Protecting host-based intrusion detectors through virtual machines

Intrusion detection systems continuously watch the activity on a network or host, looking for evidence of attacks and intrusions. Host-based intrusion detectors, however, are particularly exposed: because they run on the very system they monitor, an intruder who has compromised that system with sufficient privilege can disable or tamper with them. This work proposes and implements an architecture model designed to protect host-based intrusion detectors by applying the virtual machine concept. Virtual machine environments are becoming an attractive alternative for many computing systems because of their advantages in cost and portability. The architecture proposed here uses the separation of execution spaces provided by a virtual machine monitor to isolate the intrusion detection system from the system under monitoring. As a consequence, the intrusion detector becomes invisible to and inaccessible from the monitored system, and therefore to intruders who have compromised it. The prototype implementation and the tests performed show the viability of this solution.
