A guest-transparent file integrity monitoring method in virtualization environment

Authors:
Hai Jin;Guofu Xiang;Deqing Zou;Feng Zhao;Min Li;Chen Yu
Affiliations:
Services Computing Technology and System Lab, Cluster and Grid Computing Lab, School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan, China;Services Computing Technology and System Lab, Cluster and Grid Computing Lab, School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan, China;Services Computing Technology and System Lab, Cluster and Grid Computing Lab, School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan, China;Services Computing Technology and System Lab, Cluster and Grid Computing Lab, School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan, China;Services Computing Technology and System Lab, Cluster and Grid Computing Lab, School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan, China;Services Computing Technology and System Lab, Cluster and Grid Computing Lab, School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan, China
Venue:
Computers & Mathematics with Applications
Year:
2010

Citing 22
Cited 0

The design and implementation of tripwire: a file system integrity checker

CCS '94 Proceedings of the 2nd ACM Conference on Computer and communications security
Xen and the art of virtualization

SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
FS: An In-Kernel Integrity Checker and Intrusion Detection File System

LISA '04 Proceedings of the 18th USENIX conference on System administration
The Architecture of Virtual Machines

Computer
Virtual Machine Monitors: Current Technology and Future Trends

Computer
Understanding The Linux Kernel

Understanding The Linux Kernel
A comparison of software and hardware techniques for x86 virtualization

Proceedings of the 12th international conference on Architectural support for programming languages and operating systems
A novel approach for a file-system integrity monitor tool of Xen virtual machine

ASIACCS '07 Proceedings of the 2nd ACM symposium on Information, computer and communications security
QEMU, a fast and portable dynamic translator

ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
Xen and the art of repeated research

ATEC '04 Proceedings of the annual conference on USENIX Annual Technical Conference
When virtual is harder than real: security challenges in virtual machine based computing environments

HOTOS'05 Proceedings of the 10th conference on Hot Topics in Operating Systems - Volume 10
Storage-based intrusion detection: watching storage activity for suspicious behavior

SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Collapsar: a VM-based architecture for network attack detention center

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Antfarm: tracking processes in a virtual machine environment

ATEC '06 Proceedings of the annual conference on USENIX '06 Annual Technical Conference
Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction

Proceedings of the 14th ACM conference on Computer and communications security
VMM-based hidden process detection and identification using Lycosid

Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
Lares: An Architecture for Secure Active Monitoring Using Virtualization

SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Ether: malware analysis via hardware virtualization extensions

Proceedings of the 15th ACM conference on Computer and communications security
Virtualization and Hardware-Based Security

IEEE Security and Privacy
Virtual Machine Introspection: Observation or Interference?

IEEE Security and Privacy
VMFence: a customized intrusion prevention system in distributed virtual computing environment

Proceedings of the 3rd International Conference on Ubiquitous Information Management and Communication
"Out-of-the-Box" monitoring of VM-based high-interaction honeypots

RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection

Quantified Score

Hi-index	0.10

Visualization

Abstract

The file system becomes the usual target of malicious attacks because it contains lots of sensitive data, such as executable programs, configuration and authorization information. File integrity monitoring is an effective approach to discover aggressive behavior by detecting modification actions on these sensitive files. Traditional real-time integrity monitoring tools, which insert hooks into the OS kernel, are easily controlled and disabled by malicious software. Such existing methods, which insert kernel module into OS, are hard to be compatible because of the diversity of OS. In this paper, we present a non-intrusive real-time file integrity monitoring method in virtual machine-based computing environment, which is transparent to the monitored system. The monitor is isolated from the monitored system, since it observes the state of the monitored system from the outside. This method brings two benefits: detecting file operations in real time and being invisible to malicious attackers in the monitored system. Furthermore, a kind of file classification algorithm based on file security level is proposed to improve efficiency in this paper. The proposed file integrity monitoring method is implemented in the full-virtualization mode supported by the Xen platform. The experimental results show that the method is effective with acceptable overhead.