Combining Virtual Machine Introspection with Network-Based Intrusion Detection Systems

Master's thesis

File: 245361.pdf (Fulltext, 4.2 MB, Adobe PDF)
Type: Master's thesis
Title: Combining Virtual Machine Introspection with Network-Based Intrusion Detection Systems
Authors: Gustafsson, Julia; Daftari, Mahboobeh
Abstract: An increasing number of systems are running as guest systems in virtual machines; for example, applications are moving to run in the cloud. As the number of cyber attacks is rising, there is a need for a more secure environment. Virtual machines have the advantage that it is possible to inspect the content of the guest systems, which is called virtual machine introspection. This thesis aims to investigate a new way of securing systems: combining virtual machine introspection and network-based intrusion detection systems. Network-based intrusion detection systems can inspect the content of the network packets going to all the systems in a network in real time, so they can quickly detect potential attacks. However, network-based intrusion detection systems have problems with false-positive alarms and with discovering zero-day exploits. By combining virtual machine introspection with a network-based intrusion detection system, the data from the virtual machine introspection could be used to provide more information about potential attacks and at the same time improve the network-based intrusion detection system. The goal of this thesis is to investigate how virtual machine introspection could be combined with network-based intrusion detection systems to produce a more secure system. By selecting an application and attacks to test, test cases were performed and data could be gathered from the two systems. The result showed that several of the attacks were fully detectable by virtual machine introspection. However, the data gathered from the network-based intrusion detection system showed that even if the network-based intrusion detection system could, in this case, detect the chosen attacks, it could not provide any details about the result of the attack. Hence, virtual machine introspection is a valuable extension to the network-based intrusion detection system.
However, a performance analysis of the virtual machine introspection platform was performed, which showed that it has several performance issues. Due to the performance of the platform, we recommend that a combined system should only be used under certain circumstances, such as when the network-based intrusion detection system raises an alert.
Keywords: Information & Communication Technology; Computer and Information Science
Issue Date: 2016
Publisher: Chalmers tekniska högskola / Institutionen för data- och informationsteknik (Chalmers University of Technology / Department of Computer Science and Engineering)
Collection: Master Theses
