Open AccessProceedings Article
A Virtual Machine Introspection Based Architecture for Intrusion Detection.
Tal Garfinkel,Mendel Rosenblum +1 more
Reads0
Chats0
TLDR
This paper presents an architecture that retains the visibility of a host-based IDS, but pulls the IDS outside of the host for greater attack resistance, achieved through the use of a virtual machine monitor.Abstract:
Today’s architectures for intrusion detection force the IDS designer to make a difficult choice If the IDS resides on the host, it has an excellent view of what is happening in that host’s software, but is highly susceptible to attack On the other hand, if the IDS resides in the network, it is more resistant to attack, but has a poor view of what is happening inside the host, making it more susceptible to evasion In this paper we present an architecture that retains the visibility of a host-based IDS, but pulls the IDS outside of the host for greater attack resistance We achieve this through the use of a virtual machine monitor Using this approach allows us to isolate the IDS from the monitored host but still retain excellent visibility into the host’s state The VMM also offers us the unique ability to completely mediate interactions between the host software and the underlying hardware We present a detailed study of our architecture, including Livewire, a prototype implementation We demonstrate Livewire by implementing a suite of simple intrusion detection policies and using them to detect real attacksread more
Citations
More filters
Journal ArticleDOI
Terra: a virtual machine-based platform for trusted computing
TL;DR: A flexible architecture for trusted computing, called Terra, that allows applications with a wide range of security requirements to run simultaneously on commodity hardware, is presented.
Journal ArticleDOI
Review: Intrusion detection system: A comprehensive review
TL;DR: Through the extensive survey and sophisticated organization, this work proposes the taxonomy to outline modern IDSs and tries to give a more elaborate image for a comprehensive review.
Journal ArticleDOI
A survey on automated dynamic malware-analysis techniques and tools
TL;DR: An overview of techniques based on dynamic analysis that are used to analyze potentially malicious samples and analysis programs that employ these techniques to assist human analysts in assessing whether a given sample deserves closer manual inspection due to its unknown malicious behavior is provided.
Journal ArticleDOI
Review: A survey of intrusion detection techniques in Cloud
TL;DR: This paper surveys different intrusions affecting availability, confidentiality and integrity of Cloud resources and services and recommends IDS/IPS positioning in Cloud environment to achieve desired security in the next generation networks.
Proceedings ArticleDOI
Countering code-injection attacks with instruction-set randomization
TL;DR: A new, general approach for safeguarding systems against any type of code-injection attack, by creating process-specific randomized instruction sets of the system executing potentially vulnerable software that can serve as a low-overhead protection mechanism, and can easily complement other mechanisms.
References
More filters
Proceedings Article
Bro: a system for detecting network intruders in real-time
TL;DR: Bro as mentioned in this paper is a stand-alone system for detecting network intruders in real-time by passively monitoring a network link over which the intruder's traffic transits, which emphasizes high-speed (FDDI-rate) monitoring, realtime notification, clear separation between mechanism and policy and extensibility.
Journal ArticleDOI
Bro: a system for detecting network intruders in real-time
Vern Paxson,Vern Paxson +1 more
TL;DR: An overview of the Bro system's design, which emphasizes high-speed (FDDI-rate) monitoring, real-time notification, clear separation between mechanism and policy, and extensibility, is given.
Journal ArticleDOI
Memory resource management in VMware ESX server
TL;DR: Several novel ESX Server mechanisms and policies for managing memory are introduced, including a ballooning technique that reclaims the pages considered least valuable by the operating system running in a virtual machine, and an idle memory tax that achieves efficient memory utilization.
Journal ArticleDOI
Intrusion detection using sequences of system calls
TL;DR: Evidence is given that short sequences of system calls executed by running processes are a good discriminator between normal and abnormal operating characteristics of several common UNIX programs.
Journal ArticleDOI
ReVirt: enabling intrusion analysis through virtual-machine logging and replay
TL;DR: ReVirt removes the dependency on the target operating system by moving it into a virtual machine and logging below the virtual machine, and enables it to provide arbitrarily detailed observations about what transpired on the system, even in the presence of non-deterministic attacks and executions.