DOI: 10.1145/3274005.3274030
research-article

Virtual Machine Introspection based Cloud Monitoring Platform

Published: 13 September 2018

Abstract

Virtual Machine Introspection (VMI) is an emerging family of techniques for extracting data from virtual machines without the use of active monitoring probes within the target machines themselves. In VMI-based systems, the data is collected at the hypervisor level by analyzing the state of the virtual machines. This makes collection harder for malware to detect and block, as nothing in the machine indicates that monitoring is taking place.
In this paper, we present Nitro Web, a web-based monitoring system for virtual machines that uses virtual machine introspection for data collection. The platform is capable of detecting and visualizing system call activity taking place within virtual machines in real time.
The secondary purpose of this paper is to offer an introduction to the Nitro virtual machine introspection framework, which we have been involved in developing. We reflect on how the Nitro Framework can be used to build applications that make use of VMI data.

CompSysTech'18, September 2018, Ruse, Bulgaria. Samuel Laurén and Ville Leppänen.



    Published In

    CompSysTech '18: Proceedings of the 19th International Conference on Computer Systems and Technologies
    September 2018
    206 pages
    ISBN:9781450364256
    DOI:10.1145/3274005

    In-Cooperation

    • ERSVB: EURORISC SYSTEMS - Varna, Bulgaria
    • FOSEUB: FEDERATION OF THE SCIENTIFIC ENGINEERING UNIONS - Bulgaria
    • UORB: University of Ruse, Bulgaria
    • TECHUVB: Technical University of Varna, Bulgaria

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. KVM
    2. Monitoring
    3. Security
    4. Virtual Machine Introspection

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Funding Sources

    • Business Finland

    Conference

    CompSysTech'18

    Acceptance Rates

    Overall Acceptance Rate 241 of 492 submissions, 49%


    Cited By

    • (2025) A Run-Time Framework for Ensuring Zero-Trust State of Client’s Machines in Cloud Environment. IEEE Transactions on Cloud Computing 13:1 (61-74). DOI: 10.1109/TCC.2024.3503358. Online publication date: Jan-2025
    • (2022) Holistic Runtime Performance and Security-aware Monitoring in Public Cloud Environment. 2022 22nd IEEE International Symposium on Cluster, Cloud and Internet Computing (CCGrid) (1052-1059). DOI: 10.1109/CCGrid54584.2022.00128. Online publication date: May-2022
    • (2022) Intrusion detection system in cloud environment: Literature survey & future research directions. International Journal of Information Management Data Insights 2:2 (100134). DOI: 10.1016/j.jjimei.2022.100134. Online publication date: Nov-2022
    • (2020) On the Detection of Malicious Behaviors against Introspection Using Hardware Architectural Events. IEICE Transactions on Information and Systems E103.D:1 (177-180). DOI: 10.1587/transinf.2019EDL8148. Online publication date: 1-Jan-2020
    • (2019) Tenant-Oriented Monitoring for Customized Security Services in the Cloud. Symmetry 11:2 (252). DOI: 10.3390/sym11020252. Online publication date: 18-Feb-2019
