Biblio
Security of VMs is now becoming a hot topic due to their outsourcing in cloud computing paradigm. All VMs present on the network are connected to each other, making exploited VMs danger to other VMs. and threats to organization. Rejuvenation of virtualization brought the emergence of hyper-visor based security services like VMI (Virtual machine introspection). As there is a greater chance for any intrusion detection system running on the same system, of being dis-abled by the malware or attacker. Monitoring of VMs using VMI, is one of the most researched and accepted technique, that is used to ensure computer systems security mostly in the paradigm of cloud computing. This thesis presents a work that is to integrate LibVMI with Volatility on a KVM, a Linux based hypervisor, to introspect memory of VMs. Both of these tools are used to monitor the state of live VMs. VMI capability of monitoring VMs is combined with the malware analysis and virtual honeypots to achieve the objective of this project. A testing environment is deployed, where a network of VMs is used to be introspected using Volatility plug-ins. Time execution of each plug-in executed on live VMs is calculated to observe the performance of Volatility plug-ins. All these VMs are deployed as Virtual Honeypots having honey-pots configured on them, which is used as a detection mechanism to trigger alerts when some malware attack the VMs. Using STIX (Structure Threat Information Expression), extracted IOCs are converted into the understandable, flexible, structured and shareable format.