Abstract
Cloud platforms commonly rely on virtualization technology, so their actual hosts are virtualized. Because network attacks occur frequently, providing system security in a virtualized environment is the focus of this study. We have designed and implemented a lightweight network-based intrusion prevention system (IPS), named VMM-IPS, for the virtual machine (VM) execution environment. To protect the VMs and the host system at the same time, VMM-IPS runs in the Linux kernel of the host and is co-located with the Kernel-based Virtual Machine (KVM), which turns the Linux kernel into a hypervisor. Every packet entering the system, whether destined for a VM or passing through the host, is inspected by VMM-IPS. Unlike a user-level IPS, which must switch protection domains and copy packets into user-space buffers for inspection, VMM-IPS is more efficient because it can inspect packets in place. It adopts signature-based detection and uses the multiple-pattern search algorithm AC-BM for efficient string matching. In addition, VMM-IPS can protect the system against attacks that use packet splitting and reassembly to evade an intrusion detection system (IDS). The experimental results demonstrate that VMM-IPS achieves system safety effectively and efficiently.
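As an added illustration of the evasion the abstract refers to (this is example code, not the paper's own kernel-level implementation, and it uses plain Aho-Corasick rather than the AC-BM hybrid): a multi-pattern matcher whose automaton state is carried across the reordered segments of one TCP flow, so a signature split across packets is still detected, while per-packet scanning misses it. The signatures, sample segments and function names are constructed for this example.

```python
from collections import deque

class SignatureMatcher:
    # Aho-Corasick automaton over bytes; the state is handed back to the caller
    # so it can be carried across consecutive segments of one TCP flow.
    def __init__(self, signatures):
        self.goto, self.fail, self.out = [{}], [0], [set()]
        for sig in signatures:                      # build the keyword trie
            s = 0
            for b in sig:
                if b not in self.goto[s]:
                    self.goto.append({}); self.fail.append(0); self.out.append(set())
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].add(sig)
        queue = deque(self.goto[0].values())        # depth-1 states fail to the root
        while queue:                                # BFS computes failure links
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]   # inherit suffix matches

    def feed(self, state, data):
        """Scan data from `state`; return (new_state, signatures completed in data)."""
        hits = []
        for b in data:
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            hits.extend(sorted(self.out[state]))
        return state, hits

SIGNATURES = [b"/etc/passwd", b"cmd.exe", b"UNION SELECT"]
# Constructed sample flow: one HTTP request split so "/etc/passwd" straddles two
# TCP segments that also arrive out of order. Tuples are (relative seq, payload).
SEGMENTS = [(15, b"tc/passwd HTTP/1.1\r\n\r\n"), (0, b"GET /../../../e")]

def per_packet_inspect(matcher, segments):
    """Naive per-packet scan: state is reset for every packet, so the split signature is missed."""
    return [h for _, p in segments for h in matcher.feed(0, p)[1]]

def stream_inspect(matcher, segments):
    """Stream-aware scan: order segments by seq and carry the automaton state across them."""
    state, hits = 0, []
    for _, payload in sorted(segments):
        state, found = matcher.feed(state, payload)
        hits += found
    return hits
```

A real reassembler must also handle retransmissions, gaps and overlapping segments; this example only orders in-sequence data.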
Acknowledgments
This research was supported in part by grant MOST 105-2221-E-260-015 and MOST 106-2221-E-260-001 from the Ministry of Science and Technology, Taiwan, Republic of China. We would also like to thank M. L. Wang, H. Cheng, C. W. Huang and members in the Computer System laboratory of Chang Gung University for their efforts in this study.
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Chiang, M.L., Wang, J.K., Feng, L.C., Chen, Y.S., Wang, Y.C., Kao, W.Y. (2017). Design and Implementation of a Lightweight Kernel-Level Network Intrusion Prevention System for Virtualized Environment (Short Paper). In: Liu, J., Samarati, P. (eds) Information Security Practice and Experience. ISPEC 2017. Lecture Notes in Computer Science, vol 10701. Springer, Cham. https://doi.org/10.1007/978-3-319-72359-4_36
DOI: https://doi.org/10.1007/978-3-319-72359-4_36
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-72358-7
Online ISBN: 978-3-319-72359-4
eBook Packages: Computer Science (R0)