Unobservable intrusion detection based on call traces in paravirtualized systems


We present a non-invasive system for intrusion and anomaly detection, based on system call tracing in par-avirtualized machines over Xen. System calls from guest user programs and operating systems are intercepted stealthy within Xen hypervisor, and passed to a detection system running in Dom0 via a suitable communication channel. Guest applications and machines are left unchanged, and an intruder on the virtual machine cannot tell whether the system is under inspection or not. As for the detection algorithm, we present and study a variant of Stide, which we verify experimentally to have a good performance on intrusion detection with an acceptable overhead-in fact, online real-time intrusion detection feasible. However, since the interception mechanism is kept separated from the detection system, the latter can be replaced according to further needs.

SECRYPT 2011 - Proceedings of the International Conference on Security and Cryptography