Lightweight Intrusion Detection of Rootkit with VMI-Based Driver Separation Mechanism

Lightweight Intrusion Detection of Rootkit with VMI-Based Driver Separation Mechanism

Intrusion detection techniques based on virtual machine introspection (VMI) provide high temper-resistance in comparison with traditional in-host anti-virus tools. However, the presence of semantic gap also leads to the performance and compatibility problems. In order to map raw bits of hardware to...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:KSII transactions on Internet and information systems 2017-03, Vol.11 (3), p.1722-1741
Hauptverfasser: Cui, Chaoyuan, Wu, Yun, Li, Yonggang, Sun, Bingyu
Format: Artikel
Sprache:kor
Schlagworte:
driver separation mechanism
introspection
lightweight intrusion detection
portability
semantic gap
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:Intrusion detection techniques based on virtual machine introspection (VMI) provide high temper-resistance in comparison with traditional in-host anti-virus tools. However, the presence of semantic gap also leads to the performance and compatibility problems. In order to map raw bits of hardware to meaningful information of virtual machine, detailed knowledge of different guest OS is required. In this work, we present VDSM, a lightweight and general approach based on driver separation mechanism: divide semantic view reconstruction into online driver of view generation and offline driver of semantics extraction. We have developed a prototype of VDSM and used it to do intrusion detection on 13 operation systems. The evaluation results show VDSM is effective and practical with a small performance overhead.
ISSN:1976-7277
1976-7277