Elsevier

Computer Networks

Volume 51, Issue 5, 11 April 2007, Pages 1275-1283

Protecting host-based intrusion detectors through virtual machines

https://doi.org/10.1016/j.comnet.2006.09.007

Abstract

Intrusion detection systems continuously watch the activity on a network or computer, looking for evidence of attacks and intrusions. Host-based intrusion detectors, however, are particularly vulnerable, since a successful intruder can disable or tamper with them. This work proposes and implements an architecture model aimed at protecting host-based intrusion detectors through the application of the virtual machine concept. Virtual machine environments are becoming an interesting alternative for several computing systems due to their advantages in terms of cost and portability. The architecture proposed here makes use of the separation of execution spaces provided by a virtual machine monitor in order to separate the intrusion detection system from the system under monitoring. As a consequence, the intrusion detector becomes invisible and inaccessible to intruders. The prototype implementation and the tests performed show the viability of this solution.

Introduction

Several tools contribute to improving the security of a computing system. Among them, intrusion detection systems (IDS) stand out. Such systems continuously watch the system activity, looking for evidence of attacks and intrusions. Network-based intrusion detectors scan data collected from the network to detect malicious activity, and can be installed on dedicated, well-protected machines. Host-based intrusion detectors, on the other hand, analyze local data collected from the monitored hosts. Because they run as processes in the monitored system, they are particularly vulnerable to successful intruders: once an intruder has entered the system, it is able to defeat or modify the intrusion detector in order to hide its presence.

Virtual machines can be used to improve the security of a computing system against attacks on its services [6]. The virtual machine concept was defined in the 1960s: in the IBM VM/370 environment, virtual machines were used to create an exclusive environment for each user [12]. The use of virtual machines is also becoming interesting in modern computing systems due to their advantages in terms of cost and portability [5]. Examples of currently used virtual machine environments are VMware [26] and UML – User-Mode Linux [7]. A frequent use of virtual machine-based systems is the so-called server consolidation: instead of several physical machines, one uses a single (and more powerful) machine, in which several distinct, isolated virtual machines host distinct operating systems, applications, and services.

This work proposes and implements an architecture model aimed at protecting host-based intrusion detectors through the application of the virtual machine concept. The architecture proposed here makes use of the separation of execution spaces provided by a virtual machine monitor in order to separate the intrusion detection system from the system under monitoring. This separation protects the intrusion detector, which becomes invisible and inaccessible to guest processes (and therefore to any intruder in the guest). Through modifications to the virtual machine monitor, it is possible to transparently collect detailed information about the activity of the guest operating system. This data is then sent to an external intrusion detector running on the underlying host operating system. By comparing it against a behavior database generated from previous executions, the intrusion detector can look for behavior deviations in guest processes. If an intrusion is suspected, a response system can act in order to prevent or defeat it; this is easily implemented by intercepting the system calls issued by guest processes.
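The detection and response loop described above, as an added example that is not code from the paper or its UML prototype. The modified monitor is simulated by constructed trace lines in an assumed "<guest_pid> <program> <syscall>" format; the behavior database holds fixed-length windows of consecutive system calls per program, in the style of the sequence-of-system-calls detectors cited by the paper (window length and anomaly threshold are assumed tuning values); the response step only names the guest pids whose further system calls a monitor-level interceptor should refuse.

```python
"""Host-side behaviour database and deviation scoring for guest processes.

Added example, not the paper's code. Assumed event format exported by the
modified VMM to the host IDS: one line per guest system call,
"<guest_pid> <program> <syscall>".
"""
from collections import defaultdict

WINDOW = 3        # length of the syscall windows stored per program (assumption)
THRESHOLD = 0.2   # fraction of unseen windows above which a process is flagged (assumption)


def _stream(pid, program, calls):
    """Render one guest process's syscalls in the assumed monitor line format."""
    return [f"{pid} {program} {c}" for c in calls.split()]


def _interleave(*streams):
    """Round-robin merge of per-process event lists, as the monitor would deliver them."""
    out = []
    for i in range(max(map(len, streams))):
        out.extend(s[i] for s in streams if i < len(s))
    return "\n".join(out) + "\n"


# Constructed training trace: two known-good runs of `ls` recorded from the guest.
TRAINING_TRACE = _interleave(
    _stream(101, "ls", "execve brk mmap open fstat mmap close open getdents write close exit"),
    _stream(102, "ls", "execve brk mmap open fstat mmap close open getdents getdents write close exit"),
)

# Constructed live trace: a normal `ls`, an `ls` replaced by a rootkit that opens a
# socket and phones home before listing, and a program with no training profile.
LIVE_TRACE = _interleave(
    _stream(201, "ls", "execve brk mmap open fstat mmap close open getdents write close exit"),
    _stream(202, "ls", "execve brk mmap open fstat mmap close socket connect write close open getdents write close exit"),
    _stream(203, "nc", "socket connect write"),
)


def parse_trace(text):
    """Group monitor events into per-process syscall sequences: pid -> (program, [syscalls])."""
    seqs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        pid, program, syscall = line.split()
        seqs.setdefault(int(pid), (program, []))[1].append(syscall)
    return seqs


def windows(seq, n=WINDOW):
    """All length-n windows of consecutive system calls in seq."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def build_database(training_text, n=WINDOW):
    """Behaviour database: program name -> set of windows seen in previous executions."""
    db = defaultdict(set)
    for program, seq in parse_trace(training_text).values():
        db[program].update(windows(seq, n))
    return dict(db)


def score_sequence(profile, seq, n=WINDOW):
    """Return (windows not in profile, total windows) for one process."""
    wins = windows(seq, n)
    return sum(w not in profile for w in wins), len(wins)


def classify(db, live_text, n=WINDOW, threshold=THRESHOLD):
    """Map each live guest pid to a verdict: normal, anomalous, no-profile or too-short."""
    verdicts = {}
    for pid, (program, seq) in parse_trace(live_text).items():
        entry = {"program": program, "unknown": None, "total": None, "rate": None}
        if program not in db:
            entry["verdict"] = "no-profile"      # never trained: cannot score, report it
        else:
            unknown, total = score_sequence(db[program], seq, n)
            entry.update(unknown=unknown, total=total)
            if total == 0:
                entry["verdict"] = "too-short"   # fewer than n calls: nothing to compare
            else:
                entry["rate"] = unknown / total
                entry["verdict"] = "anomalous" if entry["rate"] > threshold else "normal"
        verdicts[pid] = entry
    return verdicts


def response_actions(verdicts):
    """Guest pids whose further system calls the VMM-level interceptor should deny."""
    return sorted(pid for pid, v in verdicts.items() if v["verdict"] == "anomalous")


if __name__ == "__main__":
    database = build_database(TRAINING_TRACE)
    results = classify(database, LIVE_TRACE)
    for pid in sorted(results):
        print(pid, results[pid])
    print("block:", response_actions(results))
```

In the architecture of the paper, both traces would arrive over the same channel from the modified monitor, the first during known-good runs and the second during operation; a process whose program has no profile is reported rather than silently passed, and the window length and threshold trade false positives against the chance that a short detour in the syscall stream goes unnoticed.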

This article is structured as follows: Section 2 recalls some virtual machine concepts used in this work, Section 3 reviews intrusion detection techniques, Section 4 details the proposal, Section 5 describes the current implementation, Section 6 presents experimental results, and Section 7 discusses related work.

Virtual machines

A virtual machine (VM) is defined in Popek and Goldberg [20] as an efficient and isolated duplicate of a real machine. Typical uses for virtual machine systems include the development and testing of new operating systems, simultaneously running distinct operating systems on the same hardware, and server consolidation [24].

A virtual machine environment is created by a Virtual Machine Monitor (VM Monitor or VMM), also called an “operating system for operating systems” [14]. The monitor creates

Intrusion detection

An Intrusion Detection System (IDS) continuously collects and analyzes data from a computing system, aiming to detect intrusive actions. With respect to the origin of the analyzed data, there are two main approaches to intrusion detection [1]: network-based IDS (NIDS), which watch the network traffic flowing through the systems to be monitored, and host-based IDS (HIDS), which watch local activity on a host, such as processes, network connections, system calls, log files,

Protecting intrusion detectors through virtual machines

As previously shown, host-based IDSs are vulnerable to local attacks, since the intruder can disable or tamper with them. The use of virtual machines provides a solution to this problem. The proposal presented here allows building more reliable host-based intrusion detection systems.

The proposal’s main idea is to encapsulate the system to monitor inside a virtual machine, which is monitored from outside (the host system). The intrusion detection and response mechanisms are implemented outside the

Current implementation

A prototype was implemented on a Linux platform, using the User-Mode Linux (UML) virtual machine monitor [7]. UML implements a type II monitor, which allows running Linux guest systems on top of a Linux host. It should be noted that UML performance is worse than that of commercial products like VMware [26], but it is open source. The UML source code was modified to allow extracting detailed data from the guest system, such as the system calls issued by each guest process. Communication between the UML

Experimental results

Using the prototype, the execution times of basic user commands were measured in order to evaluate the performance impact of the proposal. The utilities ps, find, ls, and who were selected because they are UNIX tools frequently tampered with by intruder rootkits, and because they can generate a large number of system calls during their execution.

The command execution times were measured in five situations: (a) in the host system, (b) in the original guest system, (c) in the

Related works

The paper [6] cites some benefits that the use of virtual machines can bring to the security and compatibility of systems, such as the capture and processing of log messages, intrusion detection (through control of the virtual machine’s internal state), or easier system migration. However, that article neither demonstrates how these proposals should be structured and implemented, nor analyzes their impact on system performance.

The reference [8] describes experience with the use of virtual machines for

Conclusion

This paper describes a proposal to increase the security of computing systems using virtual machines. The basis of the proposal is to monitor the actions of guest processes through an intrusion detection system external to the virtual machine. The data used for intrusion detection is obtained from the virtual machine monitor and analyzed by an IDS process in the underlying real machine. The detection system is inaccessible to virtual machine processes and cannot be subverted by intruders. Also, the

Marcos Laureano received an M.Sc. degree in Computer Science from the Pontifical Catholic University of Paraná State, Brazil, in 2004. He lectures in Operating Systems, Computer Security, and Programming Languages at local universities, and has worked in the Information Technology field since 1991. He has published technical books on virtual machines and C programming.

References (28)

  • J. Allen, A. Christie, W. Fithen, J. McHugh, J. Pickel, E. Stoner, State of the Practice of Intrusion Detection...
  • P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, A. Warfield, Xen and the Art of...
  • M. Bernaschi, E. Gabrielli, L. Mancini, Operating System Enhancements to Prevent the Misuse of System Calls, ACM...
  • M. Bernaschi et al., REMUS: a security-enhanced operating system, ACM Transactions on Information and System Security (2002)
  • B. Blunden, Virtual Machine Design and Implementation in C/C++ (2002)
  • P. Chen, B. Noble, When Virtual Is Better Than Real, Workshop on Hot Topics in Operating Systems,...
  • J. Dike, A User-mode port of the Linux Kernel, 4th Annual Linux Showcase & Conference, Atlanta – USA,...
  • G. Dunlap, S. King, S. Cinar, M. Basrai, P. Chen, ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging...
  • R. Embry, FreeVSD enables safe experimentation, Linux Journal (2001)
  • S. Forrest et al., A sense of self for Unix processes, IEEE Symposium on Research in Security and Privacy (1996)
  • T. Garfinkel et al., A virtual machine introspection based architecture for intrusion detection, ISOC Network and Distributed System Security Symposium (2003)
  • R. Goldberg, Architecture of virtual machines, AFIPS National Computer Conference, New York, NY, USA,...
  • S. Hofmeyr et al., Intrusion detection using sequences of system calls, Journal of Computer Security (1998)
  • N. Kelem et al., A separation model for virtual machine monitors, IEEE Symposium on Security and Privacy (1991)
Carlos Maziero has been a full professor of Operating Systems at the Graduate Program in Computer Science of the Pontifical Catholic University of Paraná State, Brazil, since 1998. He received a doctorate degree in Computer Science from the Université de Rennes I (IRISA/INRIA), France, in 1994, and an M.Sc. degree in Electrical Engineering from the Santa Catarina Federal University, Brazil, in 1988. His research interests include security of network operating systems and distributed systems, resource management in multiuser operating systems, and operating systems teaching techniques.

Edgard Jamhour received a Ph.D. degree in Informatics and Automation from the Université de Franche-Comté, France, in 1994. He is currently a full professor in the Graduate Program in Computer Science at the Pontifical Catholic University of Paraná State, Brazil. His research interests include network protocols, management and security.