Project Details

EvIDencE: Testing Intrusion Detection Systems in Virtualized Environments

Subject Area Security and Dependability, Operating-, Communication- and Distributed Systems
Term from 2016 to 2020
Project identifier Deutsche Forschungsgemeinschaft (DFG) - Project number 289129390
 
In recent years, virtualization has received increasing interest, both from industry and academia, as a way to reduce costs through server consolidation and to enhance the flexibility of physical infrastructures. While virtualization provides many benefits, it also introduces new challenges, such as the potential threats and vulnerabilities that come with the introduction of Virtual Machine Monitors (VMMs) and the allocation of potentially multiple Virtual Machines (VMs) on the same physical server. Security has often been named as one of the major concerns for users of modern virtualized service infrastructures, given that with the introduction of a virtualization layer, a new target, the virtualization platform, is introduced that may be exploited by attackers. Intrusion detection systems (IDSes) are a common defensive instrument against security threats, and the increasing adoption of virtualization has led to the emergence of a novel class of IDSes specifically designed to operate in virtualized environments. However, no methods and techniques have been proposed so far for testing in a realistic and reliable manner how well a given IDS for a virtualized environment performs. To minimize the risk of security breaches, such methods and techniques are crucially important. The proposed project EvIDencE provides a detailed research agenda to address this issue by developing an approach for generating virtualization-specific malicious workloads, as well as metrics and measurement methodologies, enabling the testing of modern IDSes in a rigorous and representative manner. To achieve these goals, novel methods are needed for generating malicious workloads containing attacks targeted at VMMs and exploiting virtualization-specific vulnerabilities that are representative of modern virtualization platforms.
Furthermore, novel metrics for quantifying the attack detection accuracy are needed that explicitly take into account the dynamic resource provisioning behavior of modern VMMs, which can significantly influence the behavior of the IDS under test. The proposed project will enable the representative testing of IDSes in virtualized environments by contributing: i) a framework for executing representative malicious workloads based on hypercall attacks, ii) a set of novel IDS testing metrics, and iii) a scientifically rigorous IDS testing methodology. The developed techniques can be used by researchers to test novel IDS algorithms and architectures with respect to specific IDS properties that are the subject of research. Further, they can be used by industrial software architects and IT security officers to compare different IDSes in terms of their attack detection accuracy in order to deploy an IDS that operates optimally in a given environment. Finally, the techniques can be used to tune and optimize the configuration of an already deployed IDS, thus reducing the risk of a security breach.
DFG Programme Research Grants