{"id":2762,"date":"2017-09-08T04:45:07","date_gmt":"2017-09-08T04:45:07","guid":{"rendered":"https:\/\/www.ndss-symposium.org\/?page_id=2762"},"modified":"2024-03-07T09:48:11","modified_gmt":"2024-03-07T09:48:11","slug":"virtual-machine-introspection-based-architecture-intrusion-detection","status":"publish","type":"page","link":"https:\/\/www.ndss-symposium.org\/ndss2003\/virtual-machine-introspection-based-architecture-intrusion-detection\/","title":{"rendered":"A Virtual Machine Introspection Based Architecture for Intrusion Detection"},"content":{"rendered":"\n<p><strong>Tal Garfinkel and Mendel Rosenblum (Stanford University)<\/strong><\/p>\n\n\n\n<p>Today\u2019s architectures for intrusion detection force the IDS designer to make a difficult choice. If the IDS resides on the host, it has an excellent view of what is happening in that host\u2019s software, but is highly susceptible to attack. On the other hand, if the IDS resides in the network, it is more resistant to attack, but has a poor view of what is happening inside the host, making it more susceptible to evasion. In this paper we present an architecture that retains the visibility of a host-based IDS, but pulls the IDS outside of the host for greater attack resistance. We achieve this through the use of a virtual machine monitor. Using this approach allows us to isolate the IDS from the monitored host but still retain excellent visibility into the host\u2019s state. The VMM also offers us the unique ability to completely mediate interactions between the host software and the underlying hardware. We present a detailed study of our architecture, including Livewire, a prototype implementation. 
We demonstrate Livewire by implementing a suite of simple intrusion detection policies and using them to detect real attacks.<\/p>\n\n\n\n<div class=\"wp-block-buttons is-layout-flex wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link has-white-color has-text-color has-link-color wp-element-button\" href=\"https:\/\/www.ndss-symposium.org\/wp-content\/uploads\/2017\/09\/A-Virtual-Machine-Introspection-Based-Architecture-for-Intrusion-Detection-Tal-Garfinkel.pdf\">Paper<\/a><\/div>\n<\/div>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><strong>Date: <\/strong>6 Feb 2003<\/p>\n\n\n\n<p><strong>Associated Event: <\/strong><a href=\"http:\/\/www.ndss-symposium.org\/ndss2003\">NDSS Symposium 2003<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Tal Garfinkel and Mendel Rosenblum (Stanford University) Today\u2019s architectures for intrusion detection force the IDS designer to make a difficult choice. If the IDS resides on the host, it has an excellent view of what is happening in that host\u2019s software, but is highly susceptible to attack. 
On the other hand, if the IDS resides &hellip; <a href=\"https:\/\/www.ndss-symposium.org\/ndss2003\/virtual-machine-introspection-based-architecture-intrusion-detection\/\">Continued<\/a><\/p>\n","protected":false},"author":237,"featured_media":0,"parent":1252,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"advgb_blocks_editor_width":"","advgb_blocks_columns_visual_guide":"","footnotes":""},"categories":[],"tags":[97],"class_list":["post-2762","page","type-page","status-publish","hentry","tag-ndss-2003-papers"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.0 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>A Virtual Machine Introspection Based Architecture for Intrusion Detection - NDSS Symposium<\/title>\n<meta name=\"description\" content=\"This paper introduces the use of VMI for cybersecurity and opens the floodgates on a tremendous amount of research and derivative tools.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.ndss-symposium.org\/ndss2003\/virtual-machine-introspection-based-architecture-intrusion-detection\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"A Virtual Machine Introspection Based Architecture for Intrusion Detection - NDSS Symposium\" \/>\n<meta property=\"og:description\" content=\"This paper introduces the use of VMI for cybersecurity and opens the floodgates on a tremendous amount of research and derivative tools.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.ndss-symposium.org\/ndss2003\/virtual-machine-introspection-based-architecture-intrusion-detection\/\" \/>\n<meta property=\"og:site_name\" content=\"NDSS Symposium\" \/>\n<meta property=\"article:publisher\" 
content=\"https:\/\/www.facebook.com\/NDSSSymposium\/\" \/>\n<meta property=\"article:modified_time\" content=\"2024-03-07T09:48:11+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.ndss-symposium.org\/wp-content\/uploads\/NDSS_Logo_RGB.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"815\" \/>\n\t<meta property=\"og:image:height\" content=\"345\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@NDSSSymposium\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.ndss-symposium.org\/ndss2003\/virtual-machine-introspection-based-architecture-intrusion-detection\/\",\"url\":\"https:\/\/www.ndss-symposium.org\/ndss2003\/virtual-machine-introspection-based-architecture-intrusion-detection\/\",\"name\":\"A Virtual Machine Introspection Based Architecture for Intrusion Detection - NDSS Symposium\",\"isPartOf\":{\"@id\":\"https:\/\/www.ndss-symposium.org\/#website\"},\"datePublished\":\"2017-09-08T04:45:07+00:00\",\"dateModified\":\"2024-03-07T09:48:11+00:00\",\"description\":\"This paper introduces the use of VMI for cybersecurity and opens the floodgates on a tremendous amount of research and derivative 
tools.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.ndss-symposium.org\/ndss2003\/virtual-machine-introspection-based-architecture-intrusion-detection\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.ndss-symposium.org\/ndss2003\/virtual-machine-introspection-based-architecture-intrusion-detection\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.ndss-symposium.org\/ndss2003\/virtual-machine-introspection-based-architecture-intrusion-detection\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.ndss-symposium.org\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"NDSS Symposium 2003\",\"item\":\"https:\/\/www.ndss-symposium.org\/ndss2003\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"A Virtual Machine Introspection Based Architecture for Intrusion Detection\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.ndss-symposium.org\/#website\",\"url\":\"https:\/\/www.ndss-symposium.org\/\",\"name\":\"NDSS Symposium\",\"description\":\"The Network and Distributed System Security (NDSS) Symposium\",\"publisher\":{\"@id\":\"https:\/\/www.ndss-symposium.org\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.ndss-symposium.org\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.ndss-symposium.org\/#organization\",\"name\":\"NDSS 
Symposium\",\"url\":\"https:\/\/www.ndss-symposium.org\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.ndss-symposium.org\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.ndss-symposium.org\/wp-content\/uploads\/NDSS_Logo_RGB.jpg\",\"contentUrl\":\"https:\/\/www.ndss-symposium.org\/wp-content\/uploads\/NDSS_Logo_RGB.jpg\",\"width\":815,\"height\":345,\"caption\":\"NDSS Symposium\"},\"image\":{\"@id\":\"https:\/\/www.ndss-symposium.org\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/NDSSSymposium\/\",\"https:\/\/x.com\/NDSSSymposium\",\"https:\/\/www.linkedin.com\/company\/network-and-distributed-system-symposium-ndss-\/\",\"https:\/\/www.youtube.com\/ndsssymposium\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","coauthors":[],"author_meta":{"author_link":"https:\/\/www.ndss-symposium.org\/author\/strinekatrbovic\/","display_name":"Ivana Trbovic"},"relative_dates":{"created":"Posted 8 years ago","modified":"Updated 2 years ago"},"absolute_dates":{"created":"Posted on 8 September 2017","modified":"Updated on 7 March 2024"},"absolute_dates_time":{"created":"Posted on 8 September 2017 4:45 am","modified":"Updated on 7 March 2024 9:48
am"},"featured_img_caption":"","featured_img":false,"series_order":"","_links":{"self":[{"href":"https:\/\/www.ndss-symposium.org\/wp-json\/wp\/v2\/pages\/2762","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ndss-symposium.org\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.ndss-symposium.org\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.ndss-symposium.org\/wp-json\/wp\/v2\/users\/237"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ndss-symposium.org\/wp-json\/wp\/v2\/comments?post=2762"}],"version-history":[{"count":0,"href":"https:\/\/www.ndss-symposium.org\/wp-json\/wp\/v2\/pages\/2762\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/www.ndss-symposium.org\/wp-json\/wp\/v2\/pages\/1252"}],"wp:attachment":[{"href":"https:\/\/www.ndss-symposium.org\/wp-json\/wp\/v2\/media?parent=2762"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ndss-symposium.org\/wp-json\/wp\/v2\/categories?post=2762"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ndss-symposium.org\/wp-json\/wp\/v2\/tags?post=2762"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}