Title: A Virtual Machine Introspection Based Architecture for Intrusion Detection
Abstract: Today's architectures for intrusion detection force the IDS designer to make a difficult choice. If the IDS resides on the host, it has an excellent view of what is happening in that host's software, but is highly susceptible to attack. On the other hand, if the IDS resides in the network, it is more resistant to attack, but has a poor view of what is happening inside the host, making it more susceptible to evasion. In this paper we present an architecture that retains the visibility of a host-based IDS, but pulls the IDS outside of the host for greater attack resistance. We achieve this through the use of a virtual machine monitor. Using this approach allows us to isolate the IDS from the monitored host but still retain excellent visibility into the host's state. The VMM also offers us the unique ability to completely mediate interactions between the host software and the underlying hardware. We present a detailed study of our architecture, including Livewire, a prototype implementation. We demonstrate Livewire by implementing a suite of simple intrusion detection policies and using them to detect real attacks.
Year: 2003
Venue: NDSS
Keywords: intrusion detection, virtual machine monitor, virtual machine
Field: Architecture, Host-based intrusion detection system, Memory forensics, Suite, Computer security, Computer science, Rootkit, Hypervisor, Software, Intrusion detection system, Embedded system
DocType: Conference
Citations: 638
PageRank: 37.33
References: 21
Authors: 2
Authors (Name, Order, Citations, PageRank; the citation and PageRank figures are run together in the source record):
Tal Garfinkel, order 1, 2008171.66
Mendel Rosenblum, order 2, 4129572.54