3rd International ICST Symposium on Information Assurance and Security

Research Article

Building Trustworthy Intrusion Detection through VM Introspection

Cite
  • @INPROCEEDINGS{10.1109/IAS.2007.36,
        author={Fabrizio Baiardi and Daniele Sgandurra},
        title={Building Trustworthy Intrusion Detection through VM Introspection},
        proceedings={3rd International ICST Symposium on Information Assurance and Security},
        publisher={IEEE},
        proceedings_a={IAS},
        year={2007},
        month={9},
        keywords={integrity, introspection, intrusion detection, network security, system, virtual machines},
        doi={10.1109/IAS.2007.36}
    }
    
  • Fabrizio Baiardi
    Daniele Sgandurra
    Year: 2007
    Building Trustworthy Intrusion Detection through VM Introspection
    IAS
    IEEE
    DOI: 10.1109/IAS.2007.36
Fabrizio Baiardi (1,*), Daniele Sgandurra (2,*)
  • 1: Polo G. Marconi La Spezia, Università di Pisa
  • 2: Dipartimento di Informatica, Università di Pisa
*Contact email: baiardi@di.unipi.it, daniele@di.unipi.it

Abstract

Psyco-Virt is a high-assurance intrusion detection tool that merges host and network intrusion detection technologies with virtual machine introspection. The Psyco-Virt architecture includes a cluster of virtual machines, the monitored VMs, which run the OS and applications of interest, and a further VM, the introspection VM. Several agents distributed across the monitored VMs execute network and host IDS tools to discover attempted intrusions/attacks on the monitored VMs. The introspection VM makes the detection tools trustworthy by running an introspector and a director to discover any attempt to maliciously modify the kernel, the agents and the IDSes hosted on a monitored VM. On each monitored VM, a collector gathers the alerts generated by the agents and forwards them to the director through a control network dedicated to data exchange among the agents and the introspection VM. The director on the introspection VM filters all the alerts and delegates the execution of a proper action to a notifier whenever an intrusion or an attempt to modify the IDSes is detected. In such cases, a monitored VM can either be stopped or frozen and its current state saved in a file for a later, deeper inspection. After describing Psyco-Virt, we discuss some examples of agents and functions using introspection and present preliminary results and performance figures of a first prototype.

Keywords
integrity, introspection, intrusion detection, network security, system, virtual machines
Published
2007-09-10
Publisher
IEEE
Modified
2011-08-02
http://dx.doi.org/10.1109/IAS.2007.36
Copyright © 2007–2025 IEEE