Authors:
Carlo Maiero
and
Marino Miculan
Affiliation:
University of Udine, Italy
Keyword(s):
Intrusion detection systems, Paravirtualization, System call trace analysis.
Related
Ontology
Subjects/Areas/Topics:
Information and Systems Security
;
Intrusion Detection & Prevention
;
Security in Distributed Systems
;
Software Security
Abstract:
We present a non-invasive system for intrusion and anomaly detection, based on system call tracing in paravirtualized machines over Xen. System calls from guest user programs and operating systems are intercepted stealthy within Xen hypervisor, and passed to a detection system running in Dom0 via a suitable communication channel. Guest applications and machines are left unchanged, and an intruder on the virtual machine cannot tell whether the system is under inspection or not. As for the detection algorithm, we present and study a variant of Stide, which we verify experimentally to have a good performance on intrusion detection with an acceptable overhead—in fact, online real-time intrusion detection feasible. However, since the interception mechanism is kept separated from the detection system, the latter can be replaced according to further needs.