Date of Award
Master of Science in Computer Engineering
Department of Electrical and Computer Engineering
Barry E. Mullins, PhD
In this research, a compiled memory analysis tool for virtualization (CMAT-V) is developed as a virtual machine introspection (VMI) utility to conduct live analysis during cyber attacks. CMAT-V leverages static memory dump analysis techniques to provide live dynamic system state data. Unlike some VMI applications, CMAT-V bridges the semantic gap using derivation techniques. CMAT-V detects Windows-based operating systems and uses the Microsoft Symbol Server to provide this context to the user. This research demonstrates the usefulness of CMAT-V as a situational awareness tool during cyber attacks, tests the detection of CMAT-V from the guest system level and measures its impact on host performance. During experimental testing, live system state information was successfully extracted from two simultaneously executing virtual machines (VM’s) under four rootkit-based malware attack scenarios. For each malware attack scenario, CMAT-V was able to provide evidence of the attack. Furthermore, data from CMAT-V detection testing did not confirm detection of the presence of CMAT-V’s live memory analysis from the VM itself. This supports the conclusion that CMAT-V does not create uniquely identifiable interference in the VM. Finally, three different benchmark tests reveal an 8% to 12% decrease in the host VM performance while CMAT-V is executing.
DTIC Accession Number
Not in DTIC
Dodge, Dustyn A., "Cyber Situational Awareness Using Live Hypervisor-Based Virtual Machine Introspection" (2010). Theses and Dissertations. 1979.