Forensic virtual machines: Dynamic defence in the cloud via introspection

Adrian L. Shaw; Behzad Bordbar; John Saxon; Keith Harrison; Chris I. Dalton

doi:10.1109/IC2E.2014.59

Forensic virtual machines: Dynamic defence in the cloud via introspection

Adrian L. Shaw^*, Behzad Bordbar, John Saxon, Keith Harrison, Chris I. Dalton

^*Corresponding author for this work

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

14 Citations (Scopus)

Abstract

The Cloud attempts to provide its users with automatically scalable platforms to host many applications and operating systems. To allow for quick deployment, they are often homogenised to a few images, restricting the variations used within the Cloud. An exploitable vulnerability stored within an image means that each instance will suffer from it and as a result, an attacker can be sure of a high pay-off for their time. This makes the Cloud a prime target for malicious activities. There is a clear requirement to develop an automated and computationally-inexpensive method of discovering malicious behaviour as soon as it starts, such that remedial action can be adopted before substantial damage is caused. In this paper we propose the use of Mini-OS, a virtualised operating system that uses minimal resources on the Xen virtualisation platform, for analysing the memory space of other guest virtual machines. These detectors, which we call Forensic Virtual Machines (FVMs), are lightweight such that they are inherently computationally cheap to run. Such a small footprint allows the physical host to run numerous instances to find symptoms of malicious behaviour whilst potentially limiting attack vectors. We describe our experience of developing FVMs and how they can be used to complement existing methods to combat malware. We also evaluate them in terms of performance and the resources that they require.

Original language	English
Title of host publication	Proceedings - 2014 IEEE International Conference on Cloud Engineering, IC2E 2014
Publisher	Institute of Electrical and Electronics Engineers (IEEE)
Pages	303-310
Number of pages	8
ISBN (Print)	9781479937660
DOIs	https://doi.org/10.1109/IC2E.2014.59
Publication status	Published - 18 Sept 2014
Event	2nd IEEE International Conference on Cloud Engineering, IC2E 2014 - Boston, United States Duration: 10 Mar 2014 → 14 Mar 2014

Conference

Conference	2nd IEEE International Conference on Cloud Engineering, IC2E 2014
Country/Territory	United States
City	Boston
Period	10/03/14 → 14/03/14

Keywords

cloud computing
forensics
introspection
intrusion detection
monitoring
security
virtual machine
virtualization
Xen

ASJC Scopus subject areas

Software

Access to Document

10.1109/IC2E.2014.59

Cite this

@inproceedings{2bed7297071d4c0887ded5114f314f74,

title = "Forensic virtual machines: Dynamic defence in the cloud via introspection",

abstract = "The Cloud attempts to provide its users with automatically scalable platforms to host many applications and operating systems. To allow for quick deployment, they are often homogenised to a few images, restricting the variations used within the Cloud. An exploitable vulnerability stored within an image means that each instance will suffer from it and as a result, an attacker can be sure of a high pay-off for their time. This makes the Cloud a prime target for malicious activities. There is a clear requirement to develop an automated and computationally-inexpensive method of discovering malicious behaviour as soon as it starts, such that remedial action can be adopted before substantial damage is caused. In this paper we propose the use of Mini-OS, a virtualised operating system that uses minimal resources on the Xen virtualisation platform, for analysing the memory space of other guest virtual machines. These detectors, which we call Forensic Virtual Machines (FVMs), are lightweight such that they are inherently computationally cheap to run. Such a small footprint allows the physical host to run numerous instances to find symptoms of malicious behaviour whilst potentially limiting attack vectors. We describe our experience of developing FVMs and how they can be used to complement existing methods to combat malware. We also evaluate them in terms of performance and the resources that they require.",

keywords = "cloud computing, forensics, introspection, intrusion detection, monitoring, security, virtual machine, virtualization, Xen",

author = "Shaw, {Adrian L.} and Behzad Bordbar and John Saxon and Keith Harrison and Dalton, {Chris I.}",

year = "2014",

month = sep,

day = "18",

doi = "10.1109/IC2E.2014.59",

language = "English",

isbn = "9781479937660",

pages = "303--310",

booktitle = "Proceedings - 2014 IEEE International Conference on Cloud Engineering, IC2E 2014",

publisher = "Institute of Electrical and Electronics Engineers (IEEE)",

note = "2nd IEEE International Conference on Cloud Engineering, IC2E 2014 ; Conference date: 10-03-2014 Through 14-03-2014",

}

Shaw, AL, Bordbar, B, Saxon, J, Harrison, K & Dalton, CI 2014, Forensic virtual machines: Dynamic defence in the cloud via introspection. in Proceedings - 2014 IEEE International Conference on Cloud Engineering, IC2E 2014., 6903487, Institute of Electrical and Electronics Engineers (IEEE), pp. 303-310, 2nd IEEE International Conference on Cloud Engineering, IC2E 2014, Boston, United States, 10/03/14. https://doi.org/10.1109/IC2E.2014.59

Forensic virtual machines: Dynamic defence in the cloud via introspection. / Shaw, Adrian L.; Bordbar, Behzad; Saxon, John et al.
Proceedings - 2014 IEEE International Conference on Cloud Engineering, IC2E 2014. Institute of Electrical and Electronics Engineers (IEEE), 2014. p. 303-310 6903487.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Forensic virtual machines

T2 - 2nd IEEE International Conference on Cloud Engineering, IC2E 2014

AU - Shaw, Adrian L.

AU - Bordbar, Behzad

AU - Saxon, John

AU - Harrison, Keith

AU - Dalton, Chris I.

PY - 2014/9/18

Y1 - 2014/9/18

N2 - The Cloud attempts to provide its users with automatically scalable platforms to host many applications and operating systems. To allow for quick deployment, they are often homogenised to a few images, restricting the variations used within the Cloud. An exploitable vulnerability stored within an image means that each instance will suffer from it and as a result, an attacker can be sure of a high pay-off for their time. This makes the Cloud a prime target for malicious activities. There is a clear requirement to develop an automated and computationally-inexpensive method of discovering malicious behaviour as soon as it starts, such that remedial action can be adopted before substantial damage is caused. In this paper we propose the use of Mini-OS, a virtualised operating system that uses minimal resources on the Xen virtualisation platform, for analysing the memory space of other guest virtual machines. These detectors, which we call Forensic Virtual Machines (FVMs), are lightweight such that they are inherently computationally cheap to run. Such a small footprint allows the physical host to run numerous instances to find symptoms of malicious behaviour whilst potentially limiting attack vectors. We describe our experience of developing FVMs and how they can be used to complement existing methods to combat malware. We also evaluate them in terms of performance and the resources that they require.

AB - The Cloud attempts to provide its users with automatically scalable platforms to host many applications and operating systems. To allow for quick deployment, they are often homogenised to a few images, restricting the variations used within the Cloud. An exploitable vulnerability stored within an image means that each instance will suffer from it and as a result, an attacker can be sure of a high pay-off for their time. This makes the Cloud a prime target for malicious activities. There is a clear requirement to develop an automated and computationally-inexpensive method of discovering malicious behaviour as soon as it starts, such that remedial action can be adopted before substantial damage is caused. In this paper we propose the use of Mini-OS, a virtualised operating system that uses minimal resources on the Xen virtualisation platform, for analysing the memory space of other guest virtual machines. These detectors, which we call Forensic Virtual Machines (FVMs), are lightweight such that they are inherently computationally cheap to run. Such a small footprint allows the physical host to run numerous instances to find symptoms of malicious behaviour whilst potentially limiting attack vectors. We describe our experience of developing FVMs and how they can be used to complement existing methods to combat malware. We also evaluate them in terms of performance and the resources that they require.

KW - cloud computing

KW - forensics

KW - introspection

KW - intrusion detection

KW - monitoring

KW - security

KW - virtual machine

KW - virtualization

KW - Xen

UR - http://www.scopus.com/inward/record.url?scp=84908565987&partnerID=8YFLogxK

U2 - 10.1109/IC2E.2014.59

DO - 10.1109/IC2E.2014.59

M3 - Conference contribution

AN - SCOPUS:84908565987

SN - 9781479937660

SP - 303

EP - 310

BT - Proceedings - 2014 IEEE International Conference on Cloud Engineering, IC2E 2014

PB - Institute of Electrical and Electronics Engineers (IEEE)

Y2 - 10 March 2014 through 14 March 2014

ER -

Forensic virtual machines: Dynamic defence in the cloud via introspection

Abstract

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this