With the development of cloud computing, more and more enterprises and institutes have deployed important computing tasks and data into virtualization environments. Virtualization security has become very important for cloud computing. When an attacker controls a victim’s virtual machine, he (or she) may launch malware for malicious purpose in that virtual machine. To defend against malware attacks in the cloud, many virtualization-based approaches are proposed. However, the existing methods suffer from limitations in terms of transparency and performance cost. To address these issues, we propose MDCHD, a novel malware detection solution for virtualization environments. This method first utilizes the Intel Processor Trace (IPT) mechanism to collect the run-time control flow information of the target program. Then, it converts the control flow information into color images. By doing so, we can utilize a CNN-based deep learning method to identify malware from the images. To improve the performance of our detection mechanism, we leverage Lamport’s ring buffer algorithm. In this way, the control flow information collector and security checker can work concurrently. The evaluation shows that our approach can achieve acceptable detection accuracy with a minimal performance cost.

随着云计算的发展，越来越多的企业和机构将重要的计算任务和数据部署到虚拟化环境中。虚拟化安全对于云计算变得非常重要。当攻击者控制受害者的虚拟机时，他（或她）可能会在该虚拟机中出于恶意目的启动恶意软件。为了防御云中的恶意软件攻击，提出了许多基于虚拟化的方法。然而，现有方法在透明度和性能成本方面受到限制。为了解决这些问题，我们提出了 MDCHD，一种用于虚拟化环境的新型恶意软件检测解决方案。该方法首先利用英特尔处理器跟踪 (IPT) 机制来收集目标程序的运行时控制流信息。然后，它将控制流信息转换为彩色图像。通过这样做，我们可以利用基于 CNN 的深度学习方法从图像中识别恶意软件。为了提高我们检测机制的性能，我们利用了 Lamport 的环形缓冲区算法。这样，控制流信息收集器和安全检查器可以同时工作。评估表明，我们的方法可以以最小的性能成本实现可接受的检测精度。