Document Type

Conference Proceeding

Publication Date



This paper presents a methodology for signaling potentially malicious insider behavior using virtual machine introspection (VMI). VMI provides a novel means to detect potential malicious insiders because the introspection tools remain transparent and inaccessible to the guest and are extremely difficult to subvert. This research develops a four step methodology for development and validation of malicious insider threat alerting using VMI. A malicious attacker taxonomy is used to decompose each scenario to aid identification of observables for monitoring for potentially malicious actions. The effectiveness of the identified observables is validated using two data sets. Results of the research show the developed methodology is effective in detecting the malicious insider scenarios on Windows guests.


© 2013 IEEE. All rights reserved. AFIT Scholar furnishes the draft version of this conference paper. The published version of record is available from IEEE via subscription at the DOI link in the citation below.



Source Publication

2013 46th Hawaii International Conference on System Sciences (HICSS)