Abstract

Most existing virtual machine introspection (VMI) technologies analyze the status of a target virtual machine under the assumption that the operating system (OS) version and kernel structure information are known at the hypervisor level. In this paper, we propose a model of virtual machine (VM) security monitoring based on memory introspection. Using a hardware-based approach to acquire the physical memory of the host machine in real time, the security of both the host machine and its VMs can be diagnosed. Furthermore, a novel approach to VM memory forensics based on the virtual machine control structure (VMCS) is put forward. By analyzing the memory of the host machine, the running VMs can be detected and their high-level semantic information can be reconstructed; malicious activity in the VMs can then be identified in a timely manner. Moreover, by cross-analyzing the memory content of the host machine and the VMs, VM escape may be detected. Compared with previous memory introspection technologies, our solution can automatically reconstruct the comprehensive running state of a target VM without any prior knowledge, is strongly resistant to attacks, and is highly reliable. We developed a prototype system called VEDefender. Experimental results indicate that our system can handle VMs running mainstream Linux and Windows OS versions with high efficiency and does not influence the performance of the host machine or the VMs.

Highlights

  • Cloud computing has become a dominant computing paradigm over the past several years

  • This paper addresses the problem of securely monitoring virtual machines (VMs) in a server consolidation scenario where multiple VMs run on a single host machine

  • Based on the techniques described above, we developed a VM defense system called VEDefender that includes a PCI device and a terminal program

Summary

Introduction

Cloud computing has become a dominant computing paradigm over the past several years. Protecting individual guest OSs using a host-based intrusion detection system (IDS) or antimalware solution is ineffective. To overcome this problem, VMI has emerged as a fine-grained technique that uses the underlying hypervisor to provide complete visibility of the running state of the VMs [11,12,13,14,15]. Using the above techniques, we developed a VM defense system called VEDefender which presents the following features: it is transparent to guest machines; it is hard to access, even from a compromised VM; it can collect data, analyze them, and find malicious activities within the host machine and VMs; and, at present, it supports Windows and Linux guest machines. These features are leveraged to examine the state of the monitored VMs periodically and detect running malicious processes. The final section presents the conclusions and indicates opportunities for future research in this area.

Related Work
Threat Model
System Design and Technology Details
Evaluation and Experimental Results
Conclusions