A real-time integrity monitor for xen virtual machine

Nguyen Anh Quynh, Yoshiyasu Takefuji

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

16 Citations (Scopus)

Abstract

File-system integrity tools (FIT) are commonly deployed to assist forensic investigation after security incidents and as host-based intrusion detection system (HIDS) tools to detect unauthorized file-system changes. Basically all the current solutions employ the same tactic: the administrator specifies a list of critical files and directories that need to be monitored, then uses the FIT to create a baseline database that tracks general parameters about these files. The FIT is then re-run periodically, and if it detects modifications of the file system against the information stored in the database, a report on the changed files is generated. However, this strategy is far from perfect: the intrusion detection cannot be done in real time, which might render the whole scheme useless if the attacker can somehow take over the system with privileged access in the meantime. The administrator also has a lot of problems keeping the database up to date. Besides, he must do everything he can to protect the database and the FIT itself from being compromised by the attacker, which is not an easy task, especially if the attacker gains local access. This paper presents a novel approach to address the outstanding problems of current FITs. We propose a design and implementation of a tool named XenRIM for Xen virtual machines. XenRIM can monitor and fire alarms on intrusions in a real-time manner, and our approach does not require creating and updating a database as in the legacy methods. As a result, XenRIM is almost effortless to deploy and maintain. Thanks to the advantages introduced by Xen, the detection policies are centralized in a secure virtual machine and are resistant to tampering. Even better, if deployed strictly, this tool is able to function very stealthily to avoid arousing the attacker's suspicion. Our experimental results demonstrate that XenRIM incurs very low performance overhead (less than 4%), which makes the solution attractive and practical for production systems.
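The baseline-and-compare scheme the abstract describes, together with the database-tampering weakness it points out, as an added example that is not code from the paper or from XenRIM: a minimal Python FIT that records a hash and mode for every file under an administrator's watch list, rescans, and reports added, removed and modified files. The directory layout, file contents, paths and the HMAC sealing are all constructed here for the demonstration. Sealing the baseline with a key the monitored host cannot read is an ordinary mitigation standing in for the paper's point about keeping detection state outside the attacker's reach; it is not XenRIM's mechanism, and this example still has the periodic-scan detection window the abstract criticizes.

```python
"""Legacy file-integrity checking: baseline database, periodic rescan, and why
an on-host database is a weak point. Added illustration, not XenRIM code."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Per-file entry of the kind a FIT stores: size, permission bits, content hash."""
    st = path.stat()
    return {
        "size": st.st_size,
        "mode": oct(st.st_mode & 0o7777),
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
    }


def build_baseline(root: Path, watch_list: list[str]) -> dict:
    """Walk the administrator-specified files/directories and record every regular file."""
    baseline = {}
    for entry in watch_list:
        target = root / entry
        candidates = target.rglob("*") if target.is_dir() else [target]
        for p in candidates:
            if p.is_file():
                baseline[p.relative_to(root).as_posix()] = file_record(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff a stored baseline against a fresh scan; this is the periodic FIT run."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def seal_baseline(baseline: dict, key: bytes) -> bytes:
    """Serialize the baseline and prefix an HMAC tag so silent edits are detectable."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return tag + b"\n" + body


def open_baseline(blob: bytes, key: bytes) -> dict:
    """Verify the tag before trusting the stored baseline; reject a re-baselined database."""
    tag, _, body = blob.partition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("baseline database has been tampered with")
    return json.loads(body)


def demo() -> dict:
    """Constructed scenario: a small 'etc' tree, an attacker with local root who edits a
    file, then rewrites the on-host database to hide the change."""
    key = os.urandom(32)  # assumption: held where the monitored host cannot read it
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "sudoers").write_text("root ALL=(ALL) ALL\n")

        baseline = build_baseline(root, ["etc"])
        on_host_db = root / "fit.db"  # plain database stored beside the files it protects
        on_host_db.write_text(json.dumps(baseline, sort_keys=True))
        sealed = seal_baseline(baseline, key)

        # Attacker adds a uid-0 backdoor account; the next periodic scan catches it.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nevil:x:0:0::/:/bin/sh\n")
        first_scan = compare(json.loads(on_host_db.read_text()), build_baseline(root, ["etc"]))

        # Attacker with local access simply re-baselines the on-host database: nothing is reported.
        on_host_db.write_text(json.dumps(build_baseline(root, ["etc"]), sort_keys=True))
        after_rebaseline = compare(json.loads(on_host_db.read_text()), build_baseline(root, ["etc"]))

        # With the sealed copy, forging a new baseline fails without the off-host key.
        forged = seal_baseline(build_baseline(root, ["etc"]), b"guess")
        try:
            open_baseline(forged, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        sealed_scan = compare(open_baseline(sealed, key), build_baseline(root, ["etc"]))

    return {
        "first_scan": first_scan,
        "after_rebaseline": after_rebaseline,
        "tamper_detected": tamper_detected,
        "sealed_scan": sealed_scan,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The three scans in `demo()` show the abstract's argument in order: the periodic rescan does catch the edited `etc/passwd`, but only at the next run; an attacker who already has local privileged access can re-baseline the on-host database so the same edit disappears; and a baseline whose integrity is anchored outside the host keeps reporting the change. What sealing cannot fix is the gap between scans, which is the real-time property the paper attributes to XenRIM.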

Original language: English
Title of host publication: International Conference on Networking and Services 2006, ICNS'06
DOIs: 10.1109/ICNS.2006.13
Publication status: Published - 2006
Event: International Conference on Networking and Services 2006, ICNS'06 - Silicon Valley, CA, United States
Duration: 2006 Jul 16 to 2006 Jul 18

Other

Other: International Conference on Networking and Services 2006, ICNS'06
Country: United States
City: Silicon Valley, CA
Period: 06/7/16 to 06/7/18

ASJC Scopus subject areas

  • Computer Science Applications
  • Electrical and Electronic Engineering

Cite this

Quynh, N. A., & Takefuji, Y. (2006). A real-time integrity monitor for xen virtual machine. In International Conference on Networking and Services 2006, ICNS'06 [1690560] https://doi.org/10.1109/ICNS.2006.13

@inproceedings{fe9afb61451e4ef2b7cff827ebcf1693,
title = "A real-time integrity monitor for xen virtual machine",
author = "Quynh, {Nguyen Anh} and Yoshiyasu Takefuji",
year = "2006",
doi = "10.1109/ICNS.2006.13",
language = "English",
isbn = "0769526225",
booktitle = "International Conference on Networking and Services 2006, ICNS'06",

}

TY - GEN

T1 - A real-time integrity monitor for xen virtual machine

AU - Quynh, Nguyen Anh

AU - Takefuji, Yoshiyasu

PY - 2006

Y1 - 2006

UR - http://www.scopus.com/inward/record.url?scp=43449086692&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=43449086692&partnerID=8YFLogxK

U2 - 10.1109/ICNS.2006.13

DO - 10.1109/ICNS.2006.13

M3 - Conference contribution

SN - 0769526225

SN - 9780769526225

BT - International Conference on Networking and Services 2006, ICNS'06

ER -