Virtual-Machine-based Intrusion Detection on File-aware Block Level Storage
Abstract
In this paper we present a storage-based intrusion detection system (IDS) that takes advantage of virtual machine (VM) and smart disk technologies. The virtual machine monitor (VMM) protects the IDS itself from attacks, while the smart disk technology gives the IDS a complete view of the monitored VM's file system. We show how a tool and some file system knowledge enable the virtual disk to maintain a sector-to-file mapping table (called file-aware block level storage), and how to detect changes to file content on-line. Based on these features, ordinary file-level intrusion detection (ID) rules can be converted to sector-level ones, integrating ID functions into the virtual storage. We implement such a prototype based on the QEMU VMM, with Windows XP as the guest OS of the VM. Moreover, the time overhead introduced by this solution is tested.
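The following is an added illustration of the mechanism the abstract describes, not code from the paper or its QEMU prototype: a sector-to-file mapping table built from a constructed file layout, file-level rules converted to sector-level rules, and an on-line check of block writes that reports a protected file only when its content actually changes. The file paths, extents and rule format are assumptions made for the example.

```python
from dataclasses import dataclass
SECTOR = 512  # bytes per sector

@dataclass
class Extent:  # one contiguous run of sectors belonging to a file
    path: str
    first_sector: int
    count: int        # sectors in the run
    file_offset: int  # byte offset in the file where the run starts

def build_sector_map(extents):
    """File-aware mapping table: sector -> (path, byte offset within the file)."""
    table = {}
    for e in extents:
        for i in range(e.count):
            table[e.first_sector + i] = (e.path, e.file_offset + i * SECTOR)
    return table

def convert_rules(file_rules, sector_map):
    """File-level rules {path: action} -> sector-level rules {sector: (path, action)}."""
    return {s: (p, file_rules[p]) for s, (p, _) in sector_map.items() if p in file_rules}

def check_write(first_sector, data, sector_rules, sector_map, shadow):
    """Inspect one block write. `shadow` holds the last seen content per sector,
    so rewriting identical bytes is not reported as a content change."""
    alerts = []
    for i in range(0, len(data), SECTOR):
        sector, new = first_sector + i // SECTOR, data[i:i + SECTOR]
        changed = shadow.get(sector) != new
        shadow[sector] = new
        if changed and sector in sector_rules:
            path, action = sector_rules[sector]
            alerts.append((action, path, sector_map[sector][1], sector))
    return alerts

# Constructed layout (hypothetical): a fragmented 2-sector hosts file and a 3-sector log.
HOSTS = r"C:\WINDOWS\system32\drivers\etc\hosts"
EXTENTS = [Extent(HOSTS, 100, 1, 0), Extent(HOSTS, 205, 1, SECTOR), Extent(r"C:\app.log", 101, 3, 0)]
FILE_RULES = {HOSTS: "alert"}  # file-level rule: report any change to hosts

def demo():
    """Three writes: a real change to hosts, a no-op rewrite of it, and a change to app.log."""
    sector_map = build_sector_map(EXTENTS)
    sector_rules = convert_rules(FILE_RULES, sector_map)
    shadow = {s: b"\0" * SECTOR for s in sector_map}  # initial disk contents
    edited = b"127.0.0.1 localhost # edited\n".ljust(SECTOR, b"\0")
    first = check_write(205, edited, sector_rules, sector_map, shadow)
    second = check_write(205, edited, sector_rules, sector_map, shadow)
    third = check_write(101, b"x" * (2 * SECTOR), sector_rules, sector_map, shadow)
    return first, second, third
```

Only the first write produces an alert: the second rewrites identical bytes, and the third touches sectors that map to an unprotected file.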
Keywords:
Intrusion detection, File systems, Virtual manufacturing, Virtual machine monitors, Virtual machining, Prototypes, Condition monitoring, Laboratories, Information science, Testing
Published
2006-10-18
How to Cite
ZHANG, Youhui; GU, Yu; WANG, Hongyi; WANG, Dongsheng. Virtual-Machine-based Intrusion Detection on File-aware Block Level Storage. In: INTERNATIONAL SYMPOSIUM ON COMPUTER ARCHITECTURE AND HIGH PERFORMANCE COMPUTING (SBAC-PAD), 18., 2006, Ouro Preto/MG. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2006. p. 185-192.
