Virtual machine monitor-based lightweight intrusion detection

Abstract

As virtualization technology gains in popularity, so do attempts to compromise the security and integrity of virtualized computing resources. Anti-virus software and firewall programs are typically deployed in the guest virtual machine to detect malicious software. These security measures are effective in detecting known malware, but do little to protect against new variants of intrusions. Intrusion detection systems (IDSs) can be used to detect malicious behavior. Most intrusion detection systems for virtual execution environments track behavior at the application or operating system level, using virtualization as a means to isolate themselves from a compromised virtual machine. In this paper, we present a novel approach to intrusion detection of virtual server environments which utilizes only information available from the perspective of the virtual machine monitor (VMM). Such an IDS can harness the ability of the VMM to isolate and manage several virtual machines (VMs), making it possible to provide monitoring of intrusions at a common level across VMs. It also offers unique advantages over recent advances in intrusion detection for virtual machine environments. By working purely at the VMM-level, the IDS does not depend on structures or abstractions visible to the OS (e.g., file systems), which are susceptible to attacks and can be modified by malware to contain corrupted information (e.g., the Windows registry). In addition, being situated within the VMM provides ease of deployment as the IDS is not tied to a specific OS and can be deployed transparently below different operating systems. Due to the semantic gap between the information available to the VMM and the actual application behavior, we employ the power of data mining techniques to extract useful nuggets of knowledge from the raw, low-level architectural data. We show in this paper that by working entirely at the VMM-level, we are able to capture enough information to characterize normal executions and identify the presence of abnormal malicious behavior. Our experiments on over 300 real-world malware and exploits illustrate that there is sufficient information embedded within the VMM-level data to allow accurate detection of malicious attacks, with an acceptable false alarm rate.