Qualification: 
Ph.D, M.Tech, BE
ma_ajaykumara@blr.amrita.edu

Dr. Ajay Kumara M. A. currently serves as Assistant Professor (Sr. Gr.) at the Department of Computer Science & Engineering, School of Engineering, Amrita Vishwa Vidyapeetham, Bengaluru campus. He obtained his Ph.D. in Virtualization and Cybersecurity from the National Institute of Technology Karnataka, Surathkal, Mangalore, Karnataka. He received his B.E. and M.Tech. in Computer Science and Engineering from Visvesvaraya Technological University, Karnataka.

His research interests include Virtualization Security, Cyber Security, Memory Forensics and Machine Learning. He conducted research on the detection and categorization of unknown malware using machine learning techniques at the hypervisor in a virtualized cloud computing environment. He has worked on open source virtualization projects such as the Xen Project and the KVM hypervisor. During his full-time research term he also developed novel prototypes, built on open source tools, in the areas of Virtual Machine Introspection, Memory Forensic Analysis, Dynamic Malware Analysis and hypervisor-based intrusion detection. His current research focuses on adapting popular machine learning and AI techniques, such as deep learning and recurrent neural networks, at the hypervisor level for the effective detection and analysis of unknown malware, zero-day exploits and advanced persistent threats in a cloud computing environment.

Education

  • 2012: M. Tech. in Computer Science Engineering
    Visvesvaraya Technological University, Karnataka
  • 2009: B. E. in Computer Science Engineering
    Visvesvaraya Technological University, Karnataka

Honors & Awards

  1. Best student research paper award at the TAFGEN-2015 International Conference hosted by the University of Technology Malaysia (UTM), Kuala Lumpur, Malaysia, in April 2015.
  2. Research travel grant award from ACM India to present a paper at the 21st ICPADS-2015 conference, jointly hosted by the University of Melbourne and RMIT University, Melbourne, Australia.

Professional Memberships

  • IEEE and ACM

Publications

Publication Type: Journal Article

2018

Journal Article

Ajay Kumara and Jaidhar, C. D., “Automated multi-level malware detection system based on reconstructed semantic view of executables using machine learning techniques at VMM”, Future Generation Computer Systems, vol. 79, pp. 431-446, 2018.


Abstract: In order to fulfill requirements such as stringent timing restraints and demand on resources, a Cyber-Physical System (CPS) must be deployed on a virtualized environment such as cloud computing. To protect the Virtual Machines (VMs) in which CPSs are functioning against malware-based attacks, malware detection and mitigation techniques are emerging as a highly crucial concern. Traditional VM-based anti-malware software is itself a potential target for malware-based attacks, since it is easily subverted by sophisticated malware. Thus, reliable and robust malware monitoring and detection systems are needed to rapidly detect and mitigate malware-based cyber-attacks in real time, particularly in virtualized environments. Virtual Machine Introspection (VMI) has emerged as a fine-grained out-of-VM security solution that detects malware by introspecting and reconstructing the volatile memory state of the live guest Operating System (OS) while functioning at the Virtual Machine Monitor (VMM) or hypervisor. However, the semantic details reconstructed by VMI are available at the hypervisor as a combination of benign and malicious states. To distinguish between these two states, existing out-of-VM security solutions require extensive manual analysis. To address this foremost issue, in this paper we propose an advanced VMM-based guest-assisted Automated Multilevel Malware Detection System (AMMDS) that leverages both VMI and Memory Forensic Analysis (MFA) techniques to predict early symptoms of malware execution by detecting stealthy hidden processes on a live guest OS. More specifically, the AMMDS detects and classifies the actual running malicious executables from the semantically reconstructed process view of the guest OS. The two sub-components of the AMMDS are the Online Malware Detector (OMD) and the Offline Malware Classifier (OFMC). The OMD recognizes whether the running processes are benign or malicious using its Local Malware Signature Database (LMSD) and an online malware scanner, and the OFMC classifies unknown malware by adopting machine learning techniques at the hypervisor. The AMMDS has been evaluated by executing a large collection of real-world malware and benign executables on live guest OSs. The evaluation achieved 100% accuracy and a zero False Positive Rate (FPR) under 10-fold cross-validation in classifying unknown malware, with a maximum performance overhead of 5.8%.


2017

Journal Article

Ajay Kumara and Jaidhar, C. D., “Leveraging virtual machine introspection with memory forensics to detect and characterize unknown malware using machine learning techniques at hypervisor”, Digital Investigation, 2017.


Abstract: Virtual Machine Introspection (VMI) has emerged as a fine-grained, out-of-VM security solution that detects malware by introspecting and reconstructing the volatile memory state of the live guest Operating System (OS). Specifically, it functions at the Virtual Machine Monitor (VMM), or hypervisor. The reconstructed semantic details obtained by VMI are available at the hypervisor as a combination of benign and malicious states. To distinguish between these two states, existing out-of-VM security solutions require extensive manual analysis. In this paper, we propose an advanced VMM-based, guest-assisted Automated Internal-and-External (A-IntExt) introspection system that leverages VMI, Memory Forensics Analysis (MFA) and machine learning techniques at the hypervisor. Further, we use the VMI-based technique to introspect digital artifacts of the live guest OS to obtain a semantic view of process details. We implemented an Intelligent Cross View Analyzer (ICVA) and integrated it into our proposed A-IntExt system; it examines the data supplied by VMI to detect hidden, dead and dubious processes, while also predicting early symptoms of malware execution on the introspected guest OS in a timely manner. Machine learning techniques are used to analyze the executables that are mined and extracted using MFA-based techniques and to ascertain the malicious ones. The practicality of the A-IntExt system is evaluated by executing a large collection of real-world malware and benign executables on live guest OSs. The evaluation achieved 99.55% accuracy and a 0.004 False Positive Rate (FPR) under 10-fold cross-validation in detecting unknown malware on the generated dataset. Additionally, the proposed system was validated against other benchmark malware datasets, and the A-IntExt system outperforms existing approaches in detecting real-world malware at the VMM, with performance exceeding 6.3%.


Publication Type: Conference Paper

2017

Conference Paper

S. L. S. Darshan, Ajay Kumara, and Jaidhar, C. D., “Information gain score computation for N-grams using multiprocessing model”, in 2017 ISEA Asia Security and Privacy (ISEASP), 2017.


Abstract: Currently, the Internet faces a serious threat from malware, whose propagation may cause great havoc on computers and network security solutions. Several existing anti-malware defensive solutions detect known malware accurately. However, they fail to recognize unseen malware, since most of them rely on signature-based techniques, which are easily evaded using obfuscation or polymorphism. Therefore, there is an immediate requirement for new techniques that can detect and classify new malware. In this context, heuristic analysis is found to be promising, since it is capable of detecting unknown malware and new variants of current malware. The N-Gram extraction technique is one such heuristic method commonly used in malware detection. Previous works have observed that shorter N-Grams are easier to extract. In order to identify and remove noisy N-Grams, a popular Feature Selection Technique (FST), namely Information Gain (IG), which computes a score for each N-Gram (feature) in the dataset, has been used in this work. N-Grams with the highest IG score are considered the best features, while the remaining N-Grams are discarded. The IG-FST (Information Gain Feature Selection Technique) is computationally demanding and takes considerable time to generate IG scores for larger N-Gram datasets if the processing is done sequentially. To address this issue, the present work presents a multiprocessing model that computes IG scores rapidly for larger N-Gram datasets. The proposed model has been designed, implemented and compared with the sequential mode of IG score computation. The experimental results demonstrate that the proposed multiprocessing model is 80% faster than the sequential model of IG score computation.


2016

Conference Paper

Ajay Kumara and Jaidhar, C. D., “VMI Based Automated Real-Time Malware Detector for Virtualized Cloud Environment”, in Security, Privacy, and Applied Cryptography Engineering: 6th International Conference, SPACE 2016, Hyderabad, India, December 14-18, 2016, Proceedings, Cham, 2016.


Abstract: Virtual Machine Introspection (VMI) has evolved as a promising future security solution that performs an indirect investigation of an untrustworthy Guest Virtual Machine (GVM) in real time by operating at the hypervisor in a virtualized cloud environment. Existing VMI techniques are not intelligent enough to read precisely the manipulated semantic information in their reconstructed high-level semantic view of the live GVM. In this paper, a VMI-based Automated-Internal-External (A-IntExt) system is presented that seamlessly introspects the internal semantic view (i.e. processes) of an untrustworthy Windows GVM to detect hidden, dead and malicious processes. Further, it checks whether the detected hidden processes, as well as the running (not hidden) processes, are benign or malicious. The prime component of A-IntExt is the Intelligent Cross-View Analyzer (ICVA), which is responsible for detecting hidden-state information from the internally and externally gathered state information of the Monitored Virtual Machine ($M_{ed-VM}$). A-IntExt is designed, implemented and evaluated using publicly available malware and real-world Windows rootkits to measure detection proficiency as well as execution speed. The experimental results demonstrate that A-IntExt is effective in rapidly detecting malicious and hidden-state information, with a maximum performance overhead of 7.2%.


2016

Conference Paper

Ajay Kumara, S. L. S. Darshan, and , “Windows Malware Detection Based on Cuckoo Sandbox Generated Report Using Machine Learning Algorithm”, in 11th International Conference on Industrial and Information Systems (ICIIS), IIT Roorkee, India, 2016.

2015

Conference Paper

Ajay Kumara and Jaidhar, C. D., “Execution Time Measurement of Virtual Machine Volatile Artifacts Analyzers”, in 2015 IEEE 21st International Conference on Parallel and Distributed Systems (ICPADS), 2015.


Abstract: Due to the rapid revolution in virtualization environments, Virtual Machines (VMs) are a target point for an attacker seeking privileged access to the virtual infrastructure. Advanced Persistent Threats (APTs) such as malware, rootkits, spyware, etc. are potent enough to bypass the existing defense mechanisms designed for VMs. To address this issue, Virtual Machine Introspection (VMI) emerged as a promising approach that monitors the run state of a VM externally from the hypervisor. However, the limitation of VMI lies in the semantic gap. An open source tool called LibVMI addresses the semantic gap. A Memory Forensic Analysis (MFA) tool such as Volatility can also be used to address the semantic gap, but it needs a captured memory dump (RAM) as input. Memory dump acquisition time and analysis time are highly crucial if an Intrusion Detection System (IDS) depends on the data supplied by the MFA or VMI tool. In this work, the live virtual machine RAM dump acquisition time of LibVMI is measured. In addition, the time Volatility takes to analyze the captured memory dump is measured and compared with another memory analyzer, Rekall. It is observed through experimental results that Rekall takes more execution time than Volatility for most of the plugins. Further, Volatility and Rekall are compared with LibVMI. It is noticed that examining volatile data through LibVMI is faster, as it eliminates the memory dump acquisition time.


2015

Conference Paper

Ajay Kumara and Jaidhar, C. D., “Hypervisor and Virtual Machine Dependent Intrusion Detection and Prevention System for Virtualized Cloud Environment”, in 2015 1st International Conference on Telematics and Future Generation Networks (TAFGEN), 2015.


Abstract: Cloud Computing, enabled by virtualization technology, represents a revolutionary change in IT infrastructure. The hypervisor is a pillar of virtualization and allows resources to be shared among virtual machines. Vulnerabilities present in a virtual machine are leveraged by an attacker to launch advanced persistent attacks such as stealthy rootkits, Trojans, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, etc. Virtual machines are a prime target for a malignant cloud user or an attacker to launch attacks from, as they are easily available for rent from a Cloud Service Provider (CSP). Attacks on a virtual machine can disrupt the normal operation of the cloud infrastructure. In order to secure the virtual environment, a defence mechanism is highly imperative at each virtual machine to identify attacks occurring on it in a timely manner. This work proposes an In-and-Out-of-the-Box Virtual Machine and Hypervisor based Intrusion Detection and Prevention System for virtualized environments that ensures a robust state of the virtual machine by detecting and then eradicating rootkits as well as other attacks. We conducted experiments using the popular open source Host based Intrusion Detection System (HIDS) called Open Source SECurity Event Correlator (OSSEC). Both Linux and Windows based rootkits, a DoS attack and file integrity verification tests were conducted, and they were successfully detected by OSSEC.


2015

Conference Paper

Ajay Kumara and Jaidhar, C. D., “Virtual machine introspection based spurious process detection in virtualized cloud computing environment”, in 2015 International Conference on Futuristic Trends on Computational Analysis and Knowledge Management (ABLAZE), 2015.


Abstract: Virtual machines are a prime target for an adversary to take control of by exploiting identified vulnerabilities present in them. Due to the increasing number of Advanced Persistent Attacks such as malware, rootkits, spyware, etc., virtual machine protection is a highly challenging task. The key element of an Advanced Persistent Threat is the rootkit, which provides stealthy control of the underlying Operating System (kernel). Protecting each individual guest operating system using antivirus and commercial security defense mechanisms is cost effective and ineffective for virtualized environments. To solve this problem, Virtual Machine Introspection has emerged as one of the promising approaches to secure the state of a virtual machine. Virtual Machine Introspection inspects the state of multiple virtual machines by operating outside the virtual machine, i.e. at the hypervisor level. In this work, a Virtual Machine Introspection based malicious process detection approach is proposed. It extracts high-level information such as system call details and open known backdoor ports from the introspected memory to identify spurious processes, and triggers an alert in response to a detected intrusion.


2015

Conference Paper

K. J. Chabathula, Jaidhar, C. D., and Ajay Kumara, “Comparative study of Principal Component Analysis based Intrusion Detection approach using machine learning algorithms”, in 2015 3rd International Conference on Signal Processing, Communication and Networking (ICSCN), 2015.


Abstract: This paper surveys the variegated machine learning techniques adopted so far for identifying different network attacks and suggests a preferable Intrusion Detection System (IDS) for the available system resources while optimizing speed and accuracy. With the booming number of intruders and hackers in today's vast and sophisticated computerized world, it is unceasingly challenging to identify unknown attacks in reasonable time with no false positives and no false negatives. Principal Component Analysis (PCA) curtails the amount of data to be compared by reducing its dimensions prior to classification, which results in a reduction of detection time. In this paper, PCA is adopted to reduce a higher-dimension dataset to a lower-dimension dataset. This is accomplished by converting network packet header fields into a vector and then applying PCA over the high-dimensional dataset to reduce its dimension. The reduced-dimension dataset is tested with Support Vector Machines (SVM), K-Nearest Neighbors (KNN), the J48 tree algorithm, the Random Forest tree classification algorithm, the AdaBoost algorithm, the Nearest Neighbors Generalized Exemplars algorithm, the Naive Bayes probabilistic classifier and the Voting Feature Intervals classification algorithm. The obtained results demonstrate detection accuracy and computational efficiency with minimal false alarms and low system resource utilization. Experimental results are compared with respect to detection rate and detection time, and it is found that tree classification algorithms achieved superior results over the other algorithms. The whole experiment is conducted using the KDD99 dataset.
