%0 Report %1 MiKoAvAnVi2013-TechReport-OnBenchmarkingIDSes %A Milenkoski, Aleksandar %A Kounev, Samuel %A Avritzer, Alberto %A Antunes, Nuno %A Vieira, Marco %C 7001 Heritage Village Plaza Suite 225, Gainesville, VA 20155, USA %D 2013 %K Cloud Elasticity Instrumentation_profiling_and_workload_characterization Metrics_and_benchmarking_methodologies Performance Reliability SPEC Security Survey Virtualization descartes t_techreport %T On Benchmarking Intrusion Detection Systems in Virtualized Environments %X Modern intrusion detection systems (IDSes) for virtualized environments are deployed in the virtualization layer with components inside the virtual machine monitor (VMM) and the trusted host virtual machine (VM). Such IDSes can monitor at the same time the network and host activities of all guest VMs running on top of a VMM being isolated from malicious users of these VMs. We refer to IDSes for virtualized environments as VMM-based IDSes. In this work, we analyze state-of-the-art intrusion detection techniques applied in virtualized environments and architectures of VMM-based IDSes. Further, we identify challenges that apply specifically to benchmarking VMM-based IDSes focussing on workloads and metrics. For example, we discuss the challenge of defining representative baseline benign workload profiles as well as the challenge of defining malicious workloads containing attacks targeted at the VMM. We also discuss the impact of on-demand resource provisioning features of virtualized environments (e.g., CPU and memory hotplugging, memory ballooning) on IDS benchmarking measures such as capacity and attack detection accuracy. Finally, we outline future research directions in the area of benchmarking VMM-based IDSes and of intrusion detection in virtualized environments in general.

@techreport{MiKoAvAnVi2013-TechReport-OnBenchmarkingIDSes, abstract = {{Modern intrusion detection systems (IDSes) for virtualized environments are deployed in the virtualization layer with components inside the virtual machine monitor (VMM) and the trusted host virtual machine (VM). Such IDSes can monitor at the same time the network and host activities of all guest VMs running on top of a VMM being isolated from malicious users of these VMs. We refer to IDSes for virtualized environments as VMM-based IDSes. In this work, we analyze state-of-the-art intrusion detection techniques applied in virtualized environments and architectures of VMM-based IDSes. Further, we identify challenges that apply specifically to benchmarking VMM-based IDSes focussing on workloads and metrics. For example, we discuss the challenge of defining representative baseline benign workload profiles as well as the challenge of defining malicious workloads containing attacks targeted at the VMM. We also discuss the impact of on-demand resource provisioning features of virtualized environments (e.g., CPU and memory hotplugging, memory ballooning) on IDS benchmarking measures such as capacity and attack detection accuracy. Finally, we outline future research directions in the area of benchmarking VMM-based IDSes and of intrusion detection in virtualized environments in general.}}, added-at = {2020-04-06T11:21:23.000+0200}, address = {{7001 Heritage Village Plaza Suite 225, Gainesville, VA 20155, USA}}, author = {Milenkoski, Aleksandar and Kounev, Samuel and Avritzer, Alberto and Antunes, Nuno and Vieira, Marco}, biburl = {https://www.bibsonomy.org/bibtex/218bf8310ba9a837f8c959447fe6605b2/se-group}, institution = {SPEC Research Group - IDS Benchmarking Working Group, Standard Performance Evaluation Corporation (SPEC)}, interhash = {4946670213406b7ff7122741906ff533}, intrahash = {18bf8310ba9a837f8c959447fe6605b2}, keywords = {Cloud Elasticity Instrumentation_profiling_and_workload_characterization Metrics_and_benchmarking_methodologies Performance Reliability SPEC Security Survey Virtualization descartes t_techreport}, month = {June}, timestamp = {2021-02-08T15:14:55.000+0100}, title = {{On Benchmarking Intrusion Detection Systems in Virtualized Environments}}, type = {{Technical Report SPEC-RG-2013-002 v.1.0}}, year = 2013 }