A novel covert channel detection method in cloud based on XSRM and improved event association algorithm

Covert channel is a major threat to the information system security and commonly found in operating systems, especially in cloud computing environment. Owing to the characteristics in cloud computing environment such as resources sharing and logic boundaries, covert channels become more varied and difficult to find. Focusing on those problems, this paper presents a universal method for detecting covert channel automatically. To achieve a global detection, we leveraged a VM event record mechanism in Hypervisor to gather necessary metadata. Combining the shared resources matrix methodology with events association mechanism, we proposed a distinctive algorithm which can accurately locate and analyze malicious covert channels from the respect of behaviors. Compared to the popular statistical test methods focusing on the single covert channel, our method is capable of recognizing and detecting more covert channels in real time. Experimental results show that this method is not only able to detect multi-level and multiform covert channels in cloud environment effectively, but also facilitates the implementation and deployment in practical scenarios without modifying the existing system.