VMM-BASED INTRUSION DETECTION SYSTEM

US 20110004935A1
Filed: 02/02/2009
Published: 01/06/2011
Est. Priority Date: 02/01/2008
Status: Active Grant

First Claim

Patent Images

1. A method of determining a status of a virtual machine (VM) running in conjunction with a virtual machine monitor (VMM), wherein one or more applications and a guest operating system (OS) are running in the VM, the method comprising:

collecting a stream of events from the VMM, each event in the stream corresponding to an operation of the VMM; and

determining the status of the VM as a function of the collected stream of events.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intrusion detection system collects architectural level events from a Virtual Machine Monitor where the collected events represent operation of a corresponding Virtual Machine. The events are consolidated into features that are compared with features from a known normal operating system. If an amount of any differences between the collected features and the normal features exceeds a threshold value, a compromised Virtual Machine may be indicated. The comparison thresholds are determined by training on normal and abnormal systems and analyzing the collected events with machine learning algorithms to arrive at a model of normal operation.

Citations

31 Claims

1. A method of determining a status of a virtual machine (VM) running in conjunction with a virtual machine monitor (VMM), wherein one or more applications and a guest operating system (OS) are running in the VM, the method comprising:
- collecting a stream of events from the VMM, each event in the stream corresponding to an operation of the VMM; and
  
  determining the status of the VM as a function of the collected stream of events.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein determining the status of the VM comprises:
    - comparing the stream of events to one or more predetermined parameters.
  - 3. The method of claim 1, wherein determining the status of the VM comprises:
    - grouping the stream of events into at least one window of events,wherein the at least one window is of a predetermined window length.
  - 4. The method of claim 3, wherein the predetermined window length is of a predetermined duration of time.
  - 5. The method of claim 3, wherein the at least one window comprises at least one event.
  - 6. The method of claim 3, wherein determining the status of the VM further comprises:
    - determining at least one feature-value for each at least one window,wherein each at least one feature-value represents a number of events of a predetermined event type found in a respective window.
  - 7. The method of claim 6, wherein determining the status of the VM further comprises:
    - comparing the determined at least one feature-values for each at least one window to a predetermined set of one or more threshold values.
  - 8. The method of claim 1, wherein each event is at an architectural level representing a machine state of the VMM.
  - 9. The method of claim 8, wherein the event is chosen from the group consisting of:
    - virtual events related to the guest OS running in the VM;
      
      VMM events related to a state of the VMM; and
      
      runtime metrics.
  - 10. The method of claim 1, wherein each event has a corresponding event-type, and wherein determining the status of the VM further comprises:
    - removing, from the collected stream of events, one or more events corresponding to one or more predetermined event-types; and
      
      determining the state of the VMM as a function of the non-removed events.

11. A method of detecting an unauthorized application executing in a virtual machine (VM) running a guest operating system (OS) in a virtualization system comprising virtualization logic, the virtualization logic comprising a virtual machine monitor (VMM), the method comprising:
- the virtualization logic collecting a stream of events from the VMM, each event in the stream corresponding to an operation of the VMM;
  
  the virtualization logic providing the stream of events to intrusion detection logic; and
  
  ;
  
  the intrusion detection logic determining whether or not an unauthorized application is executing in the virtualization system as a function of the collected stream of events.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The method of claim 11, further comprising:
    - the intrusion detection logic;
      
      grouping the stream of events into one or more windows, each window comprising one or more events; and
      
      determining whether a respective window is one of normal or abnormal.
  - 13. The method of claim 12, further comprising:
    - the intrusion detection logic;
      
      establishing, for each window, at least one feature-value representing a number of events of a predetermined event type in the respective window; and
      
      comparing each at least one feature-value to a respective threshold value.
  - 14. The method of claim 12, further comprising:
    - the intrusion detection logic;
      
      determining that an unauthorized application is executing in the VM if at least one of;
      
      a predetermined number of consecutive windows are determined to be abnormal; and
      
      a predetermined percentage of consecutive windows are determined to be abnormal.
  - 15. The method of claim 14, further comprising:
    - the intrusion detection logic;
      
      determining that a window is abnormal if at least one feature-value in the window exceeds its respective threshold value by a predetermined margin.
  - 16. The method of claim 11, wherein each event has a corresponding event-type, the method further comprising:
    - the intrusion detection logic;
      
      removing, from the collected stream of events, one or more events corresponding to one or more predetermined event-types; and
      
      determining the state of the VMM as a function of the non-removed events.
  - 17. The method of claim 11, wherein each event is at an architectural level representing a machine state of the VMM.
  - 18. The method of claim 17, wherein the event is chosen from the group consisting of:
    - virtual events related to the guest OS running in the VM;
      
      VMM events related to a state of the VMM; and
      
      runtime metrics.

19. A method of detecting an unauthorized application executing in a virtual machine (VM) running in conjunction with a virtual machine monitor (VMM), wherein one or more applications and a guest operating system (OS) are running in the VM, the method comprising:
- receiving a stream of events from the VMM, each event in the stream corresponding to an operation of the VMM; and
  
  determining that an unauthorized application is executing in the VM as a function of the received stream of events.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 20. The method of claim 19, wherein determining that an unauthorized application is executing in the VM comprises:
    - comparing the stream of events to one or more predetermined parameters.
  - 21. The method of claim 19, wherein determining that an unauthorized application is executing in the VM comprises:
    - grouping the stream of events into a plurality of windows of events,wherein each window is of a predetermined window length.
  - 22. The method of claim 21, wherein the predetermined window length is of a predetermined duration of time.
  - 23. The method of claim 22, wherein each window comprises at least one event.
  - 24. The method of claim 21, wherein determining that an unauthorized application is executing in the VM further comprises:
    - determining at least one feature-value for each window,wherein each at least one feature-value represents a number of events of a predetermined event type found in a respective window.
  - 25. The method of claim 24, wherein determining that an unauthorized application is executing in the VM further comprises:
    - comparing the determined at least one feature-values for each window to a predetermined set of threshold values.
  - 26. The method of claim 21, further comprising:
    - determining that an unauthorized application is executing in the VM if at least one of;
      
      a predetermined number of consecutive windows are determined to be abnormal; and
      
      a predetermined percentage of consecutive windows are determined to be abnormal.
  - 27. The method of claim 26, wherein determining whether or not a window is abnormal comprises:
    - comparing each at least one feature-value for a respective window to a corresponding threshold value.
  - 28. The method of claim 27, further comprising:
    - determining that a window is abnormal if at least one feature-value in the window exceeds its corresponding threshold value by a predetermined margin.
  - 29. The method of claim 19, wherein each event is at an architectural level representing a machine state of the VMM.
  - 30. The method of claim 29, wherein the event is chosen from the group consisting of:
    - virtual events related to the guest OS running in the VM;
      
      VMM events related to a state of the VMM; and
      
      runtime metrics.
  - 31. The method of claim 19, wherein each event has a corresponding event-type, the method further comprising:
    - removing, from the collected stream of events, one or more events corresponding to one or more predetermined event-types; and
      
      determining that an unauthorized application is executing in the VMM as a function of the non-removed events.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Northeastern University
Original Assignee
Northeastern University
Inventors
Azmandian, Fatemeh, Cohen, Aviram, Alshawabkeh, Malak, Dy, Jennifer, Kaeli, David, Aslam, Javed, Moffie, Micha

Granted Patent

US 8,719,936 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/53 by executing in a restricte...

G06F 21/552 involving long-term monitor...

VMM-BASED INTRUSION DETECTION SYSTEM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

VMM-BASED INTRUSION DETECTION SYSTEM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links