UNOBSERVABLE INTRUSION DETECTION BASED ON CALL TRACES IN PARAVIRTUALIZED SYSTEMS

Carlo Maiero, Marino Miculan

2011

Abstract

We present a non-invasive system for intrusion and anomaly detection, based on system call tracing in paravirtualized machines over Xen. System calls from guest user programs and operating systems are intercepted stealthily within the Xen hypervisor and passed to a detection system running in Dom0 via a suitable communication channel. Guest applications and machines are left unchanged, and an intruder on the virtual machine cannot tell whether the system is under inspection or not. As for the detection algorithm, we present and study a variant of Stide, which we verify experimentally to have good intrusion detection performance with an acceptable overhead; in fact, online real-time intrusion detection is feasible. Moreover, since the interception mechanism is kept separate from the detection system, the latter can be replaced according to further needs.
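The detection side described above, as an added example that is not the authors' code: it implements the classic Stide detector of Forrest, Hofmeyr et al. (a database of normal length-k system call windows plus a locality frame count), not the variant studied in the paper, and it consumes a stream of system call names such as an out-of-guest interceptor would deliver. The training and attack traces, the toy daemon they describe, and the parameters k=3, frame=5, threshold=3 are all constructed for illustration.

```python
"""Classic Stide (sequence time-delay embedding) over system-call traces.

Added example, not the authors' code: it implements the original Stide of
Forrest/Hofmeyr et al., not the variant studied in the paper. All traces
below are constructed by hand for illustration.
"""
from collections import deque
from typing import Iterable, Iterator, List, Sequence, Tuple

# Constructed "normal" traces of a toy daemon: open a file, read it,
# write the result out, close. The model has no notion of arguments,
# only of syscall names and their order.
NORMAL_TRACES: List[List[str]] = [
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
    ["open", "read", "read", "read", "write", "close"],
]

# Constructed intrusion trace: the daemon behaves normally, then (after a
# hypothetical injected payload) redirects its descriptors and executes a
# program it never runs in normal operation.
ATTACK_TRACE: List[str] = [
    "open", "read", "read", "write", "execve", "dup2", "dup2", "execve", "close",
]


def windows(trace: Sequence[str], k: int) -> Iterator[Tuple[str, ...]]:
    """Every contiguous window of k consecutive syscall names in `trace`."""
    for i in range(len(trace) - k + 1):
        yield tuple(trace[i:i + k])


class Stide:
    """Database of normal length-k windows plus a locality frame count (LFC)
    that tolerates isolated mismatches and alarms on clustered ones."""

    def __init__(self, k: int = 3, frame: int = 5, threshold: int = 3) -> None:
        self.k = k                  # window length
        self.frame = frame          # number of recent windows the LFC counts over
        self.threshold = threshold  # alarm when a frame holds >= threshold mismatches
        self.normal: set = set()

    def train(self, traces: Iterable[Sequence[str]]) -> int:
        """Record every window seen in attack-free traces; return database size."""
        for trace in traces:
            self.normal.update(windows(trace, self.k))
        return len(self.normal)

    def monitor(self) -> "Monitor":
        return Monitor(self)

    def detect(self, trace: Sequence[str]) -> Tuple[bool, dict]:
        """Replay a whole trace through an online monitor; return (alarm, summary)."""
        mon = self.monitor()
        for call in trace:
            mon.observe(call)
        return mon.alarm, {"mismatches": mon.mismatches, "max_lfc": mon.max_lfc}


class Monitor:
    """Online state for one monitored process: the last k syscalls and the
    mismatch flags of the last `frame` windows. One hash lookup per syscall,
    so it keeps up with a live stream of intercepted calls."""

    def __init__(self, model: Stide) -> None:
        self.model = model
        self.recent_calls: deque = deque(maxlen=model.k)
        self.recent_flags: deque = deque(maxlen=model.frame)
        self.mismatches = 0   # total mismatching windows seen
        self.max_lfc = 0      # highest LFC reached so far

    def observe(self, syscall: str) -> Tuple[bool, int]:
        """Feed one intercepted syscall; return (window_is_mismatch, current_lfc).
        Until k calls have been seen there is no complete window to judge."""
        self.recent_calls.append(syscall)
        if len(self.recent_calls) < self.model.k:
            return False, 0
        mismatch = tuple(self.recent_calls) not in self.model.normal
        self.recent_flags.append(mismatch)
        lfc = sum(self.recent_flags)
        self.mismatches += int(mismatch)
        self.max_lfc = max(self.max_lfc, lfc)
        return mismatch, lfc

    @property
    def alarm(self) -> bool:
        return self.max_lfc >= self.model.threshold


if __name__ == "__main__":
    det = Stide(k=3, frame=5, threshold=3)
    print("normal windows:", det.train(NORMAL_TRACES))
    for name, trace in [("normal", NORMAL_TRACES[0]), ("attack", ATTACK_TRACE)]:
        print(name, det.detect(trace))
```

With these constructed traces the training set yields seven distinct windows; the attack trace produces five consecutive mismatching windows and trips the alarm, while a trace with a single unseen window (for example a duplicated `close` at the end) is tolerated by the frame count. Because the model sees only syscall names and their order, an intruder who interleaves the malicious work with sequences already in the normal database (a mimicry attack) is not detected by this algorithm alone; how the calls reach the monitor, whether from an in-guest tracer or from the hypervisor as in the paper, does not change that property.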



Paper Citation


in Harvard Style

Maiero C. and Miculan M. (2011). UNOBSERVABLE INTRUSION DETECTION BASED ON CALL TRACES IN PARAVIRTUALIZED SYSTEMS. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2011) ISBN 978-989-8425-71-3, pages 300-306. DOI: 10.5220/0003521003000306


in Bibtex Style

@conference{secrypt11,
author={Carlo Maiero and Marino Miculan},
title={UNOBSERVABLE INTRUSION DETECTION BASED ON CALL TRACES IN PARAVIRTUALIZED SYSTEMS},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2011)},
year={2011},
pages={300-306},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0003521003000306},
isbn={978-989-8425-71-3},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2011)
TI - UNOBSERVABLE INTRUSION DETECTION BASED ON CALL TRACES IN PARAVIRTUALIZED SYSTEMS
SN - 978-989-8425-71-3
AU - Maiero C.
AU - Miculan M.
PY - 2011
SP - 300
EP - 306
DO - 10.5220/0003521003000306
