Creating a Testbed for Virtual Machine Introspection-based Intrusion Detection

Supervisor(s): Veronique Ehmes, Lukas Lautenschlager
Status: finished
Topic: Others
Author: Manuel Mitterer
Submission: 2025-02-03
Type of Thesis: Bachelor's thesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching

Description

Modern information systems are exposed to many external threats. Intrusion Detection Systems are one of several available technologies that monitor vulnerable systems and increase their security. Using Virtual Machine Introspection (VMI), the monitoring system can gather data from a guest while maintaining a degree of isolation between itself and the observed system. Several available introspection frameworks are evaluated and compared to determine their current technological status. A testbed is constructed to reveal what kind of data can be collected and how efficiently it can be collected. A further goal is to discuss whether Machine Learning models can use such data to detect intrusions. The LibVMI library and the Xen hypervisor are used to build the testbed. A prototype script that traces system calls with LibVMI has also been implemented and evaluated.

Testing the script showed that the performance impact is noticeable: measured in isolation, system call execution slowed down by a factor of more than 500. The prototype successfully traced system calls during an attack on a modern web application. Analysis and discussion of the resulting datasets showed that they are suitable for Machine Learning and Intrusion Detection. On the Technology Readiness Level (TRL) scale defined by the European Union, the script, being a functional prototype, can be assigned a TRL of 3. The script's performance and the information it provides can be improved further, indicating that application in real-world scenarios is feasible.
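The abstract states that the system-call datasets produced by the tracer are suitable for Machine Learning and Intrusion Detection, but does not show what such a dataset looks like once it reaches a model. The following added example (not code from the thesis or from the LibVMI project) illustrates one common way of doing this: it parses a constructed trace in a hypothetical `<timestamp> <pid> <syscall>` line format, builds per-process system-call bigram frequency profiles, and flags processes whose profile deviates from a benign baseline by cosine distance. The line format, the sample trace, the baseline and the threshold are all assumptions made here for illustration.

```python
"""Per-process system-call n-gram profiling over a VMI-style trace.

Added example: the trace format and all sample data are constructed for
illustration and are not output from the thesis prototype.
"""
from collections import Counter
import math

# Constructed sample trace. Each line is "<timestamp> <pid> <syscall>", a
# hypothetical format a LibVMI-based tracer could emit. PID 101 performs a
# benign file-I/O loop; PID 202 performs a socket-then-execve pattern that
# is typical of a reverse shell being spawned.
TRACE = """\
1.000 101 openat
1.001 101 read
1.002 101 write
1.003 101 close
1.004 101 openat
1.005 101 read
1.006 101 write
1.007 101 close
1.010 202 socket
1.011 202 connect
1.012 202 execve
1.013 202 dup2
1.014 202 dup2
1.015 202 execve
"""

# Constructed benign baseline: the file-I/O loop observed during normal operation.
BASELINE = ["openat", "read", "write", "close"] * 4


def parse_trace(text):
    """Group system-call names by PID, preserving their order of occurrence."""
    per_pid = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed or truncated lines
        _timestamp, pid, name = parts
        per_pid.setdefault(int(pid), []).append(name)
    return per_pid


def ngrams(seq, n=2):
    """All overlapping n-grams of a system-call sequence."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def ngram_profile(seq, n=2):
    """Normalised n-gram frequency vector (a sparse dict keyed by n-gram)."""
    counts = Counter(ngrams(seq, n))
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()} if total else {}


def cosine_distance(p, q):
    """1 - cosine similarity of two sparse vectors; 1.0 if either is empty."""
    keys = set(p) | set(q)
    dot = sum(p.get(k, 0.0) * q.get(k, 0.0) for k in keys)
    norm_p = math.sqrt(sum(v * v for v in p.values()))
    norm_q = math.sqrt(sum(v * v for v in q.values()))
    if norm_p == 0.0 or norm_q == 0.0:
        return 1.0
    return 1.0 - dot / (norm_p * norm_q)


def score_trace(text, baseline_seq, n=2, threshold=0.5):
    """Return {pid: (distance_to_baseline, flagged)} for every PID in the trace.

    The threshold is an assumed value; in practice it would be tuned on
    benign traces so that normal variation stays below it.
    """
    base = ngram_profile(baseline_seq, n)
    results = {}
    for pid, seq in parse_trace(text).items():
        distance = cosine_distance(ngram_profile(seq, n), base)
        results[pid] = (round(distance, 3), distance > threshold)
    return results


if __name__ == "__main__":
    for pid, (distance, flagged) in sorted(score_trace(TRACE, BASELINE).items()):
        print(f"pid={pid} distance={distance} flagged={flagged}")
```

With the constructed data, PID 101 scores close to 0 (its bigrams match the baseline) while PID 202 scores 1.0 because none of its bigrams appear in benign traffic. A real deployment would learn the baseline from many benign runs and pass the same frequency vectors to a classifier or anomaly detector rather than a fixed threshold, which is the direction the abstract's Machine Learning discussion points to.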