Constructing a Cloud-Based IDS by Merging VMI with FMA

Trust, Security and Privacy in Computing and Communications (2012)

Abstract
Cloud computing has emerged in recent years as a major segment of the IT industry; however, security concerns remain the primary impediment to full-scale adoption. Leveraging properties of virtualization, virtual machine introspection (VMI) has yielded promising research for cloud security, yet adoption of these approaches in production environments remains minimal due to a semantic gap: the extraction of high-level knowledge of the guest operating system's state from low-level artifacts collected out-of-VM. Within the field of forensic memory analysis (FMA), a similar semantic gap exists from the reconstruction of physical memory dumps. We implement a production-oriented prototype utilizing designs that combine and narrow these semantic gaps in a modular framework to function as an intrusion detection system (IDS) detecting and defeating post-exploitation activity.
Keywords
full-scale adoption,production environment,cloud computing,physical memory dump,forensic memory analysis,semantic gap,merging vmi,cloud-based ids,intrusion detection system,guest operating system,cloud security,similar semantic gap,prototypes,malware,virtual machines,virtualisation,it industry,cloud,databases,virtualization,fma,computer forensics