Virtualization technologies have driven rapid growth in virtual or “cloud-based” systems, which may provide various public (or private) functions and services. Provider networks offer customers the opportunity to utilize virtualized computing resources on demand. Consumers of virtualized computing resources and storage, such as those offered by provider networks, can flexibly structure their computing and storage costs in response to immediately perceived computing and storage needs. For instance, virtualization allows customers of a provider network to purchase processor cycles and storage at the time of demand, rather than buying or leasing fixed hardware in provisioning cycles that are dictated by the delays and costs of manufacture and deployment of hardware. This lessens the need to accurately predict future demand as customers are able to purchase the use of computing and storage resources on a relatively instantaneous as-needed basis.
Virtualized computing resources allow customers of a provider network to implement custom or off-the-shelf software running on virtualization hosts, giving customers both the control of and responsibility for the behavior of virtual computing resources. As with other types of systems, virtual computing resources may become compromised with malicious software. Whether it is deployed with ill intent or runs on a resource that is itself the victim of a compromise, malicious software operating in a virtual computing resource of a provider network can be detrimental to the operation of the provider network and the experience of customers utilizing the provider network. For example, malicious network traffic may be generated, sent, and/or received by virtual computing resources compromised with malicious software, impacting network communications amongst other systems or resources within a provider network, or other systems external to the provider network (e.g., systems available over a public network, such as the Internet). Efforts to identify malicious behavior amongst virtual computing resources are challenging as large provider networks host thousands of different resources for thousands of different customers. Moreover, provider networks may provide confidentiality guarantees to customers for data utilized by virtualized computing resources, which may limit the effectiveness of malicious software detection techniques.
While embodiments are described herein by way of example for several embodiments and illustrative drawings, those skilled in the art will recognize that the embodiments are not limited to the embodiments or drawings described. It should be understood that the drawings and detailed description thereto are not intended to limit embodiments to the particular form disclosed, but on the contrary, the intention is to cover all modifications, equivalents and alternatives falling within the spirit and scope as defined by the appended claims. The headings used herein are for organizational purposes only and are not meant to be used to limit the scope of the description or the claims. As used throughout this application, the word “may” is used in a permissive sense (i.e., meaning having the potential to), rather than the mandatory sense (i.e., meaning must). Similarly, the words “include”, “including”, and “includes” mean including, but not limited to.