Title :
Virtual-Machine-based Intrusion Detection on File-aware Block Level Storage
Author :
Zhang, Youhui ; Gu, Yu ; Wang, Hongyi ; Wang, Dongsheng
Author_Institution :
Tsinghua Nat. Lab. for Inf. Sci. & Technol., Tsinghua Univ., Beijing
Abstract :
In this paper we present a storage-based intrusion detection system (IDS) that makes use of advantages of virtual machine (VM) and smart disk technologies. The virtual machine monitor (VMM) can prevent the IDS itself from potential attacks while the smart disk technology provides IDS with a whole view of the file system of the monitored VM. We show how to use a tool and some file system knowledge to enable the virtual disk to maintain a sector-to-file mapping table (called file-aware block level storage) as well as how to detect the changes to file content on-line. Based on these features, normal file-level intrusion detection (ID) rules can be converted to sector-level ones in order to integrate ID functions to the virtual storage. We implement such a prototype based on QEMU VMM and the OS of VM is Windows XP. Moreover the time overhead introduced by this solution is tested
Keywords :
security of data; system monitoring; virtual machines; virtual storage; file system monitoring; file-aware block level storage; sector-to-file mapping table; smart disk; storage-based intrusion detection system; virtual machine monitor; virtual storage; virtual-machine-based intrusion detection; Condition monitoring; File systems; Information science; Intrusion detection; Laboratories; Prototypes; Testing; Virtual machine monitors; Virtual machining; Virtual manufacturing;
Conference_Titel :
Computer Architecture and High Performance Computing, 2006. SBAC-PAD '06. 18TH International Symposium on
Conference_Location :
Ouro Preto
Print_ISBN :
0-7695-2704-3
DOI :
10.1109/SBAC-PAD.2006.32
