Reference:
In Proceedings of the Internet Society's 2003 Symposium on Network and Distributed System Security.
Abstract:
Today's architectures for intrusion detection force the IDS designer to make a difficult choice. If the IDS resides on the host, it has an excellent view of what is happening in that host's software, but it is highly susceptible to attack. If the IDS instead resides in the network, it is more resistant to attack, but it has a poor view of what is happening inside the host, which makes it more susceptible to evasion. In this paper we present an architecture that retains the visibility of a host-based IDS but pulls the IDS outside of the host for greater attack resistance. We achieve this through the use of a virtual machine monitor (VMM). This approach lets us isolate the IDS from the monitored host while still retaining excellent visibility into the host's state. The VMM also gives us the unique ability to completely mediate interactions between the host software and the underlying hardware. We present a detailed study of our architecture, including Livewire, a prototype implementation. We demonstrate Livewire by implementing a suite of simple intrusion detection policies and using them to detect real attacks.
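The architecture the abstract describes rests on two properties of the VMM: the IDS reads the guest's raw state directly instead of asking the (possibly compromised) guest kernel, and every hardware interaction passes through the monitor, where policy can be checked before it takes effect. The following toy model, added here as an illustration and not code from the paper or from Livewire, shows both. Guest memory is a constructed Python object, the "in-guest" process listing stands in for a tool running inside the host whose kernel may filter entries, and the `VMM` class with its `guest_device_write`, `check_kernel_integrity` and `run_policies` methods is an assumed interface, not Livewire's API. The three policies (a cross-view comparison of process tables, a kernel text checksum, and a check on a NIC register write) are plausible examples of the "simple intrusion detection policies" the abstract mentions, chosen by the editor rather than taken from the paper.

```python
"""Toy model of VMM-based intrusion detection (virtual machine introspection).

Everything here is constructed for illustration: guest memory is a dataclass,
the VMM is a Python class, and the policies are the editor's own examples.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Process:
    pid: int
    name: str
    hidden: bool = False  # set when a compromised guest kernel suppresses the entry


@dataclass
class GuestMemory:
    """Raw guest memory as seen from outside the virtual machine (constructed)."""
    kernel_text: bytes
    processes: list = field(default_factory=list)
    nic_promisc: bool = False


def in_guest_ps(mem):
    """The view a tool inside the guest gets: it asks the guest kernel, which
    may omit entries. This is all a host-based IDS would see."""
    return sorted(p.pid for p in mem.processes if not p.hidden)


def vmm_walk_process_table(mem):
    """The view the IDS outside the guest gets: it walks the raw process table
    through the VMM and sees every entry regardless of what the kernel reports."""
    return sorted(p.pid for p in mem.processes)


def lie_detector(mem):
    """Cross-view policy: PIDs present in raw memory but absent from the
    in-guest listing indicate the guest kernel is not telling the truth."""
    return sorted(set(vmm_walk_process_table(mem)) - set(in_guest_ps(mem)))


class VMM:
    """Assumed monitor interface: holds guest memory, interposes on device
    access, and runs the IDS policies from outside the guest."""

    def __init__(self, mem):
        self.mem = mem
        self.alerts = []
        # Baseline taken at boot, before any untrusted code runs in the guest.
        self.baseline = hashlib.sha256(mem.kernel_text).hexdigest()

    def guest_device_write(self, device, register, value):
        """Every hardware interaction is mediated by the VMM, so a policy can
        inspect it before it takes effect (here: a NIC promiscuous-mode request)."""
        if device == "nic" and register == "promisc":
            if value:
                self.alerts.append("nic: promiscuous mode requested")
            self.mem.nic_promisc = bool(value)
        return value

    def check_kernel_integrity(self):
        """Integrity policy: recompute the kernel text hash from raw memory."""
        current = hashlib.sha256(self.mem.kernel_text).hexdigest()
        if current != self.baseline:
            self.alerts.append("kernel text modified")
            return False
        return True

    def run_policies(self):
        """Run the introspection policies and return all alerts raised so far."""
        hidden = lie_detector(self.mem)
        if hidden:
            self.alerts.append(f"hidden processes: {hidden}")
        self.check_kernel_integrity()
        return list(self.alerts)


def demo():
    """Constructed scenario: a clean guest, then three changes the outside IDS
    catches even though the guest's own tools would report nothing unusual."""
    mem = GuestMemory(kernel_text=b"clean kernel text",
                      processes=[Process(1, "init"), Process(42, "sshd")])
    vmm = VMM(mem)
    assert vmm.run_policies() == []          # clean baseline raises no alerts
    mem.processes.append(Process(1337, "unlisted", hidden=True))  # kernel hides it
    mem.kernel_text = b"patched kernel text"                      # kernel text altered
    vmm.guest_device_write("nic", "promisc", 1)                   # mediated device write
    return vmm.run_policies()


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The `in_guest_ps` and `vmm_walk_process_table` pair is the heart of the argument: a host-resident IDS can only obtain the first view, while an IDS placed outside the virtual machine obtains the second without depending on anything inside the guest. A real implementation would have to reconstruct the guest's kernel data structures from raw memory and synchronise with the VMM's own event stream, which the toy model glosses over.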