EvIDencE: Testing Intrusion Detection Systems in Virtualized Environments

证据：在虚拟化环境中测试入侵检测系统

• 批准号: 289129390
• 负责人: Professor Dr.-Ing. Samuel Kounev
• 金额: --
• 依托单位: Lehrstuhl für Informatik II (Software Engineering)
• 依托单位国家: 德国
• 项目类别: Research Grants
• 财政年份: 2016
• 资助国家: 德国
• 起止时间: 2015-12-31 至 2019-12-31
• 项目状态: 已结题
• 来源: https://gepris.dfg.de/gepris/projekt/289129390?language=en
• 关键词: EvIDencE; Testing; Intrusion; Detection; Systems

In recent years, virtualization has received increasing interest, both from industry and academia, as a way to reduce costs through server consolidation and to enhance the flexibility of physical infrastructures. While virtualization provides many benefits, it also introduces new challenges, such as the potential threats and vulnerabilities that come with the introduction of Virtual Machine Monitors (VMMs) and the allocation of potentially multiple Virtual Machines (VMs) on the same physical server. Security has often been named as one of the major concerns for users of modern virtualized service infrastructures, given that with the introduction of a virtualization layer, a new target - the virtualization platform - is introduced that may be exploited by attackers. Intrusion detection systems (IDSes) are a common defensive instrument against security threats and the increasing adoption of virtualization has lead to the emergence of a novel class of IDSes specifically designed to operate in virtualized environments.However, no methods and techniques have been proposed so far for testing in a realistic and reliable manner how well a given IDS for a virtualized environment performs. To minimize the risk of security breaches, such methods and techniques are crucially important. The proposed project EvIDencE provides a detailed research agenda to address this issue by developing an approach for generating virtualization-specific malicious workloads, as well as metrics and measurement methodologies, enabling the testing of modern IDSes in a rigorous and representative manner. To achieve these goals, novel methods are needed for generating malicious workloads containing attacks targeted at VMMs and exploiting virtualization-specific vulnerabilities that are representative of modern virtualization platforms. Furthermore, novel metrics for quantifying the attack detection accuracy are needed that explicitly take into account the dynamic resource provisioning behavior of modern VMMs, which can normally significantly influence the behavior of the IDS under test. The proposed project will enable the representative testing of IDSes in virtualized environments by contributing: i) a framework for executing representative malicious workloads based on hypercall attacks, ii) a set of novel IDS testing metrics, and iii) a scientifically rigorous IDS testing methodology. The developed techniques can be used by researchers to test novel IDS algorithms and architectures with respect to specific IDS properties that are subject of research. Further, they can be used by industrial software architects and IT security officers to compare different IDSes in terms of their attack detection accuracy in order to deploy an IDS that operates optimally in a given environment. Finally, the techniques can be used to tune and optimize the configuration of an already deployed IDS, thus reducing the risks of a security breach.

近年来，虚拟化作为通过服务器整合降低成本和增强物理基础设施灵活性的一种方式，越来越受到业界和学术界的关注。虽然虚拟化提供了许多好处，但它也带来了新的挑战，例如引入虚拟机监视器 (VMM) 以及在同一物理服务器上分配潜在的多个虚拟机 (VM) 所带来的潜在威胁和漏洞。安全性常常被认为是现代虚拟化服务基础设施用户最关心的问题之一，因为随着虚拟化层的引入，引入了一个可能被攻击者利用的新目标——虚拟化平台。入侵检测系统 (IDS) 是针对安全威胁的常见防御工具，虚拟化的日益普及导致了专门设计用于在虚拟化环境中运行的一类新型 IDS 的出现。但是，到目前为止，还没有提出任何方法和技术来以现实且可靠的方式测试给定 IDS 在虚拟化环境中的性能。为了最大限度地降低安全漏洞的风险，这些方法和技术至关重要。拟议的项目 EvIDencE 提供了详细的研究议程，通过开发一种生成虚拟化特定恶意工作负载的方法以及指标和测量方法来解决这个问题，从而能够以严格且具有代表性的方式测试现代 IDS。为了实现这些目标，需要新的方法来生成包含针对 VMM 的攻击的恶意工作负载，并利用代表现代虚拟化平台的虚拟化特定漏洞。此外，需要用于量化攻击检测准确性的新指标，明确考虑现代 VMM 的动态资源配置行为，这通常会显着影响被测 IDS 的行为。拟议的项目将通过贡献以下内容，在虚拟化环境中实现 IDS 的代表性测试：i）用于执行基于超级调用攻击的代表性恶意工作负载的框架，ii）一组新颖的 IDS 测试指标，以及 iii）科学严谨的 IDS 测试方法。研究人员可以使用所开发的技术来测试新颖的 IDS 算法和架构，以了解作为研究主题的特定 IDS 属性。此外，工业软件架构师和 IT 安全人员还可以使用它们来比较不同 IDS 的攻击检测准确性，以便部署在给定环境中以最佳方式运行的 IDS。最后，这些技术可用于调整和优化已部署的 IDS 的配置，从而降低安全漏洞的风险。

项目成果

Benchmarking Intrusion Detection Systems with Adaptive Provisioning of Virtualized Resources

通过虚拟化资源的自适应配置对入侵检测系统进行基准测试

• DOI: 10.1007/978-3-319-47474-8_22
• 发表时间: 2017
• 作者: Aleksandar Milenkoski;K. R. Jayaram;Samuel Kounev
• 通讯作者: Samuel Kounev

The Vision of Self-aware Reordering of Security Network Function Chains

安全网络功能链自我意识重新排序的愿景

• DOI: 10.1145/3185768.3186309
• 发表时间: 2018
• 期刊: Companion of the 2018 ACM/SPEC International Conference on Performance Engineering
• 作者: Lukas Iffländer;Jürgen Walter;Simon Eismann;Samuel Kounev
• 通讯作者: Samuel Kounev

CUP: A Formalism for Expressing Cloud Usage Patterns for Experts and Non-Experts

CUP：为专家和非专家表达云使用模式的形式主义

• DOI: 10.1109/mcc.2018.032591618
• 发表时间: 2018
• 期刊: IEEE Cloud Computing
• 作者: Aleksandar Milenkoski;Alexandru Iosup;Samuel Kounev;Kai Sachs;Diane E. Mularz;Jonathan A. Curtiss;Jason J. Ding;Florian Rosenberg;Piotr Rygielski
• 通讯作者: Piotr Rygielski

Software Architectures for Self-protection in IaaS Clouds

IaaS 云中自我保护的软件架构

• DOI: 10.1007/978-3-319-47474-8_21
• 发表时间: 2017
• 作者: K. R. Jayaram;Aleksandar Milenkoski;Samuel Kounev
• 通讯作者: Samuel Kounev

Performance Influence of Security Function Chain Ordering

安全功能链排序对性能的影响

• DOI: 10.1145/3302541.3311965
• 发表时间: 2019
• 期刊: Companion of the 2019 ACM/SPEC International Conference on Performance Engineering
• 作者: Lukas Iffländer;Nicolas Fella
• 通讯作者: Nicolas Fella