A Virtual Machine Introspection Based Architecture for Intrusion Detection

Proceedings of the Symposium on Network and Distributed System Security, NDSS 2003

Volumn , Issue , 2003, Pages

  Garfinkel, Tal ^a   Rosenblum, Mendel ^a  

^a Stanford University   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

INTRUSION DETECTION; NETWORK ARCHITECTURE; NETWORK SECURITY; VIRTUAL MACHINE;

HOST BASED IDS; INTRUSION-DETECTION; LIVE WIRE; PROTOTYPE IMPLEMENTATIONS; S STATE; SIMPLE++; VIRTUAL MACHINE INTROSPECTION; VIRTUAL MACHINE MONITORS;

VISIBILITY;

EID: 85080362568     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (54)

1. Anonymous. Runtime process infection. Phrack, 11(59):ar-ticle 8 of 18, December 2002.
2. Apk. Interface promiscuity obscurity. Phrack, 8(53):article 10 of 15, July 1998.
3. K. Ashcraft and D. Engler. Using programmer-written compiler extensions to catch security holes. In Proc. IEEE Symposium on Security and Privacy, 2002.
4. T. C. Bressoud and F. B. Schneider. Hypervisor-based fault tolerance. ACM Transactions on Computer Systems, 14(1):80–107, 1996.
5. E. Bugnion, S. Devine, and M. Rosenblum. Disco: running commodity operating systems on scalable multiprocessors. In Proceedings of the Sixteenth ACM Symposium on Operating System Principles, Oct. 1997.
6. P. M. Chen and B. D. Noble. When virtual is better than real. In Proceedings of the 2001 Workshop on Hot Topics in Operating Systems (HotOS-VIII), Schloss Elmau, Germany, May 2001.
7. J. R. Collins. Knark: Linux kernel subversion. Sans Institute IDS FAQ.
8. J. R. Collins. RAMEN, a Linux worm. Sans Institute Article, February 2001.
9. J. Downey. Sniffer detection tools and countermeasures.
10. G. W. Dunlap, S. T. King, S. Cinar, M. Basrai, and P. M. Chen. Revirt: Enabling intrusion analysis through virtual-machine logging and replay. In Proc. of 2002 Symposium on Operating Systems Design and Implementation (OSDI), December 2002.
11. FX. cdoor.c, packet coded backdoor. http://www.phenoelit.de/stuff/cd00rdescr.html.
12. B. Gold, R. Linde, R. J. Peller, M. Schaefer, J. Scheid, and P. D. Ward. A security retrofit for VM/370. In AFIPS National Computer Conference, volume 48, pages 335–344, June 1979.
13. B. Gold, R. R. Linde, and P. F. Cudney. KVM/370 in retrospect. In Proc. of the 1984 IEEE Symposium on Security and Privacy, pages 13–23, April 1984.
14. B. Gold, R. R. Linde, M. Schaefer, and J. F. Scheid. VM/370 security retrofit program. In Proc. ACM Annual Conference, pages 411–418, October 1977.
15. R. Goldberg. Architectural Principles for Virtual Computer Systems. PhD thesis, Harvard University, 1972.
16. R. Goldberg. Survey of virtual machine research. IEEE Computer Magazine, 7:34–45, June 1974.
17. Guido van Rossum. Python Reference Manual. http://www.python.org/doc/current/ref/ref.html.
18. halflife. Bypassing integrity checking systems. Phrack, 7(51):article 9 of 17, September 1997.
19. S. A. Hofmeyr, S. Forrest, and A. Somayaji. Intrusion detection using sequences of system calls. Journal of Computer Security, 6(3):151–180, 1998.
20. S. Ioannidis, A. D. Keromytis, S. M. Bellovin, and J. M. Smith. Implementing a distributed firewall. In ACM Conference on Computer and Communications Security, pages 190–199, 2000.
21. P. Karger, M. Zurko, D. Bonin, A. Mason, and C. Kahn. A retrospective on the VAX VMM security kernel. 17(11), Nov. 1991.
22. G. H. Kim and E. H. Spafford. The design and implementation of tripwire: A file system integrity checker. In ACM Conference on Computer and Communications Security, pages 18–29, 1994.
23. klog. Backdooring binary objects. Phrack, 10(56):article 9 of 16, May 2000.
24. C. Ko, T. Fraser, L. Badger, and D. Kilpatrick. Detecting and countering system intrusions using software wrappers. In Proceedings of the 9th USENIX Security Symposium, August 2000.
25. l. kossack. Building into the linux network layer. Phrack, 9(55):article 12 of 19, July 1999.
26. Y. Liao and V. R. Vemuri. Using text categorization techniques for intrusion detection. In Proceedings of the 11th USENIX Security Symposium, August 2002.
27. Lord Somer. lrk5.src.tar.gz, Linux rootkit V. http://packetstorm.decepticons.org.
28. K. Mandia and K. J. Jones. Carbonite v1.0 - A Linux Kernel Module to aid in RootKit detection. http://www.foundstone.com/knowledge/proddesc/carbonite.html.
29. R. Meushaw and D. Simard. NetTop: Commercial technology in high assurance applications. http://www.vmware.com/pdf/TechTrendNotes.pdf, 2000.
30. Mission Critical Linux. Core Analysis Suite v3.3. http://oss.missioncriticallinux.com/projects/crash/.
31. N. Murilo and K. Steding-Jessen. chkrootkit: locally checks for signs of a rootkit. http://http://www. chkrootkit.org/.
32. palmers. Advances in kernel hacking. Phrack, 11(58):arti-cle 6 of 15, December 2001.
33. V. Paxson. Bro: a system for detecting network intruders in real-time. Computer Networks, 31(23-24):2435–2463, 1999.
34. pragmatic. (nearly) Complete Linux Loadable Kernel Modules. http://www.thehackerschoice.com/papers/LKM_HACKING.html.
35. T. H. Ptacek and T. N. Newsham. Insertion, evasion, and denial of service: Eluding network intrusion detection. Technical report, Suite 330, 1201 5th Street S.W, Calgary, Alberta, Canada, T2R-0Y6, 1998.
36. Rainer Wichmann. Samhain: distributed host monitoring system. http://samhain.sourceforge.net.
37. M. J. Ranum. Intrusion detection and network forensics. USENIX Security 2000 Course Notes.
38. M. Rosenblum, E. Bugnion, S. Devine, and S. A. Her-rod. Using the simos machine simulator to study complex computer systems. Modeling and Computer Simulation, 7(1):78–103, 1997.
39. M. Schaefer and B. Gold. Program confinement in KVM/370. pages 404–410, October 1977.
40. sd. Linux on-the-fly kernel patching without lkm. Phrack, 11(58):article 7 of 15, December 2001.
41. K. Seifried. Honeypotting with VMware: basics. http://www.seifried.org/security/ids/20020107-honeypot-vmware-basics.ht%ml.
42. Silvio Cesare. Runtime Kernel Kmem Patching. http://www.big.net.au/~silvio/runtime-kernel-kmem-patching.txt.
43. D. Song. Passwords found on a wireless network. USENIX Technical Conference WIP, June 2000.
44. Stealth. The adore rootkit version 0.42. http://teso.scene.at/releases.php.
45. J. Sugerman, G. Venkitachalam, and B. Lim. Virtualizing I/O devices on VMware workstation’s hosted virtual machine monitor. In Proceedings of the 2001 Annual Usenix Technical Conference, Boston, MA, USA, June 2001.
46. Teso Security Advisory. LIDS Linux Intrusion Detection System vulnerability. http://www.team-teso.net/advisories/teso-advisory-012.txt.
47. Tim Lawless. St Michael: detection of kernel level rootkits. http://sourceforge.net/projects/stjude.
48. Toby Miller. Analysis of the T0rn rootkit. http://www.sans.org/y2k/t0rn.htm.
49. VMware, Inc. VMware virtual machine technology. http://www.vmware.com/.
50. D. Wagner and D. Dean. Intrusion detection via static analysis. In Proc. IEEE Symposium on Security and Privacy, 2001.
51. C. A. Waldspurger. Memory resource management in VMware ESX Server. In Proc. of 2002 Symposium on Operating Systems Design and Implementation (OSDI), 2002.
52. A. Wespi, M. Dacier, and H. Debar. Intrusion detection using variable length audit trail patterns. In RAID 2000, pages 110–129, 2000.
53. A. Whitaker, M. shaw, and S. D. Gribble. Scale and performance in the denali isolation kernel. In Proc. of the 5th USENIX Symposium on Operating Systems Design and Implementation (OSDI’99), 2002.
54. Xie Huangang. Building a secure system with LIDS. http://www.de.lids.org/document/build_lids-0.2.html.