Snapshot Based Intrusion Detection System
Kuisma, Nina-Mari (2018)
Kuisma, Nina-Mari
2018
Information Technology
Tieto- ja sähkötekniikan tiedekunta - Faculty of Computing and Electrical Engineering
This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Acceptance date
2018-12-05
Permanent address of the publication:
https://urn.fi/URN:NBN:fi:tty-201811282776
Abstract
The subject of this thesis is to implement an intrusion detection system for virtual machines that cannot be tampered with by a malicious party. It takes advantage of virtualization technology by using snapshots of the virtual machines' system disks. This thesis also describes previous solutions. The solutions that have been widely adopted in industry always run on the monitored system itself, making it possible for an attacker to tamper with the results.
The primary purpose of this thesis is to describe the architecture, the components used, and the workflow of the new solution. The described solution is not without issues; in particular, the requirement, or strong recommendation, to use dedicated virtual machines with no other applications running adds cost to implementing this solution. Additionally, the system places various requirements on the monitored virtual machines, such as the operating system being run and the disk partitioning. The solution software has been developed without third-party influence or funding.
Theoretical security problems are caused by collision vulnerabilities of hash algorithms, which allow an attacker to generate modified files whose hash matches the original's. This is solved by calculating multiple algorithmically different hashes and using all of them to determine the integrity of a file. Another problem with systems like this is the fairly large number of false alerts, since new unknown non-malicious files cause unnecessary alerts. The thesis discusses various methods of decreasing the number of such unnecessary alerts, such as using the package repositories of Linux distributions to determine harmless files and their hashes ahead of time.
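The two ideas in the abstract, checking each file with several algorithmically different hashes and suppressing alerts for files whose hashes are already known from a package repository, can be shown in a few dozen lines. The code below is an added illustration written for this record, not the thesis's own software: it builds two constructed snapshot trees under a temporary directory (standing in for two read-only mounts of a virtual machine's system disk), hashes every file with SHA-256 and BLAKE2b, and classifies differences. The `known_good` set and all file contents are constructed for the demonstration; a real deployment would populate that set from the distribution's package metadata as the thesis describes.

```python
"""Multi-hash snapshot comparison with known-good suppression (added example).

Hypothetical code illustrating the approach described in the abstract; the
snapshot trees, file contents and the 'package repository' hash set are all
constructed inline so the script runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Two hash functions with different internal designs (SHA-2 vs BLAKE2), so a
# collision crafted for one is not expected to hold for the other.
ALGORITHMS = ("sha256", "blake2b")


def hash_bytes(data, algorithms=ALGORITHMS):
    """Return one hex digest per algorithm for an in-memory byte string."""
    return tuple(hashlib.new(a, data).hexdigest() for a in algorithms)


def hash_file(path, algorithms=ALGORITHMS):
    """Return one hex digest per algorithm for the file at path, read in chunks."""
    hashers = [hashlib.new(a) for a in algorithms]
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers:
                h.update(chunk)
    return tuple(h.hexdigest() for h in hashers)


def scan_snapshot(root):
    """Map every regular file below root (a mounted snapshot) to its digest tuple."""
    root = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if full.is_file() and not full.is_symlink():
                result[full.relative_to(root).as_posix()] = hash_file(full)
    return result


def compare_snapshots(baseline, current, known_good):
    """Classify differences between two scans.

    A file counts as unchanged only when *every* digest matches, so a
    collision against a single algorithm is not enough to hide a change.
    New files whose digest tuple appears in known_good (hashes taken ahead of
    time from a package repository) are reported separately from unknown files,
    which is where the alert-reduction described in the abstract comes from.
    """
    report = {"modified": [], "deleted": [], "new_known_good": [], "new_unknown": []}
    for path, digests in baseline.items():
        if path not in current:
            report["deleted"].append(path)
        elif current[path] != digests:
            report["modified"].append(path)
    for path, digests in current.items():
        if path not in baseline:
            bucket = "new_known_good" if digests in known_good else "new_unknown"
            report[bucket].append(path)
    for key in report:
        report[key].sort()
    return report


def demo():
    """Build two constructed snapshot trees and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        snap1, snap2 = Path(tmp) / "snapshot1", Path(tmp) / "snapshot2"
        for snap in (snap1, snap2):
            (snap / "etc").mkdir(parents=True)
            (snap / "usr" / "bin").mkdir(parents=True)
            (snap / "etc" / "hostname").write_text("vm01\n")
            (snap / "usr" / "bin" / "ls").write_bytes(b"\x7fELF original ls")
        # Constructed stand-in for a package-repository hash of a legitimate tool.
        package_payload = b"\x7fELF curl from distro repo"
        known_good = {hash_bytes(package_payload)}
        # Changes present only in the second snapshot:
        (snap2 / "usr" / "bin" / "ls").write_bytes(b"\x7fELF modified ls")  # altered binary
        (snap2 / "usr" / "bin" / "curl").write_bytes(package_payload)     # known-good install
        (snap2 / "etc" / "rc.local").write_text("unknown script\n")        # unknown new file
        return compare_snapshots(scan_snapshot(snap1), scan_snapshot(snap2), known_good)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Because the scan runs against a snapshot rather than inside the guest, nothing on the monitored machine can alter what the hasher reads; the remaining trust boundary is the host that mounts the snapshot and holds the baseline digests.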