Efficient Retrieval of Key Material for Inspecting Potentially Malicious Traffic in the Cloud

Author

Saxon, John T. ; Bordbar, Behzad ; Harrison, Keith

Author_Institution

Sch. of Comput. Sci., Univ. of Birmingham, Birmingham, UK

fYear

2015

fDate

9-13 March 2015

Firstpage

155

Lastpage

164

Abstract

Cloud providers must detect malicious traffic in and out of their network, virtual or otherwise. The use of Intrusion Detection Systems (IDS) has been hampered by the encryption of network communication. The result is that current signatures cannot match potentially malicious requests. A method to acquire the encryption keys is Virtual Machine Introspection (VMI). VMI is a technique to view the internal, and yet raw, representation of a Virtual Machine (VM). Current methods to find keys are expensive and use sliding windows or entropy. This inevitably requires reading the memory space of the entire process, or worse the OS, in a live environment where performance is paramount. This paper describes a structured walk of memory to find keys, particularly RSA, using as fewer reads from the VM as possible. In doing this we create a scalable mechanism to populate an IDS with keys to analyse traffic.

Keywords

cloud computing; cryptography; entropy; inspection; telecommunication traffic; virtual machines; IDS; RSA; VMI; cloud providers; encryption; entropy; intrusion detection systems; key material retrieval; memory space; network communication; potentially malicious traffic inspection; sliding windows; virtual machine introspection; Cryptography; Entropy; Forensics; Libraries; Memory management; Servers; Virtual machining; Key Material; Live Forensics; RSA; Virtual Machine Introspection;

fLanguage

English

Publisher

ieee

Conference_Titel

Cloud Engineering (IC2E), 2015 IEEE International Conference on

Conference_Location

Tempe, AZ

Type

conf

DOI

10.1109/IC2E.2015.26

Filename

7092913