Combined side-channels malware detection for NFV infrastructure

Network Function Virtualization (NFV) is an emerging approach gaining popularity among network providers. Nowadays, NFV infrastructure platforms are, predominantly based on x86 architecture CPUs. However, vulnerabilities of the CPU architecture may allow an attacker to obtain root privileges and to plant malware. Among such malware is crypto mining, which is hardly detectable either by malware scanner or by a firewall. In this paper we investigate the applicability of side-channels Key Performance Indicators (KPIs) for malware detection. We propose detecting the abnormal behavior using Machine Learning tools. Upon analyzing different side-channel technologies, we suggest using a combination of CPU performance KPIs with KPIs for the forwarding latency of NFV applications as an input to a Neural Network model. The model shall be trained in advance using two data sets: one set representing a clean system and the second set a compromised system (containing planted crypto-mining malware). The proposed approach would allow us to detect abnormal behavior caused by activation of the malware.