Odinn: An In-Vivo Hypervisor-based Intrusion Detection System for the Cloud

Abstract

Cloud computing has emerged as the de facto service model for modern enterprises; however, security concerns remain a major impediment to full-scale adoption. Concurrent to this paradigm shift looms another concern that dominates the landscape of the security industry - malware proliferation. Leveraging the isolation property of virtualization, Virtual Machine Introspection (VMI) has yielded promising research for cloud security yet adoption of these approaches in production environments remains minimal due to a semantic gap: the extraction of high-level knowledge of the guest operating system’s state from low-level artifacts collected out-of-VM. Within the field of Forensic Memory Analysis (FMA), a similar semantic gap existed (low level artifacts found in the reconstruction of physical memory dumps) and was rectified via a number of tools, notably Volatility. Other properties of virtualization have largely been unexplored for the use of Cloud-based Intrusion Detection Systems (IDSs) for use in malware mitigation techniques and post-infection analysis. By merging the these properties of virtualization with the semantic gap solution in FMA, we construct a prototype IDS, ODinn, at the hypervisor level for detecting, mitigating, and analyzing malicious activity. Using ODinn, we successfully detect malware in real-time and the accuracy increases when malware attempts to obfuscate itself using standard obfuscation methods. Once detected, ODinn undoes the effects of the infection for the end user with only a few seconds of downtime and minimizing data loss to five minutes or less. Finally, we use our analysis suite in a novel manner to reduce the search space by at least 95% for the modules, drivers and processes altered or inserted during the malware.