A novel covert channel detection method in cloud based on XSRM and improved event association algorithm

Covert channel is a major threat to the information system security and commonly found in operating systems, especially in cloud computing environment. Owing to the characteristics in cloud computing environment such as resources sharing and logic boundaries, covert channels become more varied and difficult to find. Focusing on those problems, this paper presents a universal method for detecting covert channel automatically. To achieve a global detection, we leveraged a virtual machine event record mechanism in hypervisor to gather necessary metadata. Combining the shared resources matrix methodology with events association mechanism, we proposed a distinctive algorithm that can accurately locate and analyze malicious covert channels from the respect of behaviors. Compared with the popular statistical test methods focusing on the single covert channel, our method is capable of recognizing and detecting more covert channels in real time. Experimental results show that this method is not only able to detect multilevel and multiform covert channels in cloud environment effectively but also facilitates the implementation and deployment in practical scenarios without modifying the existing system. Copyright (C) 2016 John Wiley & Sons, Ltd.