DocumentCode :
3169906
Title :
VNIDA: Building an IDS Architecture Using VMM-Based Non-Intrusive Approach
Author :
Zhang, Xiantao ; Li, Qi ; Qing, Sihan ; Zhang, Huanguo
Author_Institution :
Wuhan Univ., Wuhan
fYear :
2008
fDate :
23-24 Jan. 2008
Firstpage :
594
Lastpage :
600
Abstract :
Intrusion detection systems (IDS) have been introduced and broadly applied for several years to prevent unauthorized access to system resources and data. However, many problems are still not well resolved in most IDS, such as detection evasion and intrusion containment. To address these problems, after studying popular IDS architectures, we propose VNIDA, a novel flexible architecture that is based on a virtual machine monitor (VMM) and is non-intrusive to the target system. In this architecture, a separate intrusion detection domain (IDD) is added to provide intrusion detection services for all virtual machines. In particular, an IDD helper is introduced to respond to intrusions according to the security policies. Moreover, the event sensors and the IDS stub, the core components of the IDS, are isolated from the target systems, so strong reliability is also achieved in this architecture. To show the feasibility of VNIDA, we implement a prototype based on the proposed architecture. Using the prototype, we employed several rootkits to evaluate VNIDA, and the results show that VNIDA is able to detect them efficiently, including some potential intrusions. In addition, the system performance evaluation shows that VNIDA introduces less than 1.25% extra overhead.
Keywords :
authorisation; software architecture; virtual machines; detection evasion; intrusion containment; intrusion detection domain; intrusion detection system; security policies; system resource; unauthorized access prevention; virtual machine monitor; Buildings; Computer architecture; Computer science; Data mining; Data security; Intrusion detection; Monitoring; Open source software; Prototypes; Software engineering;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Knowledge Discovery and Data Mining, 2008. WKDD 2008. First International Workshop on
Conference_Location :
Adelaide, SA
Print_ISBN :
978-0-7695-3090-1
Type :
conf
DOI :
10.1109/WKDD.2008.135
Filename :
4470467