Integrity Based Intrusion Detection System for Enterprise and Cloud Environments
Virtualization decouples software from hardware, allowing multiple operating systems to execute safely and simultaneously on a single machine. This brings many benefits, including server consolidation, fault tolerance, and intrusion isolation. Although each virtual machine (VM) is isolated, an intrusion may give attackers access to sensitive information located on shared storage. A kernel-level rootkit may be used to obtain continuous privileged access to the compromised VM, because it runs at an escalated privilege level and is difficult to detect. This paper presents the design and evaluation of the virtual system-level lightweight integrity monitor (vSLIM). vSLIM is an intrusion detection system (IDS) capable of detecting kernel-level rootkits and adapting to kernel updates. Our evaluation shows that vSLIM detects many known rootkits with minimal overhead.