Efficient virtualization-based approach to improve system availability
LI Jinjin, JIA Xiaoqi, DU Haichao, WANG Lipeng
Journal of Computer Applications    2017, 37 (4): 986-992.   DOI: 10.11772/j.issn.1001-9081.2017.04.0986
When security tools raise an alert, a safety-critical system is paused, inspected and resumed, and the delay between the occurrence and the discovery of a false alarm (false positive or false negative) affects the availability of the guest Operating System (OS). To address this problem, a scheme based on virtualization was proposed. When a false alarm occurred, the operations of the suspicious application were quarantined correctly to avoid substantial system-wide damage. The operations of the suspicious application were then logged, and application inter-dependency information was generated from its interactions with other applications. Once the false alarm was confirmed, measures such as resuming the application's operations and killing the relevant applications were taken according to the operation logs and inter-dependency information, so that the guest OS could quickly reach the correct operating status. The experimental results show that the scheme can reduce the overhead caused by rollback and recovery when a false alarm occurs. Compared with the situation without the proposed scheme, the overhead of handling a false alarm is reduced by 20%-50%. The proposed scheme can effectively reduce the effect of false alarms on the availability of clients, and can be applied to cloud platforms that provide services to safety-critical clients.
Diversified malware detection framework toward cloud platform
GAO Chao, ZHENG Xiaomei, JIA Xiaoqi
Journal of Computer Applications    2016, 36 (7): 1811-1815.   DOI: 10.11772/j.issn.1001-9081.2016.07.1811
In recent years, physical and virtual machines have been heavily threatened by malware. Deploying traditional detection tools such as anti-virus software and firewalls on an Infrastructure as a Service (IaaS) cloud faces the following problems: 1) detection tools may be damaged or shut down by malware; 2) the detection rate of a single tool is insufficient; 3) detection tools are easily bypassed; 4) it is difficult to deploy additional software in each virtual machine. A diversified malware detection framework was proposed to overcome these shortcomings. The framework first leveraged virtualization technology to intercept specific behaviors of virtual machines. Code was then extracted dynamically from the virtual machines' memory. Finally, several anti-virus products were used to jointly determine whether the extracted code was malicious. The extraction and judgment processes were completely transparent to the virtual machines. A prototype was implemented on the Xen hypervisor and evaluated experimentally. The prototype has a malware detection rate of 85.7%, which is 14.3 percentage points higher than static anti-virus software. The experimental results show that the diversified malware detection framework on a cloud platform can provide more effective protection for the security of virtual machines.
Cross-site scripting detection in online social network based on classifiers and improved n-gram model
LI Ruilei WANG Rui JIA Xiaoqi
Journal of Computer Applications    2014, 34 (6): 1661-1665.   DOI: 10.11772/j.issn.1001-9081.2014.06.1661

To address the threat of Cross-Site Scripting (XSS) attacks in Online Social Networks (OSN), an approach combining classifiers with an improved n-gram model was proposed to detect malicious OSN webpages infected with XSS code. First, similarity-based features and difference-based features were extracted to build the classifiers and the improved n-gram model. The classifiers and the model were then combined to detect malicious webpages in OSN. The experimental results show that, compared with traditional classifier-based detection methods, the proposed approach is more effective, with a false positive rate of about 5%.
