
Research On Strong Intrusion Detection Technology With Virtual Machine

Posted on: 2008-01-22
Degree: Master
Type: Thesis
Country: China
Candidate: Q Shao
Full Text: PDF
GTID: 2178360242958965
Subject: Computer application technology

Abstract/Summary:
As people's dependence on computer networks grows, network security is becoming more important. Unauthorized access to a computer by an intruder is commonly referred to as an intrusion. Intrusions can result in corruption and loss of system data and can cause denial of service. Intrusion is a pervasive and seemingly worsening problem. Because intrusion detection can effectively address the limitations of traditional defense technologies, it has received much attention in academia and industry in recent years. Widespread study and deployment of IDSs has led to the development of increasingly sophisticated approaches to defeating them.

Today's architectures for intrusion detection force the IDS designer to make a difficult choice. If the IDS resides on the host, it has an excellent view of what is happening in that host's software, but is highly susceptible to attack. If the IDS resides in the network, it is more resistant to attack, but has a poor view of what is happening inside the host, making it more susceptible to evasion.

Recently, the virtual machine monitor (VMM), which had been dormant for a long time, has again become a hot topic in academia and research. With the growing application of VMMs in the security area, and in view of the problems above, this research explores the implementation of a VMM-based intrusion detection system. The VMM virtualizes the hardware interface and can run multiple operating system instances on a single instance of hardware. Because the VMM interposes between the operating system and the hardware, an intrusion detection system placed there is in the perfect position to monitor all operating system events for intrusions while residing in a separate protection domain. This approach allows us to isolate the IDS from the monitored host while still retaining excellent visibility into the host's state.

The VMM also offers the unique ability to completely mediate interactions between the host software and the underlying hardware. We present a detailed study of our architecture. As a result, both the isolation and the detection abilities of the intrusion detection system are strengthened. The new architecture provides good visibility into the state of the monitored host while still providing strong isolation and robustness for the IDS, thus lending significant resistance to both evasion and attack; it is a perfect combination of the two traditional kinds of intrusion detection system. The main work is as follows:

1. After the technical principles of the virtual machine monitor are analyzed in detail, the definition, characteristics and configuration of User-Mode Linux are introduced. A design scheme for a VMM-based intrusion detection system is then proposed, and all system modules and the implementation of their functions are described.

2. Based on an analysis of the implementation principles of system-call-sequence-based IDSs and a survey of current methods for gathering system call sequences, this paper uses the ptrace() function to gather the sequences of system call numbers issued by processes in the virtual machine, which serve as the intrusion detection data source.

3. The architecture's validity is proved through system testing. Moreover, a comparison of system resource usage against a normal computing system shows that the VMM-based intrusion detection system is feasible, although running the VMM consumes a share of system resources and the average execution time of a process is much longer than in the normal environment.

In a word, this paper describes a proposal to increase the security of computing systems using a virtual machine monitor. The basis of the proposal is to monitor the actions of processes in the virtual machine through an intrusion detection system external to the virtual machine. The data used in intrusion detection is obtained from the virtual machine monitor and analyzed by an IDS process on the underlying real machine. The detection system is inaccessible to virtual machine processes and cannot be subverted by intruders. It is proved that this proposal is reasonable and will contribute to improving the security of IDSs.
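The detection stage that consumes the ptrace()-gathered system call numbers, as an added illustration that is not code from the thesis: a sliding-window (n-gram) profile of normal system call sequences is built from training traces, and a new trace is flagged when too many of its windows are absent from the profile. The window size of 3, the 20% threshold and the sample traces are all assumptions; the sample numbers are constructed and follow the i386 system call table.

```python
"""Sliding-window system-call-sequence anomaly detection (added example)."""
from typing import Iterable

WINDOW = 3  # assumed n-gram length; the thesis does not state one

def build_profile(traces: Iterable[list[int]], window: int = WINDOW) -> set[tuple[int, ...]]:
    """Collect every length-`window` sequence observed in normal (training) traces."""
    profile: set[tuple[int, ...]] = set()
    for trace in traces:
        for i in range(len(trace) - window + 1):
            profile.add(tuple(trace[i:i + window]))
    return profile

def mismatch_rate(profile: set[tuple[int, ...]], trace: list[int],
                  window: int = WINDOW) -> float:
    """Fraction of windows in `trace` that never appeared in the normal profile."""
    total = len(trace) - window + 1
    if total <= 0:  # trace shorter than one window: nothing to judge
        return 0.0
    misses = sum(1 for i in range(total)
                 if tuple(trace[i:i + window]) not in profile)
    return misses / total

def is_anomalous(profile: set[tuple[int, ...]], trace: list[int],
                 threshold: float = 0.2, window: int = WINDOW) -> bool:
    """Raise an alert when the mismatch rate exceeds the assumed threshold."""
    return mismatch_rate(profile, trace, window) > threshold

# Constructed training traces of syscall numbers (i386: 5=open, 3=read, 4=write, 6=close)
NORMAL_TRACES = [
    [5, 3, 3, 4, 6],
    [5, 3, 4, 6],
    [5, 3, 3, 3, 4, 6],
]
# Constructed test traces: a benign variant, and one that inserts
# 11=execve and 102=socketcall in the middle of the usual pattern.
BENIGN_TRACE = [5, 3, 3, 3, 3, 4, 6]
SUSPICIOUS_TRACE = [5, 3, 3, 11, 102, 4, 6]

if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES)
    for name, trace in (("benign", BENIGN_TRACE), ("suspicious", SUSPICIOUS_TRACE)):
        print(f"{name}: mismatch={mismatch_rate(profile, trace):.2f} "
              f"alert={is_anomalous(profile, trace)}")
```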
Keywords/Search Tags:network security, intrusion detection, system call, virtual machine monitor