Micha Moffie scite author profile

As virtualization technology gains in popularity, so do attempts to compromise the security and integrity of virtualized computing resources. Anti-virus software and firewall programs are typically deployed in the guest virtual machine to detect malicious software. These security measures are effective in detecting known malware, but do little to protect against new variants of intrusions. Intrusion detection systems (IDSs) can be used to detect malicious behavior. Most intrusion detection systems for virtual execution environments track behavior at the application or operating system level, using virtualization as a means to isolate themselves from a compromised virtual machine. In this paper, we present a novel approach to intrusion detection of virtual server environments which utilizes only information available from the perspective of the virtual machine monitor (VMM). Such an IDS can harness the ability of the VMM to isolate and manage several virtual machines (VMs), making it possible to provide monitoring of intrusions at a common level across VMs. It also offers unique advantages over recent advances in intrusion detection for virtual machine environments. By working purely at the VMM-level, the IDS does not depend on structures or abstractions visible to the OS (e.g., file systems), which are susceptible to attacks and can be modified by malware to contain corrupted information (e.g., the Windows registry). In addition, being situated within the VMM provides ease of deployment as the IDS is not tied to a specific OS and can be deployed transparently below different operating systems. Due to the semantic gap between the information available to the VMM and the actual application behavior, we employ the power of data mining techniques to extract useful nuggets of knowledge from the raw, low-level architectural data. We show in this paper that by working entirely at the VMM-level, we are able to capture enough information to characterize normal executions and identify the presence of abnormal malicious behavior. Our experiments on over 300 real-world malware and exploits illustrate that there is sufficient information embedded within the VMM-level data to allow accurate detection of malicious attacks, with an acceptable false alarm rate.

show abstract

Counting Polyominoes on Twisted Cylinders

Barequet¹,

Moffie²,

Ribó³

et al. 2005

View full text Add to dashboard Cite

International audience We improve the lower bounds on Klarner's constant, which describes the exponential growth rate of the number of polyominoes (connected subsets of grid squares) with a given number of squares. We achieve this by analyzing polyominoes on a different surface, a so-called $\textit{twisted cylinder}$ by the transfer matrix method. A bijective representation of the "states'' of partial solutions is crucial for allowing a compact representation of the successive iteration vectors for the transfer matrix method.

show abstract

Workload Characterization at the Virtualization Layer

Azmandian

Moffie

et al. 2011

View full text Add to dashboard Cite

Characterizing antivirus workload execution

Uluski

Moffie

Kaeli

2005

SIGARCH Comput. Archit. News

View full text Add to dashboard Cite

Despite the pervasive use of anti-virus (AV) software, there has not been a systematic study of the characteristics of the execution of this workload. In this paper we present a characterization of four commonly used anti-virus software packages. Using the Virtutech Simics toolset, we profile the behavior of four popular anti-virus packages as run on an Intel PentiumIV platform running Microsoft Windows-XP.In our study, we focus on the overhead introduced by the anti-virus software during on-access execution. The overhead associated with anti-virus execution can dominate overall performance. The AV-Test group has already reported that this overhead can range from 23-129% on live systems running on-access experiments [3]. 1 The performance impact of the anti-virus execution is clearly an important issue, and we present the first quantitative study of the characteristics of this workload. Our study includes the impact of both operating system execution and system call execution.

show abstract

Effective Virtual Machine Monitor Intrusion Detection Using Feature Selection on Highly Imbalanced Data

Alshawabkeh

Moffie

Azmandian

et al. 2010

View full text Add to dashboard Cite

Maintaining Trustworthiness of Socio-Technical Systems at Run-Time

Mohammadi

Bandyszak

Moffie

et al. 2014

View full text Add to dashboard Cite

Exploring Novel Parallelization Technologies for 3-D Imaging Applications

Rivera

Schaa

Moffie

et al. 2007

View full text Add to dashboard Cite

show abstract

12 3

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

hi@scite.ai

334 Leonard St

Brooklyn, NY 11211

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Micha Moffie

Towards a GDPR compliant way to secure European cross border Healthcare Industry 4.0

Virtual machine monitor-based lightweight intrusion detection

Counting Polyominoes on Twisted Cylinders

Workload Characterization at the Virtualization Layer

Characterizing antivirus workload execution

Effective Virtual Machine Monitor Intrusion Detection Using Feature Selection on Highly Imbalanced Data

Maintaining Trustworthiness of Socio-Technical Systems at Run-Time

Exploring Novel Parallelization Technologies for 3-D Imaging Applications

Contact Info

Product

Resources

About