Evaluation of Intrusion Detection Systems in Virtualized Environments Using Attack Injection

  • Aleksandar MilenkoskiEmail author
  • Bryan D. Payne
  • Nuno Antunes
  • Marco Vieira
  • Samuel Kounev
  • Alberto Avritzer
  • Matthias Luft
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9404)


The evaluation of intrusion detection systems (IDSes) is an active research area with many open challenges, one of which is the generation of representative workloads that contain attacks. In this paper, we propose a novel approach for the rigorous evaluation of IDSes in virtualized environments, with a focus on IDSes designed to detect attacks leveraging or targeting the hypervisor via its hypercall interface. We present hInjector, a tool for generating IDS evaluation workloads by injecting such attacks during regular operation of a virtualized environment. We demonstrate the application of our approach and show its practical usefulness by evaluating a representative IDS designed to operate in virtualized environments. The virtualized environment of the industry-standard benchmark SPECvirt_sc2013 is used as a testbed, whose drivers generate workloads representative of workloads seen in production environments. This work enables for the first time the injection of attacks in virtualized environments for the purpose of generating representative IDS evaluation workloads.


Intrusion detection systems Virtualization Evaluation Attack injection 



This research has been supported by the Research Group of the Standard Performance Evaluation Corporation (SPEC;,


  1. 1.
    Rutkowska, J., Wojtczuk, R.: Xen Owning Trilogy: Part Two.
  2. 2.
    Wilhelm, F., Luft, M., Rey, E.: Compromise-as-a-Service.
  3. 3.
    Maiero, C., Miculan, M.: Unobservable intrusion detection based on call traces in paravirtualized systems. In: Proceedings of the International Conference on Security and Cryptography (2011)Google Scholar
  4. 4.
    Wu, J.Z., Ding, L., Wu, Y., Min-Allah, N., Khan, S.U., Wang, Y.: \({\rm C}^{\text{2 }}\)Detector: a covert channel detection framework in cloud computing. Secur. Commun. Netw. 7(3), 544–557 (2014)CrossRefGoogle Scholar
  5. 5.
    Milenkoski, A., Payne, B.D., Antunes, N., Vieira, M., Kounev, S.: Experience report: an analysis of hypercall handler vulnerabilities. In: Proceedings of the 25th IEEE International Symposium on Software Reliability Engineering. IEEE (2014)Google Scholar
  6. 6.
    Le, C.H.: Protecting Xen Hypercalls. Master’s thesis, UBC (2009)Google Scholar
  7. 7.
    Bharadwaja, S., Sun, W., Niamat, M., Shen, F.: A Xen hypervisor based collaborative intrusion detection system. In: Proceedings of the 8th International Conference on Information Technology, pp. 695–700. IEEE (2011)Google Scholar
  8. 8.
    Srivastava, A., Singh, K., Giffin, J.: Secure observation of kernel behavior (2008).
  9. 9.
    Wang, F., Chen, P., Mao, B., Xie, L.: RandHyp: preventing attacks via Xen hypercall interface. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.) SEC 2012. IFIP AICT, vol. 376, pp. 138–149. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  10. 10.
    Pham, C., Chen, D., Kalbarczyk, Z., Iyer, R.: CloudVal: a framework for validation of virtualization environment in cloud infrastructure. In: Proceedings of DSN 2011, pp. 189–196 (2011)Google Scholar
  11. 11.
    Le, M., Gallagher, A., Tamir, Y.: Challenges and opportunities with fault injection in virtualized systems. In: VPACT (2008)Google Scholar
  12. 12.
    Fonseca, J., Vieira, M., Madeira, H.: Evaluation of web security mechanisms using vulnerability and attack injection. IEEE Trans. Dependable Secure Comput. 11(5), 440–453 (2014)CrossRefGoogle Scholar
  13. 13.
    Axelsson, S.: The base-rate fallacy and its implications for the difficulty of intrusion detection. ACM Trans. Inf. Syst. Secur. 3(3), 186–205 (2000)CrossRefMathSciNetGoogle Scholar
  14. 14.
    Wagner, D., Soto, P.: Mimicry attacks on host-based intrusion detection systems. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 255–264 (2002)Google Scholar
  15. 15.
    Burtsev, A.: Deterministic systems analysis. Ph.D. thesis, University of Utah (2013)Google Scholar
  16. 16.
    Forrest, S., Hofmeyr, S., Somayaji, A., Longstaff, T.: A sense of self for Unix processes. In: IEEE Symposium on Security and Privacy, pp. 120–128, May 1996Google Scholar
  17. 17.
    Gaffney, J.E., Ulvila, J.W.: Evaluation of intrusion detectors: a decision theory approach. In: Proceedings of the 2001 IEEE Symposium on Security and Privacy, pp. 50–61 (2001)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Aleksandar Milenkoski
    • 1
    Email author
  • Bryan D. Payne
    • 2
  • Nuno Antunes
    • 3
  • Marco Vieira
    • 3
  • Samuel Kounev
    • 1
  • Alberto Avritzer
    • 4
  • Matthias Luft
    • 5
  1. 1.University of WürzburgWürzburgGermany
  2. 2.Netflix Inc.Los GatosUSA
  3. 3.University of CoimbraCoimbraPortugal
  4. 4.Siemens Corporation, Corporate TechnologyPrincetonUSA
  5. 5.Enno Rey Netzwerke GmbHHeidelbergGermany

Personalised recommendations