In Proceedings of the 1st ACM workshop on Virtual machine security (pp. 1-10). ACM.[36] Pfoh, J., Schneider, C., & Eckert, C. (2011). Nitro: Hardware-based system call tracing for virtual machines. In Advances in Information and Computer Security (pp. 96-112). Springer Berlin Heidelberg.[37] Rieck, K., Holz, T., Willems, C., Düssel, P., & Laskov, P. (2008). Learning and classification of malware behavior. In Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 108-125). Springer Berlin Heidelberg.[38] Rieck, K., Trinius, P., Willems, C., & Holz, T. (2011). Automatic analysis of malware behavior using machine learning. Journal of Computer Security, 19(4), 639-668.[39] Sahs, J., & Khan, L. (2012, August). A machine learning approach to android malware detection. In Intelligence and Security Informatics Conference (EISIC), 2012 European (pp. 141-147). IEEE.[40] Schneider, C., Pfoh, J., & Eckert, C. (2011). A universal semantic bridge for virtual machine introspection. In Information Systems Security (pp. 370-373). Springer Berlin Heidelberg.[41] Sevilla, M. (2012). CMPS223 Final Project Virtual Machine Introspection Techniques.[42] Sharif, M. I., Lee, W., Cui, W., & Lanzi, A. (2009, November). Secure in-vm monitoring using hardware virtualization. In Proceedings of the 16th ACM conference on Computer and communications security (pp. 477-487). ACM.[43] Support vector machine (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Support_vector_machine[44] System call (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/System_call[45] Virtualization (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Virtualization[46] Wu, Y. S., Sun, P. K., Huang, C. C., Lu, S. J., Lai, S. F., & Chen, Y. Y. (2013, June). EagleEye: Towards mandatory security monitoring in virtualized datacenter environment. In Dependable Systems and Networks (DSN), 2013 43rd Annual IEEE/IFIP International Conference on (pp. 1-12). IEEE.[47] Yoo, I. (2004, October). Visualizing windows executable viruses using self-organizing maps. In Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security (pp. 82-89). ACM.[48] Yu, F., Huang, S. Y., Chiou, L. C., & Tsaih, R. H. (2013, August). Clustering iOS executable using self-organizing maps. In Neural Networks (IJCNN), The 2013 International Joint Conference on (pp. 1-8). IEEE. 描述 碩士
國立政治大學
資訊管理研究所
102356044資料來源 http://thesis.lib.nccu.edu.tw/record/#G0102356044 資料類型 thesis dc.contributor.advisor 蔡瑞煌<br>郁方 zh_TW dc.contributor.advisor Tsaih, Rua Huan<br>Yu, Fang en_US dc.contributor.author (作者) 李彥亨 zh_TW dc.contributor.author (作者) Lee, Yen Heng en_US dc.creator (作者) 李彥亨 zh_TW dc.creator (作者) Lee, Yen Heng en_US dc.date (日期) 2015 en_US dc.date.accessioned 3-八月-2015 13:21:02 (UTC+8) - dc.date.available 3-八月-2015 13:21:02 (UTC+8) - dc.date.issued (上傳時間) 3-八月-2015 13:21:02 (UTC+8) - dc.identifier (其他 識別碼) G0102356044 en_US dc.identifier.uri (URI) http://nccur.lib.nccu.edu.tw/handle/140.119/77178 - dc.description (描述) 碩士 zh_TW dc.description (描述) 國立政治大學 zh_TW dc.description (描述) 資訊管理研究所 zh_TW dc.description (描述) 102356044 zh_TW dc.description.abstract (摘要) 如今,我們能夠受益於各式各樣的雲端服務(如Google及Amazon)全歸功於虛擬化技術的成熟。隨著雲端服務使用量的劇增,雲端安全的議題也不容忽視。傳統上使用網路型及主機型的入侵防衛系統來作雲端安全防護,但隨著虛擬化技術的發展,虛擬機內省機制為基底的防禦機制有著絕對於傳統入侵防衛系統優越的獨立性及可見度並逐漸成為主流的防禦機制。我們研究提倡的雲端防禦系統框架(VISO)便是以虛擬機內省機制為基底以及透過行為模式辨識的方式作惡意行為偵測且富有可擴增性,並強調所有的解決方案皆為開源的,也是為何我們以OpenStack作為我們的雲端環境防護系統的實驗環境。關於我們的實驗研究方法,我們採用監督式與非監督式的神經網路來作惡意程式行為分析。而所有惡意程式皆從官方OWL網站取得,並以防毒軟體作標籤的動作。目的是想要確認是否能夠透過同種類且已知的惡意程式行為模式去辨識出未知的同種類惡意程式行為。 zh_TW dc.description.abstract (摘要) Today, we attributes it to virtualization technology that the application of cloud computing is so well-developed that the world-wide famous company can make use of this technique to reap the profits, just likes Google and Amazon etc. While cloud service bringing kinds of benefit to system vendors and cloud tenants, cloud security is exposed to many threats. Traditionally, two main kinds of intrusion detection system (IDS) are host-based IDS (HIDS) and network-based IDS (NIDS). With virtualization technology development, virtual machine monitor (VMM) based IDS is superior to HIDS and NIDS both on isolation and visibility properties as far as cloud security concerned. We address a cloud security protection framework, called Virtualization Introspection System for OpenStack (VISO), to strengthen OpenStack security defensive mechanism. VISO has some following characteristics. (1) VMI based monitoring mechanism (2) behavior-based analysis (3) elastic to expand system functionality and easy to operate (4) all apparatuses in VISO are free on Internet that is why we also choose the most famous private cloud solution, OpenStack, to deploying cloud environment. About our experiment method, we using supervised and unsupervised artificial technology algorithm to analyze behaviors monitored in a sandbox environment. All malwares are downloaded from OWL Taiwan official malware knowledge base and labeled by anti-virus scanner. The purpose is to see how effective the features of behaviors collected by VISO can recognize the same family malwares. Detecting unknown malware variants previously not recognized by commercial anti-virus software by training the same family known malware samples. en_US dc.description.tableofcontents Abstract iContents iiList of Figures iiiList of Tables ivList of Appendixes vChapter 1 Introduction 11.1 Background and Motivation 11.2 Approach: Open Source Cloud Security Solution Based on VMI 21.3 Contribution 41.4 Content Organization 5Chapter 2 Related work 62.1 Hardware Virtualization, Virtual Machine Monitor and OpenStack 62.2 Virtual Machine Introspection 92.3 Artificial Intelligence 102.4 Malware Detection 122.5 Clustering and classifying malwares 132.6 Uniqueness of VISO 14Chapter 3 Methodology 163.1 Architecture and Deployment 163.2 Components and profiles of VISO Framework 193.3 Detail of Operation in Training and Testing phase 213.3.1 Training phase 223.3.2 Testing phase 28Chapter 4 Experiment 35Chapter 5 Conclusion 45Reference 46Appendix 52 zh_TW dc.format.extent 8136659 bytes - dc.format.mimetype application/pdf - dc.source.uri (資料來源) http://thesis.lib.nccu.edu.tw/record/#G0102356044 en_US dc.subject (關鍵詞) 虛擬機內省 zh_TW dc.subject (關鍵詞) 雲端安全 zh_TW dc.subject (關鍵詞) 惡意程式行為 zh_TW dc.subject (關鍵詞) VMI en_US dc.subject (關鍵詞) Cloud Security en_US dc.subject (關鍵詞) Malware behavior en_US dc.title (題名) 用虛擬機內省技術強化OpenStack雲端安全機制 zh_TW dc.title (題名) Enhancing OpenStack Cloud Security with Virtual Machine Introspection en_US dc.type (資料類型) thesis en dc.relation.reference (參考文獻) [1] Albayrak, S., Scheel, C., Milosevic, D., & Muller, A. (2005, November). Combining self-organizing map algorithms for robust and scalable intrusion detection. In Computational Intelligence for Modelling, Control and Automation, 2005 and International Conference on Intelligent Agents, Web Technologies and Internet Commerce, International Conference on (Vol. 2, pp. 123-130). IEEE.[2] Bayer, U., Comparetti, P. M., Hlauschek, C., Kruegel, C., & Kirda, E. (2009, February). Scalable, Behavior-Based Malware Clustering. In NDSS (Vol. 9, pp. 8-11).[3] Bayer, U., Moser, A., Kruegel, C., & Kirda, E. (2006). Dynamic analysis of malicious code. Journal in Computer Virology, 2(1), 67-77.[4] Chen, S., & Zhang, Y. Malware Process Detecting Via Hypervisor.[5] Dinaburg, A., Royal, P., Sharif, M., & Lee, W. (2008, October). Ether: malware analysis via hardware virtualization extensions. In Proceedings of the 15th ACM conference on Computer and communications security (pp. 51-62). ACM.[6] Dolan-Gavitt, B., Leek, T., Zhivich, M., Giffin, J., & Lee, W. (2011, May). Virtuoso: Narrowing the semantic gap in virtual machine introspection. In Security and Privacy (SP), 2011 IEEE Symposium on (pp. 297-312). IEEE.[7] Dynamic-link library (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Dynamic-link library[8] Egele, M., Scholte, T., Kirda, E., & Kruegel, C. (2012). A survey on automated dynamic malware-analysis techniques and tools. ACM Computing Surveys (CSUR), 44(2), 6.[9] European Union Agency for Network and Information Security (n.d.). Cloud Computing Security Risk Assessment Retrieved March 24, 2015, from http://www.enisa.europa.eu/activities/riskmanagement/files/deliverables/cloud-computing-risk-assessment[10] Feyereisl, J., & Aickelin, U. (2009). Self-Organising Maps in Computer Security. Computer Security: Intrusion, Detection and Prevention, Ed. Ronald D. Hopkins, Wesley P. Tokere, 1-30.[11] Fu, Y., & Lin, Z. (2012, May). Space traveling across vm: Automatically bridging the semantic gap in virtual machine introspection via online kernel data redirection. In Security and Privacy (SP), 2012 IEEE Symposium on (pp. 586-600). IEEE.[12] Garfinkel, T., & Rosenblum, M. (2003, February). A Virtual Machine Introspection Based Architecture for Intrusion Detection. In NDSS (Vol. 3, pp. 191-206).[13] Growing self-organizing map (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Growing_self-organizing_map[14] Hofmeyr, S. A., Forrest, S., & Somayaji, A. (1998). Intrusion detection using sequences of system calls. Journal of computer security, 6(3), 151-180.[15] Hsiao, S. W., Chen, Y. N., Sun, Y. S., & Chen, M. C. (2013, October). A cooperative botnet profiling and detection in virtualized environment. In Communications and Network Security (CNS), 2013 IEEE Conference on (pp. 154-162). IEEE.[16] Hypervisor (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Hypervisor[17] Inoue, H., Adelstein, F., Donovan, M., & Brueckner, S. (2011, June). Automatically Bridging the Semantic Gap using C Interpreter. In 6th Annual Symposium on Information Assurance (ASIA’11) (p. 51).[18] Jiang, X., Wang, X., & Xu, D. (2007, October). Stealthy malware detection through vmm-based out-of-the-box semantic view reconstruction. In Proceedings of the 14th ACM conference on Computer and communications security (pp. 128-138). ACM.[19] Kosoresow, A. P., & Hofmeyr, S. A. (1997). Intrusion detection via system call traces. IEEE software, 14(5), 35-42.[20] Lee, S. W., & Yu, F. (2014, January). Securing KVM-Based Cloud Systems via Virtualization Introspection. In System Sciences (HICSS), 2014 47th Hawaii International Conference on (pp. 5028-5037). IEEE.[21] Lengyel, T. K., Neumann, J., Maresca, S., Payne, B. D., & Kiayias, A. (2012, August). Virtual Machine Introspection in a Hybrid Honeypot Architecture. In CSET.[22] LibVMI (n.d.). LibVMI. Retrieved March 24, 2015, from http://libvmi.com/[23] Ligh, M. H., Case, A., Levy, J., & Walters, A. (2014). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. John Wiley & Sons.[24] Macine learning (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Machine_learning[25] Moser, A., Kruegel, C., & Kirda, E. (2007, December). Limits of static analysis for malware detection. In Computer security applications conference, 2007. ACSAC 2007. Twenty-third annual (pp. 421-430). IEEE.[26] Mukkamala, S., Janoski, G., & Sung, A. (2002). Intrusion detection using neural networks and support vector machines. In Neural Networks, 2002. IJCNN`02. Proceedings of the 2002 International Joint Conference on (Vol. 2, pp. 1702-1707). IEEE.[27] Nanavati, M., Colp, P., Aiello, B., & Warfield, A. (2014). Cloud security: A gathering storm. Communications of the ACM, 57(5), 70-79.[28] Nasab, M. R. (2012). Security functions for virtual machines via introspection.[29] OpenStack (n.d.). OpenStack Documentation for Havana. Retrieved March 24, 2015, from http://docs.openstack.org/havana/[30] OpenStack (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/OpenStack[31] Option Volatility (n.d.). Retrieved March 24, 2015, from http://www.investopedia.com/university/optionvolatility/[32] Payne, B. D. (2012). Simplifying virtual machine introspection using libvmi. Sandia Report.[33] Payne, B. D., Carbone, M., Sharif, M., & Lee, W. (2008, May). Lares: An architecture for secure active monitoring using virtualization. In Security and Privacy, 2008. SP 2008. IEEE Symposium on (pp. 233-247). IEEE.[34] Payne, B. D., De Carbone, M. D. P., & Lee, W. (2007, December). Secure and flexible monitoring of virtual machines. In Computer Security Applications Conference, 2007. ACSAC 2007. Twenty-Third Annual (pp. 385-397). IEEE.[35] Pfoh, J., Schneider, C., & Eckert, C. (2009, November). A formal model for virtual machine introspection. In Proceedings of the 1st ACM workshop on Virtual machine security (pp. 1-10). ACM.[36] Pfoh, J., Schneider, C., & Eckert, C. (2011). Nitro: Hardware-based system call tracing for virtual machines. In Advances in Information and Computer Security (pp. 96-112). Springer Berlin Heidelberg.[37] Rieck, K., Holz, T., Willems, C., Düssel, P., & Laskov, P. (2008). Learning and classification of malware behavior. In Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 108-125). Springer Berlin Heidelberg.[38] Rieck, K., Trinius, P., Willems, C., & Holz, T. (2011). Automatic analysis of malware behavior using machine learning. Journal of Computer Security, 19(4), 639-668.[39] Sahs, J., & Khan, L. (2012, August). A machine learning approach to android malware detection. In Intelligence and Security Informatics Conference (EISIC), 2012 European (pp. 141-147). IEEE.[40] Schneider, C., Pfoh, J., & Eckert, C. (2011). A universal semantic bridge for virtual machine introspection. In Information Systems Security (pp. 370-373). Springer Berlin Heidelberg.[41] Sevilla, M. (2012). CMPS223 Final Project Virtual Machine Introspection Techniques.[42] Sharif, M. I., Lee, W., Cui, W., & Lanzi, A. (2009, November). Secure in-vm monitoring using hardware virtualization. In Proceedings of the 16th ACM conference on Computer and communications security (pp. 477-487). ACM.[43] Support vector machine (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Support_vector_machine[44] System call (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/System_call[45] Virtualization (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Virtualization[46] Wu, Y. S., Sun, P. K., Huang, C. C., Lu, S. J., Lai, S. F., & Chen, Y. Y. (2013, June). EagleEye: Towards mandatory security monitoring in virtualized datacenter environment. In Dependable Systems and Networks (DSN), 2013 43rd Annual IEEE/IFIP International Conference on (pp. 1-12). IEEE.[47] Yoo, I. (2004, October). Visualizing windows executable viruses using self-organizing maps. In Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security (pp. 82-89). ACM.[48] Yu, F., Huang, S. Y., Chiou, L. C., & Tsaih, R. H. (2013, August). Clustering iOS executable using self-organizing maps. In Neural Networks (IJCNN), The 2013 International Joint Conference on (pp. 1-8). IEEE. zh_TW