Micha Moffie
Northeastern University
Publications
Featured research published by Micha Moffie.
Operating Systems Review | 2011
Fatemeh Azmandian; Micha Moffie; Malak Alshawabkeh; Jennifer G. Dy; Javed A. Aslam; David R. Kaeli
As virtualization technology gains in popularity, so do attempts to compromise the security and integrity of virtualized computing resources. Anti-virus software and firewall programs are typically deployed in the guest virtual machine to detect malicious software. These security measures are effective in detecting known malware, but do little to protect against new variants of intrusions. Intrusion detection systems (IDSs) can be used to detect malicious behavior. Most intrusion detection systems for virtual execution environments track behavior at the application or operating system level, using virtualization as a means to isolate themselves from a compromised virtual machine. In this paper, we present a novel approach to intrusion detection of virtual server environments which utilizes only information available from the perspective of the virtual machine monitor (VMM). Such an IDS can harness the ability of the VMM to isolate and manage several virtual machines (VMs), making it possible to provide monitoring of intrusions at a common level across VMs. It also offers unique advantages over recent advances in intrusion detection for virtual machine environments. By working purely at the VMM-level, the IDS does not depend on structures or abstractions visible to the OS (e.g., file systems), which are susceptible to attacks and can be modified by malware to contain corrupted information (e.g., the Windows registry). In addition, being situated within the VMM provides ease of deployment as the IDS is not tied to a specific OS and can be deployed transparently below different operating systems. Due to the semantic gap between the information available to the VMM and the actual application behavior, we employ the power of data mining techniques to extract useful nuggets of knowledge from the raw, low-level architectural data.
We show in this paper that by working entirely at the VMM-level, we are able to capture enough information to characterize normal executions and identify the presence of abnormal malicious behavior. Our experiments on over 300 real-world malware and exploits illustrate that there is sufficient information embedded within the VMM-level data to allow accurate detection of malicious attacks, with an acceptable false alarm rate.
ACM Sigarch Computer Architecture News | 2005
Derek Uluski; Micha Moffie; David R. Kaeli
Despite the pervasive use of anti-virus (AV) software, there has not been a systematic study of the characteristics of the execution of this workload. In this paper we present a characterization of four commonly used anti-virus software packages. Using the Virtutech Simics toolset, we profile the behavior of four popular anti-virus packages as run on an Intel Pentium IV platform running Microsoft Windows XP. In our study, we focus on the overhead introduced by the anti-virus software during on-access execution. The overhead associated with anti-virus execution can dominate overall performance. The AV-Test group has already reported that this overhead can range from 23-129% on live systems running on-access experiments [3]. The performance impact of the anti-virus execution is clearly an important issue, and we present the first quantitative study of the characteristics of this workload. Our study includes the impact of both operating system execution and system call execution.
Architectural Support for Programming Languages and Operating Systems | 2006
Micha Moffie; Winnie Cheng; David R. Kaeli; Qin Zhao
HTH (Hunting Trojan Horses) is a security framework developed for detecting difficult types of intrusions. HTH is intended as a complement to anti-virus software in that it targets unknown and zero-day Trojan Horses and Backdoors. In order to accurately identify these types of attacks, HTH utilizes runtime information available during execution. The information collected includes fine-grained information flow, program execution flow and resources used. In this paper we present Harrier, an Application Security Monitor at the heart of our HTH framework. Harrier is an efficient run-time monitor that dynamically collects execution-related data. Harrier is capable of collecting information across different abstraction levels including architectural, system and library APIs. To date, Harrier is 3-4 times faster than comparable information flow tracking systems. Using the collected information, Harrier allows for accurate identification of abnormal program behavior. Preliminary results show a good detection rate with a low rate of false positives.
Modeling, Analysis, and Simulation on Computer and Telecommunication Systems | 2011
Fatemeh Azmandian; Micha Moffie; Jennifer G. Dy; Javed A. Aslam; David R. Kaeli
Virtualization technology has many attractive qualities including improved security, reliability, scalability, and resource sharing/management. As a result, virtualization has been deployed on an array of platforms, from mobile devices to high-end enterprise servers. In this paper, we present a novel approach to working at a virtualization interface, performing workload characterization equipped with the information available at the virtual machine monitor (VMM) interface. Due to the semantic gap between the raw VMM-level data available and the true application behavior, we employ the power of regression techniques to extract meaningful information about a workload's behavior. We also demonstrate that the information available at the VMM level still retains rich workload characteristics that can be used to identify application behavior. We show that we are able to capture enough information about a workload to characterize and decompose it into a combination of CPU, memory, disk I/O, and network I/O-intensive components. Dissecting the behavior of a workload in terms of these components, we can develop significant insight into the behavior of any application. Workload characterization can be used for online performance monitoring, workload scheduling, workload trending, virtual machine (VM) health monitoring, and security analysis. We can also consider how VMM-based workload profiles can be used to detect anomalous behavior in virtualized environments by comparing a model of potentially malicious execution to that of normal execution.
Symposium on Computer Architecture and High Performance Computing | 2007
Diego Rivera; Dana Schaa; Micha Moffie; David R. Kaeli
In this paper, we propose two low-cost and novel branch history buffer handling schemes aiming at skewing the branch prediction accuracy in favor of a real-time thread for a soft real-time embedded multithreaded processor. The processor core accommodates two running threads, one with the highest priority and the other a background thread, and both threads share the branch predictor. The first scheme uses a 3-bit branch history buffer in which the highest priority thread uses the most significant 2 bits to change the prediction state while the background thread uses only the least significant 2 bits. The second scheme uses the shared 2-bit branch history buffer that implements integer updates for the highest priority thread but fractional updates for the background thread in order to achieve relatively higher prediction accuracy in the highest priority thread. The low cost nature of these two schemes, particularly the second scheme, makes them attractive with moderate improvement in the performance of the highest priority thread.

Multi-dimensional imaging techniques involve the processing of high resolution images commonly used in medical, civil and remote-sensing applications. A barrier commonly encountered in this class of applications is the time required to carry out repetitive operations on large matrices. Partitioning these large datasets can help improve performance, and lends the data to more efficient parallel execution. In this paper we describe our experience exploring two novel parallelization technologies: 1) a graphical processor unit (GPU)-based approach which utilizes 128 cores on a single GPU accelerator card, and 2) a middleware approach for semi-automatic parallelization on a cluster of multiple multi-core processors. We investigate these two platforms and describe their strengths and limitations. In addition, we provide some guidance to the programmer on which platform to use when porting multi-dimensional imaging applications. Using a 3-D application taken from a clinical image reconstruction algorithm, we demonstrate the degree of speedup we can obtain from these two approaches.
International Conference on Machine Learning and Applications | 2010
Malak Alshawabkeh; Micha Moffie; Fatemeh Azmandian; Javed A. Aslam; Jennifer G. Dy; David R. Kaeli
Virtualization is becoming an increasingly popular service hosting platform. Recently, intrusion detection systems (IDSs) which utilize virtualization have been introduced. One particular challenge present in current virtualization-based IDS systems is considered in this paper. IDS systems are commonly faced with high-dimensional, imbalanced data. Improved feature selection methods are needed to achieve more accurate detection when presented with imbalanced data. These methods must select the right set of features which will lead to a lower number of false alarms and higher correct detection rates. In this paper we propose a new Boosting-based feature selection that evaluates the relative importance of individual features using the fractional absolute confidence that Boosting produces. Our approach accounts for the sample distributions by optimizing for the area under the Receiver Operating Characteristic (ROC) curve (i.e., Area Under the Curve (AUC)). Empirical results on different commercial virtual appliances and malware samples indicate that proper input feature selection is key if we want a virtualization-based IDS that is lightweight, efficient and effective.
Journal of Discrete Algorithms | 2007
Gill Barequet; Micha Moffie
Recently I. Jensen published a novel transfer-matrix algorithm for computing the number of polyominoes in a rectangular lattice. However, his estimation of the computational complexity of the algorithm (O((2)^n), where n is the size of the polyominoes) was based only on empirical evidence. In contrast, our research provides a solid proof. Our result is based primarily on an analysis of the number of a certain class of strings that plays a significant role in the algorithm. It turns out that this number is closely related to Motzkin numbers. We provide a rigorous computation that roughly confirms Jensen's estimation. We obtain the bound O(n^{5/2} (3)^n) on the running time of the algorithm, while the actual number of polyominoes is about C·4.06^n/n, for some constant C > 0.
ACM Sigarch Computer Architecture News | 2005
Micha Moffie; David R. Kaeli
Our Application Security Monitor (ASM) is a run-time monitor that dynamically collects execution-related data. ASM is part of a security framework that will allow us to explore different security policies aimed at identifying malicious behavior such as Trojan horses and backdoors. In this paper, we show what type of data ASM can collect and illustrate how this data can be used to enforce a security policy. Using ASM we are able to explore different tradeoffs between security and performance.
Archive | 2009
Micha Moffie; David R. Kaeli; Aviram Cohen; Javed A. Aslam; Malak Alshawabkeh; Jennifer G. Dy; Fatemeh Azmandian
Algorithm Engineering and Experimentation | 2004
Gill Barequet; Micha Moffie