A behavioral anomaly detection strategy based on time series process portraits for desktop virtualization systems

As the application of desktop virtualization systems (DVSs) continues to gain momentums, the security issue of DVSs becomes increasingly critical and is extensively studied. Unfortunately, the majority of current researches on DVSs only focuses on the virtual machines (VMs) on the servers, and overlooks to a large extent the security issue of the clients. In addition, traditional security techniques are not completely suitable for the DVSs’ particularly thin client environment. Towards finding a solution to these problems, we propose a novel behavioral anomaly detection method for DVS clients by creating and using process portraits. Based on the correlations between users, virtualized desktop processes (VDPs), and VMs in DVSs, this proposed method describes the process behaviors of clients by the CPU utilization rates of VMs located on the server, constructs process portraits for VDPs by hidden Markov models and by considering the user profiles, and detects anomalies of VDPs by contrasting VDPs’ behaviors against the constructed process portraits. Our experimental results show that the proposed method is effective and successful.