Sciweavers

NDSS
2003
IEEE

A Virtual Machine Introspection Based Architecture for Intrusion Detection

Today’s architectures for intrusion detection force the IDS designer to make a difficult choice. If the IDS resides on the host, it has an excellent view of what is happening in that host’s software, but is highly susceptible to attack. On the other hand, if the IDS resides in the network, it is more resistant to attack, but has a poor view of what is happening inside the host, making it more susceptible to evasion. In this paper we present an architecture that retains the visibility of a host-based IDS, but pulls the IDS outside of the host for greater attack resistance. We achieve this through the use of a virtual machine monitor. Using this approach allows us to isolate the IDS from the monitored host but still retain excellent visibility into the host’s state. The VMM also offers us the unique ability to completely mediate interactions between the host software and the underlying hardware. We present a detailed study of our architecture, including Livewire, a prototype impl...
Tal Garfinkel, Mendel Rosenblum
Added 05 Jul 2010
Updated 05 Jul 2010
Type Conference
Year 2003
Where NDSS
Authors Tal Garfinkel, Mendel Rosenblum