Skip to main content

Evaluation of Intrusion Detection Systems in Virtualized Environments Using Attack Injection

Part of the Lecture Notes in Computer Science book series (LNSC,volume 9404)


The evaluation of intrusion detection systems (IDSes) is an active research area with many open challenges, one of which is the generation of representative workloads that contain attacks. In this paper, we propose a novel approach for the rigorous evaluation of IDSes in virtualized environments, with a focus on IDSes designed to detect attacks leveraging or targeting the hypervisor via its hypercall interface. We present hInjector, a tool for generating IDS evaluation workloads by injecting such attacks during regular operation of a virtualized environment. We demonstrate the application of our approach and show its practical usefulness by evaluating a representative IDS designed to operate in virtualized environments. The virtualized environment of the industry-standard benchmark SPECvirt_sc2013 is used as a testbed, whose drivers generate workloads representative of workloads seen in production environments. This work enables for the first time the injection of attacks in virtualized environments for the purpose of generating representative IDS evaluation workloads.


  • Intrusion detection systems
  • Virtualization
  • Evaluation
  • Attack injection

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-319-26362-5_22
  • Chapter length: 22 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
USD   84.99
Price excludes VAT (USA)
  • ISBN: 978-3-319-26362-5
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   109.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.
Fig. 5.
Fig. 6.
Fig. 7.
Fig. 8.
Fig. 9.


  1. 1.; OSSEC can be configured to analyze in real-time log files that contain information on executed hypercalls.

  2. 2.

  3. 3.

    This raises the question whether hypercall activities are repeatable. We discuss this topic in Sect. 3.2.

  4. 4.

    We developed proof-of-concept code based on reverse-engineering the released patches fixing the considered vulnerabilities.

  5. 5.

  6. 6.

    We did not use any other virtualization mode because of a technical limitation; that is, the xentrace tool, which we use to capture benign hypercall activities in files for processing off-line, currently supports only full paravirtualization. However, support for other virtualization modes is currently being implemented.

  7. 7.

    An overview of the software and hardware requirements for deploying and running SPECvirt_sc2013 is available at

  8. 8.

    In addition, we repeated the testing phase over 30 times observing that the obtained metric values negligibly differ from those we present here. This is primarily because of the high repeatability of hypercall activities and it indicates that only a small number of repetitions is needed to calculate statistically accurate metric values.


  1. Rutkowska, J., Wojtczuk, R.: Xen Owning Trilogy: Part Two.

  2. Wilhelm, F., Luft, M., Rey, E.: Compromise-as-a-Service.

  3. Maiero, C., Miculan, M.: Unobservable intrusion detection based on call traces in paravirtualized systems. In: Proceedings of the International Conference on Security and Cryptography (2011)

    Google Scholar 

  4. Wu, J.Z., Ding, L., Wu, Y., Min-Allah, N., Khan, S.U., Wang, Y.: \({\rm C}^{\text{2 }}\)Detector: a covert channel detection framework in cloud computing. Secur. Commun. Netw. 7(3), 544–557 (2014)

    CrossRef  Google Scholar 

  5. Milenkoski, A., Payne, B.D., Antunes, N., Vieira, M., Kounev, S.: Experience report: an analysis of hypercall handler vulnerabilities. In: Proceedings of the 25th IEEE International Symposium on Software Reliability Engineering. IEEE (2014)

    Google Scholar 

  6. Le, C.H.: Protecting Xen Hypercalls. Master’s thesis, UBC (2009)

    Google Scholar 

  7. Bharadwaja, S., Sun, W., Niamat, M., Shen, F.: A Xen hypervisor based collaborative intrusion detection system. In: Proceedings of the 8th International Conference on Information Technology, pp. 695–700. IEEE (2011)

    Google Scholar 

  8. Srivastava, A., Singh, K., Giffin, J.: Secure observation of kernel behavior (2008).

  9. Wang, F., Chen, P., Mao, B., Xie, L.: RandHyp: preventing attacks via Xen hypercall interface. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.) SEC 2012. IFIP AICT, vol. 376, pp. 138–149. Springer, Heidelberg (2012)

    CrossRef  Google Scholar 

  10. Pham, C., Chen, D., Kalbarczyk, Z., Iyer, R.: CloudVal: a framework for validation of virtualization environment in cloud infrastructure. In: Proceedings of DSN 2011, pp. 189–196 (2011)

    Google Scholar 

  11. Le, M., Gallagher, A., Tamir, Y.: Challenges and opportunities with fault injection in virtualized systems. In: VPACT (2008)

    Google Scholar 

  12. Fonseca, J., Vieira, M., Madeira, H.: Evaluation of web security mechanisms using vulnerability and attack injection. IEEE Trans. Dependable Secure Comput. 11(5), 440–453 (2014)

    CrossRef  Google Scholar 

  13. Axelsson, S.: The base-rate fallacy and its implications for the difficulty of intrusion detection. ACM Trans. Inf. Syst. Secur. 3(3), 186–205 (2000)

    CrossRef  MathSciNet  Google Scholar 

  14. Wagner, D., Soto, P.: Mimicry attacks on host-based intrusion detection systems. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 255–264 (2002)

    Google Scholar 

  15. Burtsev, A.: Deterministic systems analysis. Ph.D. thesis, University of Utah (2013)

    Google Scholar 

  16. Forrest, S., Hofmeyr, S., Somayaji, A., Longstaff, T.: A sense of self for Unix processes. In: IEEE Symposium on Security and Privacy, pp. 120–128, May 1996

    Google Scholar 

  17. Gaffney, J.E., Ulvila, J.W.: Evaluation of intrusion detectors: a decision theory approach. In: Proceedings of the 2001 IEEE Symposium on Security and Privacy, pp. 50–61 (2001)

    Google Scholar 

Download references


This research has been supported by the Research Group of the Standard Performance Evaluation Corporation (SPEC;,

Author information

Authors and Affiliations


Corresponding author

Correspondence to Aleksandar Milenkoski .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Milenkoski, A. et al. (2015). Evaluation of Intrusion Detection Systems in Virtualized Environments Using Attack Injection. In: Bos, H., Monrose, F., Blanc, G. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2015. Lecture Notes in Computer Science(), vol 9404. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26361-8

  • Online ISBN: 978-3-319-26362-5

  • eBook Packages: Computer ScienceComputer Science (R0)