Abstract
Because prior work lacks detailed semantics, a transparent fine-grained monitoring technique (cMonitor) is proposed. Deployed outside the virtual machines, cMonitor uses the elevated privileges of the virtual machine monitor to monitor network connections, processes and the relationships between them in protected systems by reconstructing fine-grained system semantics. These semantics comprise process states and their corresponding network connections. Experimental results show that cMonitor not only can be rapidly deployed in a realistic cloud, but also can effectively and universally obtain these fine-grained semantics to assist in detecting some advanced network attacks. Meanwhile, the network performance overhead is about 3%, which is acceptable.
Additional information
Foundation item: Supported by the National Natural Science Foundation of China (61373169, 61103219, 61303213), the Program of National Development and Reform Commission ([2013] 1309), the Ph.D. Programs Foundation of Ministry of Education of China (20110141130006)
Biography: ZHANG Hao, male, Ph.D. candidate, research direction: security of virtualization.
About this article
Cite this article
Zhang, H., Zhao, L., Xu, L. et al. cMonitor: VMI-based fine-grained monitoring mechanism in cloud. Wuhan Univ. J. Nat. Sci. 19, 393–397 (2014). https://doi.org/10.1007/s11859-014-1030-4