Automated Approach to Intrusion Detection in VM-based Dynamic Execution Environment

keywords: Intrusion detection, virtual machine, hidden Markov model (HMM), sequential data mining, dynamic graph
Because virtual computing platforms change dynamically, it is difficult to build a high-quality intrusion detection system for them. In this paper, we present an automated approach to intrusion detection that maintains sufficient detection performance while reducing dependence on the execution environment. We discuss a hidden Markov model (HMM) strategy for abnormality detection based on frequent system call sequences, which lets us identify attacks and intrusions automatically and efficiently. We also propose an automated mining algorithm, named AGAS, to generate the frequent system call sequences. In our approach, the detection performance is adaptively tuned according to the execution state once every period; to improve performance further, the length of that period is itself self-adjusting.
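The following is an added illustration, not code from the paper, of the two ideas the abstract names: mining frequent system-call sequences from normal traces and scoring new traces with a discrete HMM. The support-threshold k-gram miner is a simple stand-in for AGAS (whose details are not on this page), the traces are constructed, the class and function names are my own, and the paper's adaptive tuning of the detection period is not modelled.

```python
"""Added example (not the paper's code): frequent-sequence mining plus an HMM
anomaly scorer over system-call traces. Pure Python, no third-party packages."""
import math
import random
from collections import Counter

# Constructed sample traces of a benign file-copy workload (not real captures).
NORMAL_TRACES = [
    ["open", "read", "write", "read", "write", "close"],
    ["open", "read", "write", "close"],
    ["open", "fstat", "read", "write", "close"],
    ["open", "read", "write", "close", "open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["open", "fstat", "read", "write", "write", "close"],
]
UNK = "<unk>"  # bucket for system calls never seen during training


def frequent_sequences(traces, k=3, min_support=3):
    """Stand-in for AGAS: every length-k call sequence seen >= min_support times."""
    counts = Counter()
    for trace in traces:
        for i in range(len(trace) - k + 1):
            counts[tuple(trace[i:i + k])] += 1
    return {seq: n for seq, n in counts.items() if n >= min_support}


def _normalize(row, floor):
    """Counts -> distribution with an additive floor so no entry is exactly zero."""
    total = sum(row) + floor * len(row)
    return [(x + floor) / total for x in row]


def _forward(o, pi, A, B):
    """Scaled forward pass: returns alpha vectors and per-step scaling factors."""
    N = len(pi)
    a = [pi[i] * B[i][o[0]] for i in range(N)]
    c = sum(a)
    alpha, scale = [[x / c for x in a]], [c]
    for t in range(1, len(o)):
        a = [sum(alpha[-1][i] * A[i][j] for i in range(N)) * B[j][o[t]] for j in range(N)]
        c = sum(a)
        alpha.append([x / c for x in a])
        scale.append(c)
    return alpha, scale


def _backward(o, A, B, scale):
    """Scaled backward pass reusing the forward scaling factors (avoids underflow)."""
    N, T = len(A), len(o)
    beta = [[1.0] * N for _ in range(T)]
    for t in range(T - 2, -1, -1):
        for i in range(N):
            beta[t][i] = sum(A[i][j] * B[j][o[t + 1]] * beta[t + 1][j]
                             for j in range(N)) / scale[t + 1]
    return beta


class SyscallHMM:
    """Discrete HMM fitted with Baum-Welch on known-normal system-call traces."""

    def __init__(self, traces, n_states=2, n_iter=40, floor=1e-3, seed=7):
        self.vocab = sorted({s for t in traces for s in t}) + [UNK]
        self.idx = {s: i for i, s in enumerate(self.vocab)}
        self.floor = floor
        V, N, rng = len(self.vocab), n_states, random.Random(seed)
        rand_row = lambda n: _normalize([rng.random() for _ in range(n)], 0.0)
        self.pi, self.A, self.B = rand_row(N), [rand_row(N) for _ in range(N)], [rand_row(V) for _ in range(N)]
        seqs = [self.encode(t) for t in traces]
        for _ in range(n_iter):
            self._baum_welch_step(seqs, N, V)

    def encode(self, trace):
        return [self.idx.get(s, self.idx[UNK]) for s in trace]

    def _baum_welch_step(self, seqs, N, V):
        pi_acc, A_acc, B_acc = [0.0] * N, [[0.0] * N for _ in range(N)], [[0.0] * V for _ in range(N)]
        for o in seqs:
            alpha, scale = _forward(o, self.pi, self.A, self.B)
            beta = _backward(o, self.A, self.B, scale)
            for t in range(len(o)):  # state posteriors gamma_t(i), normalised per step
                g = [alpha[t][i] * beta[t][i] for i in range(N)]
                z = sum(g)
                for i in range(N):
                    B_acc[i][o[t]] += g[i] / z
                    if t == 0:
                        pi_acc[i] += g[i] / z
            for t in range(len(o) - 1):  # transition posteriors xi_t(i, j)
                xi = [[alpha[t][i] * self.A[i][j] * self.B[j][o[t + 1]] * beta[t + 1][j]
                       for j in range(N)] for i in range(N)]
                z = sum(map(sum, xi))
                for i in range(N):
                    for j in range(N):
                        A_acc[i][j] += xi[i][j] / z
        self.pi = _normalize(pi_acc, self.floor)
        self.A = [_normalize(row, self.floor) for row in A_acc]
        self.B = [_normalize(row, self.floor) for row in B_acc]

    def log_likelihood(self, trace):
        _, scale = _forward(self.encode(trace), self.pi, self.A, self.B)
        return sum(math.log(c) for c in scale)

    def anomaly_score(self, trace):
        """Per-call negative log-likelihood; higher means less like normal behaviour."""
        return -self.log_likelihood(trace) / len(trace)


def calibrate_threshold(model, traces, margin=1.0):
    """Worst score among known-normal traces plus a safety margin (in nats)."""
    return max(model.anomaly_score(t) for t in traces) + margin


def is_intrusion(model, threshold, trace):
    return model.anomaly_score(trace) > threshold
```

Unknown calls map to the `<unk>` bucket, whose floored emission probability makes never-seen calls expensive, so a trace mixing unfamiliar calls into a familiar pattern scores well above the threshold calibrated on the normal traces; reordering of familiar calls is penalised more gently, through the transition matrix.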
reference: Vol. 31, 2012, No. 2, pp. 271–297