Design and implementation of a lightweight kernel-level network intrusion prevention system for virtualized environment (short paper)

Abstract

Cloud platforms often take advantage of virtualization technology and make their actual hosts virtualized. As network attack events occur frequently, providing system security in a virtualized environment is the focus of this study. We have designed and implemented a lightweight network-based intrusion prevention system (IPS) named VMM-IPS for the virtual machine (VM) execution environment. To ensure the system safety of VMs and the host system at the same time, VMM-IPS operates in the Linux kernel of the host system and is co-located with the Kernel-based Virtual Machine, which turns the Linux kernel into a hypervisor. As packets enter the system, whether destined for VMs or passing through the host, they are inspected by VMM-IPS. Unlike a user-level IPS, which needs to switch protection domains and copy packets to a user buffer for inspection, VMM-IPS is more efficient because it can perform in-place packet inspection. It adopts signature-based detection and is implemented with the multiple-pattern search algorithm AC-BM for efficient string matching. In addition, VMM-IPS can protect the system against attacks that use packet splitting and reassembly to evade an intrusion detection system (IDS). The experimental results demonstrate that VMM-IPS can achieve system safety effectively and efficiently.

Cite

Chiang, M. L., Wang, J. K., Feng, L. C., Chen, Y. S., Wang, Y. C., & Kao, W. Y. (2017). Design and implementation of a lightweight kernel-level network intrusion prevention system for virtualized environment (short paper). In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 10701 LNCS, pp. 587–598). Springer Verlag. https://doi.org/10.1007/978-3-319-72359-4_36
