Detection of Co-resident Virtual Machines Using Network Traffic Patterns

James A Savage, Tennessee State University


Virtual machines provide an economical solution to the problem of underutilized computer hardware by abstracting and leveraging the resources of a physical host, enabling the host to efficiently run multiple virtual machine instances simultaneously. Such virtualization is the basis for cloud computing, in which many different types of computing machines can run economically in a highly virtualized environment. Two or more virtual machines are “co-resident” when they reside on the same physical host. Because cloud computing is becoming ubiquitous, co-residency represents a major security threat and a potential target for malicious attackers. A malicious agent that is able to discover a co-resident virtual machine may then be able to gain unauthorized access to the virtual machine and pilfer data.^ Only a few techniques are known to detect co-residency. This thesis will focus on one of these techniques, network traffic analysis, because it embodies a very simple principle that can potentially be exploited to detect co-residency. However, while common network protocols are generally invariant, network traffic is dynamic, varying in both time and packet volume, which makes analysis challenging. Further, capturing and parsing network traffic presents an additional challenge. This thesis seeks to address these challenges and develop a tool that models cloud network traffic and employs statistical analysis of network packet data to detect co-residency.^

Subject Area

Computer engineering|Information technology|Computer science

Recommended Citation

James A Savage, "Detection of Co-resident Virtual Machines Using Network Traffic Patterns" (2016). ETD Collection for Tennessee State University. Paper AAI10119068.