Design and Implementation of a Virtual Machine Introspection based Intrusion Detection System

I assure the single handed composition of this diploma thesis only supported by declared resources. Ich versichere, dass ich diese Diplomarbeit selbständig verfasst und nur die angegebe-nen Quellen und Hilfsmittel verwendet habe. Datum, Unterschrift 2 Intrusion Detection is a widespread topic in current security research. Common intrusion detection systems (IDSs) today are either host-based or network-based. Designers of both host-based and network-based IDSs have to trade a complete view over the monitored machine, the advantage of host-based IDSs, o against the system's tamper resistance, the advantage of network-based IDSs. The term virtual machine introspection (VMI) describes an approach of monitoring the state of a machine using virtualization techniques and analysing the state of the introspected machine from the hy-pervisor's point of view. VMI-based intrusion detection systems combine the advantages of both, host-based and network-based intrusion detection systems. This thesis describes the requirements, advantages and disadvantages of a VMI-based IDS. Further a proof-of-concept implementation of a VMI-based intrusion detection framework will be presented. The contribution of this thesis is a dynamic and modular framework, usable to detect malware. This framework integrates dierent VMI-based approaches discussed in this thesis. Furthermore, some example modules are implemented, used to accumulate, process and visualize the monitored machine's view. To verify the frameworks suitability for daily rootkit analysis, it will be shown that the framework and the proof-of-concept modules successfully detect real world rootkits using specialized detection modules. Finally, performance evaluation and further framework development will be discussed.