Lightweight Intrusion Detection of Rootkit with VMI-Based Driver Separation Mechanism

• Chaoyuan Cui,
• Yun Wu,
• Yonggang Li,
• Bingyu Sun,

Vol. 11, No. 3, March 30, 2017
10.3837/tiis.2017.03.026, Download Paper (Free):

• lightweight intrusion detection
• introspection
• semantic gap
• driver separation mechanism
• Portability

Abstract

Intrusion detection techniques based on virtual machine introspection (VMI) provide high temper-resistance in comparison with traditional in-host anti-virus tools. However, the presence of semantic gap also leads to the performance and compatibility problems. In order to map raw bits of hardware to meaningful information of virtual machine, detailed knowledge of different guest OS is required. In this work, we present VDSM, a lightweight and general approach based on driver separation mechanism: divide semantic view reconstruction into online driver of view generation and offline driver of semantics extraction. We have developed a prototype of VDSM and used it to do intrusion detection on 13 operation systems. The evaluation results show VDSM is effective and practical with a small performance overhead.

Statistics

Cite this article