• DocumentCode
    3366605
  • Title
    Building Trustworthy Intrusion Detection through VM Introspection
  • Author
    Baiardi, Fabrizio ; Sgandurra, Daniele
  • Author_Institution
    Univ. di Pisa, Pisa
  • fYear
    2007
  • fDate
    29-31 Aug. 2007
  • Firstpage
    209
  • Lastpage
    214
  • Abstract
    Psyco-Virt is a high-assurance intrusion detection tool that merges host and network intrusion detection technologies with virtual machine introspection. The Psyco-Virt architecture includes a cluster of virtual machines, the monitored VMs, which run the OS and applications of interest, and a further VM, the introspection VM. Several agents distributed across the monitored VMs execute network and host IDS tools to discover attempted intrusions or attacks on the monitored VMs. The introspection VM makes the detection tools trustworthy by running an introspector and a director that discover any attempt to maliciously modify the kernel, the agents or the IDSes hosted on a monitored VM. On each monitored VM a collector gathers the alerts generated by the agents and forwards them to the director through a control network dedicated to data exchange between the agents and the introspection VM. The director on the introspection VM filters all the alerts and delegates the execution of a proper action to a notifier whenever an intrusion or an attempt to modify the IDSes is detected. In such cases, a monitored VM can either be stopped or frozen and its current state saved to a file for a later, deeper inspection. After describing Psyco-Virt, we discuss some examples of agents and functions that use introspection and present preliminary results and performance figures of a first prototype.
  • Keywords
    security of data; virtual machines; Psyco-Virt architecture; data exchange; high assurance intrusion detection tool; network intrusion detection technologies; trustworthy intrusion detection; virtual machine introspection; Buildings; Condition monitoring; Filters; Inspection; Intrusion detection; Kernel; Virtual machine monitors; Virtual machining; Virtual manufacturing; Voice mail; integrity; introspection; intrusion detection; network security; system; virtual machines;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Information Assurance and Security, 2007. IAS 2007. Third International Symposium on
  • Conference_Location
    Manchester
  • Print_ISBN
    0-7695-2876-7
  • Electronic_ISBN
    978-0-7695-2876-2
  • Type
    conf
  • DOI
    10.1109/IAS.2007.36
  • Filename
    4299776