VMM-BASED INTRUSION DETECTION SYSTEM
Abstract
An intrusion detection system collects architectural level events from a Virtual Machine Monitor where the collected events represent operation of a corresponding Virtual Machine. The events are consolidated into features that are compared with features from a known normal operating system. If an amount of any differences between the collected features and the normal features exceeds a threshold value, a compromised Virtual Machine may be indicated. The comparison thresholds are determined by training on normal and abnormal systems and analyzing the collected events with machine learning algorithms to arrive at a model of normal operation.
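As an added illustration (not code from the patent or from any product), the following Python sketches the pipeline the abstract describes: consolidating a VMM event stream into features, learning a profile of normal operation, choosing the comparison threshold from normal and abnormal training windows, and indicating a compromised VM when the deviation exceeds it. The event type names and all training windows are constructed for the example.

```python
from collections import Counter
from math import sqrt
# Architectural-level event types the VMM is assumed to expose
# (constructed names; the patent does not enumerate them).
EVENT_TYPES = ("vmexit_cpuid", "vmexit_io", "vmexit_cr_write",
               "page_fault", "vmexit_msr_write", "interrupt_inject")

def consolidate(events):
    """Consolidate one window of raw VMM events into per-type relative frequencies."""
    counts = Counter(e for e in events if e in EVENT_TYPES)
    total = sum(counts.values()) or 1
    return [counts[t] / total for t in EVENT_TYPES]

def train_normal_model(windows):
    """Model of normal operation: per-feature mean and std over known-good windows."""
    vecs = [consolidate(w) for w in windows]
    n, k = len(vecs), len(EVENT_TYPES)
    means = [sum(v[i] for v in vecs) / n for i in range(k)]
    stds = [sqrt(sum((v[i] - means[i]) ** 2 for v in vecs) / n) or 1e-6
            for i in range(k)]
    return means, stds

def deviation(features, model):
    """Amount of difference from normal: sum of per-feature absolute z-scores."""
    means, stds = model
    return sum(abs(f - m) / s for f, m, s in zip(features, means, stds))

def choose_threshold(model, normal_windows, abnormal_windows):
    """Threshold midway between the worst normal and the closest abnormal training window."""
    hi_normal = max(deviation(consolidate(w), model) for w in normal_windows)
    lo_abnormal = min(deviation(consolidate(w), model) for w in abnormal_windows)
    return (hi_normal + lo_abnormal) / 2

def vm_status(events, model, threshold):
    """Status of the VM for one window of collected events."""
    return "compromised" if deviation(consolidate(events), model) > threshold else "normal"

def window(cpuid, io, cr, pf, msr, intr):
    """Build a constructed event window from per-type counts (event order is irrelevant)."""
    return (["vmexit_cpuid"] * cpuid + ["vmexit_io"] * io + ["vmexit_cr_write"] * cr
            + ["page_fault"] * pf + ["vmexit_msr_write"] * msr + ["interrupt_inject"] * intr)

# Constructed training data: three windows of normal operation, two of abnormal operation.
NORMAL_WINDOWS = [window(10, 30, 2, 48, 1, 9), window(12, 28, 1, 47, 2, 10), window(8, 32, 3, 46, 1, 10)]
ABNORMAL_WINDOWS = [window(5, 15, 30, 20, 25, 5), window(40, 10, 5, 35, 5, 5)]
MODEL = train_normal_model(NORMAL_WINDOWS)
THRESHOLD = choose_threshold(MODEL, NORMAL_WINDOWS, ABNORMAL_WINDOWS)
```

A deployment would replace the z-score sum with whatever model the training produced and would slide the window over the live event stream; the structure of collect, consolidate, compare, threshold stays the same.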
31 Claims
1. A method of determining a status of a virtual machine (VM) running in conjunction with a virtual machine monitor (VMM), wherein one or more applications and a guest operating system (OS) are running in the VM, the method comprising:
- collecting a stream of events from the VMM, each event in the stream corresponding to an operation of the VMM; and
- determining the status of the VM as a function of the collected stream of events.
Dependent claims: 2-10.

11. A method of detecting an unauthorized application executing in a virtual machine (VM) running a guest operating system (OS) in a virtualization system comprising virtualization logic, the virtualization logic comprising a virtual machine monitor (VMM), the method comprising:
- the virtualization logic collecting a stream of events from the VMM, each event in the stream corresponding to an operation of the VMM;
- the virtualization logic providing the stream of events to intrusion detection logic; and
- the intrusion detection logic determining whether or not an unauthorized application is executing in the virtualization system as a function of the collected stream of events.
Dependent claims: 12-18.

19. A method of detecting an unauthorized application executing in a virtual machine (VM) running in conjunction with a virtual machine monitor (VMM), wherein one or more applications and a guest operating system (OS) are running in the VM, the method comprising:
- receiving a stream of events from the VMM, each event in the stream corresponding to an operation of the VMM; and
- determining that an unauthorized application is executing in the VM as a function of the received stream of events.
Dependent claims: 20-31.