Combining Virtual Machine Introspection with Network-Based Intrusion Detection Systems

Julia Gustafsson ; Mahboobeh Daftari
Göteborg: Chalmers tekniska högskola, 2016. 108 pp.
[Master's thesis]

An increasing number of systems are running as guest systems in virtual machines; for example, applications are increasingly run in the cloud. As the number of cyber attacks is rising, there is a need for a more secure environment. Virtual machines have the advantage that the content of the guest systems can be inspected from outside the guest, a technique called virtual machine introspection. This thesis aims to investigate a new way of securing systems: combining virtual machine introspection with network-based intrusion detection systems.

A network-based intrusion detection system can inspect the content of the network packets going to all the systems in a network in real time, so it can quickly detect potential attacks. However, network-based intrusion detection systems have problems with false-positive alarms and with discovering zero-day exploits. By combining virtual machine introspection with a network-based intrusion detection system, the data from the virtual machine introspection could be used to provide more information about potential attacks and to improve the network-based intrusion detection system at the same time. The goal of this thesis is to investigate how virtual machine introspection could be combined with network-based intrusion detection systems to produce a more secure system. By selecting an application and attacks to test, test cases were performed and data could be gathered from the two systems.

The result showed that several of the attacks were fully detectable by virtual machine introspection. However, the data gathered from the network-based intrusion detection system showed that even though the network-based intrusion detection system could, in this case, detect the chosen attacks, it could not provide any details about the result of the attack. Hence, virtual machine introspection is a valuable extension to the network-based intrusion detection system. However, a performance analysis of the virtual machine introspection platform was performed, which showed that it has several performance issues. Due to the performance of the platform, we recommend that a combined system should only be used under certain circumstances, such as when the network-based intrusion detection system raises an alert.
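The alert-triggered combination recommended above, as an added example that is not part of the thesis: introspection runs only when a NIDS alert names a monitored guest, and the guest-side process diff supplies the "result of the attack" that the alert alone cannot. The alert format, rule ids, VM names and process snapshots are all constructed sample data; a real deployment would replace `introspect()` with a call to the VMI platform.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed NIDS alerts in a simplified fast-log style (sample data, not thesis output).
NIDS_ALERTS = [
    "2016-03-01T10:00:05 [1:1000001:1] EXAMPLE SQL injection attempt 10.0.0.5:51234 -> 10.0.0.20:80",
    "2016-03-01T10:02:10 [1:1000002:1] EXAMPLE web shell upload 10.0.0.5:51240 -> 10.0.0.21:80",
    "2016-03-01T10:03:30 [1:1000003:1] EXAMPLE port scan 10.0.0.5:51250 -> 10.0.0.99:22",
]
ALERT_RE = re.compile(r"^(\S+) \[(\S+)\] (.+?) (\S+):\d+ -> (\S+):\d+$")

# Guests reachable by introspection, keyed by the address the NIDS sees (constructed).
VM_BY_IP = {"10.0.0.20": "web-vm-1", "10.0.0.21": "web-vm-2"}

# Constructed introspection snapshots: process names before the alert window and
# after the alert fired. Introspection is expensive, so it is only invoked for
# guests that an alert actually names (the thesis's recommendation).
VMI_SNAPSHOTS = {
    "web-vm-1": {"baseline": {"init", "apache2", "mysqld"}, "after": {"init", "apache2", "mysqld"}},
    "web-vm-2": {"baseline": {"init", "apache2"}, "after": {"init", "apache2", "sh", "nc"}},
}

@dataclass
class EnrichedAlert:
    timestamp: str
    rule: str
    target_ip: str
    vm: Optional[str]
    new_processes: FrozenSet[str]
    verdict: str

def introspect(vm: str) -> FrozenSet[str]:
    """Processes that appeared on the guest after the alert (stand-in for a VMI query)."""
    snap = VMI_SNAPSHOTS[vm]
    return frozenset(snap["after"] - snap["baseline"])

def enrich(alert_line: str) -> EnrichedAlert:
    """Parse one alert and, if its target is a monitored guest, attach the VMI finding."""
    m = ALERT_RE.match(alert_line)
    if not m:
        raise ValueError(f"unparsable alert: {alert_line!r}")
    ts, _sid, rule, _src, dst = m.groups()
    vm = VM_BY_IP.get(dst)
    if vm is None:  # no introspection possible: the NIDS alert is all we have
        return EnrichedAlert(ts, rule, dst, None, frozenset(), "unmonitored target: NIDS evidence only")
    new = introspect(vm)
    verdict = ("guest changed after alert: new processes " + ", ".join(sorted(new))) if new \
        else "no guest-side change observed"
    return EnrichedAlert(ts, rule, dst, vm, new, verdict)

def enrich_all(lines):
    return [enrich(line) for line in lines]

if __name__ == "__main__":
    for e in enrich_all(NIDS_ALERTS):
        print(f"{e.timestamp} {e.rule} -> {e.target_ip} ({e.vm or 'no VM'}): {e.verdict}")
```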

Keywords: network-based intrusion detection systems, virtual machine introspection, virtual machine, cloud security, cyber attacks, cloud computing

