Auburn University Electronic Theses and Dissertations

Odinn: An In-Vivo Hypervisor-based Intrusion Detection System for the Cloud

Metadata record (field: value, with language tag where present)

dc.contributor.advisor: Hamilton, John A., Jr.
dc.contributor.advisor: Umphress, David A.
dc.contributor.advisor: Overbey, Jeffrey
dc.contributor.advisor: Hendrix, T. Dean
dc.contributor.author: Harrison, Christopher
dc.date.accessioned: 2014-06-18T14:03:09Z
dc.date.available: 2014-06-18T14:03:09Z
dc.date.issued: 2014-06-18
dc.identifier.uri: http://hdl.handle.net/10415/4190
dc.description.abstract (en_US): Cloud computing has emerged as the de facto service model for modern enterprises; however, security concerns remain a major impediment to full-scale adoption. Concurrent with this paradigm shift looms another concern that dominates the landscape of the security industry: malware proliferation. Leveraging the isolation property of virtualization, Virtual Machine Introspection (VMI) has yielded promising research for cloud security, yet adoption of these approaches in production environments remains minimal due to a semantic gap: the extraction of high-level knowledge of the guest operating system's state from low-level artifacts collected out-of-VM. Within the field of Forensic Memory Analysis (FMA), a similar semantic gap existed (low-level artifacts found in the reconstruction of physical memory dumps) and was rectified by a number of tools, notably Volatility. Other properties of virtualization have largely been unexplored for the use of cloud-based Intrusion Detection Systems (IDSs) in malware mitigation techniques and post-infection analysis. By merging these properties of virtualization with the semantic gap solution from FMA, we construct a prototype IDS, ODinn, at the hypervisor level for detecting, mitigating, and analyzing malicious activity. Using ODinn, we successfully detect malware in real time, and the accuracy increases when malware attempts to obfuscate itself using standard obfuscation methods. Once detected, ODinn undoes the effects of the infection for the end user with only a few seconds of downtime, limiting data loss to five minutes or less. Finally, we use our analysis suite in a novel manner to reduce the search space by at least 95% for the modules, drivers and processes altered or inserted during the infection.
dc.rights (en_US): EMBARGO_GLOBAL
dc.subject (en_US): Computer Science
dc.title (en_US): Odinn: An In-Vivo Hypervisor-based Intrusion Detection System for the Cloud
dc.type (en_US): dissertation
dc.embargo.length (en_US): MONTHS_WITHHELD:6
dc.embargo.status (en_US): EMBARGOED
dc.embargo.enddate (en_US): 2014-12-18
