UNOBSERVABLE INTRUSION DETECTION BASED ON CALL TRACES IN PARAVIRTUALIZED SYSTEMS
Carlo Maiero, Marino Miculan
2011
Abstract
We present a non-invasive system for intrusion and anomaly detection, based on system call tracing in paravirtualized machines over Xen. System calls from guest user programs and operating systems are intercepted stealthy within Xen hypervisor, and passed to a detection system running in Dom0 via a suitable communication channel. Guest applications and machines are left unchanged, and an intruder on the virtual machine cannot tell whether the system is under inspection or not. As for the detection algorithm, we present and study a variant of Stide, which we verify experimentally to have a good performance on intrusion detection with an acceptable overhead—in fact, online real-time intrusion detection feasible. However, since the interception mechanism is kept separated from the detection system, the latter can be replaced according to further needs.
DownloadPaper Citation
in Harvard Style
Maiero C. and Miculan M. (2011). UNOBSERVABLE INTRUSION DETECTION BASED ON CALL TRACES IN PARAVIRTUALIZED SYSTEMS . In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2011) ISBN 978-989-8425-71-3, pages 300-306. DOI: 10.5220/0003521003000306
in Bibtex Style
@conference{secrypt11,
author={Carlo Maiero and Marino Miculan},
title={UNOBSERVABLE INTRUSION DETECTION BASED ON CALL TRACES IN PARAVIRTUALIZED SYSTEMS},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2011)},
year={2011},
pages={300-306},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0003521003000306},
isbn={978-989-8425-71-3},
}
in EndNote Style
TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2011)
TI - UNOBSERVABLE INTRUSION DETECTION BASED ON CALL TRACES IN PARAVIRTUALIZED SYSTEMS
SN - 978-989-8425-71-3
AU - Maiero C.
AU - Miculan M.
PY - 2011
SP - 300
EP - 306
DO - 10.5220/0003521003000306