CADM: A Centralized Administration and Dynamic Monitoring Framework for Network Intrusion Detection Based on Virtualization
Authors: Zhenquan Ding, Zhiyu Hao, Yongzheng Zhang
Published in: 2013 International Conference on Parallel and Distributed Computing, Applications and Technologies (2013-12-16)
DOI: 10.1109/PDCAT.2013.24
Virtualization technology, which is characterized by dynamic change, means that the virtual network structure no longer depends strictly on the underlying hardware environment. With virtualization platform administrators tasked with preventing attacks in order to provide uninterrupted service, existing intrusion detection technologies are continuously challenged. Consequently, this paper proposes a Centralized Administration and Dynamic Monitoring framework (CADM) based on virtualization for network intrusion detection. CADM is able to centrally administer and monitor network behavior in the virtual computing environment by automatically deploying and updating intrusion detection processes and rules. In terms of monitoring capability, CADM allows the monitoring locations in intrusion detection to be automatically adjusted in real time, thus adapting to the dynamic changes (such as migration) of virtual machines (VMs). Moreover, the monitoring processes involved in intrusion detection can also be automatically updated by dynamically updating security strategies. In terms of monitoring granularity, CADM is able to monitor the network interfaces of each VM for fine-grained network intrusion detection and network traffic acquisition. Our experimental results demonstrate that CADM gives virtualization platform administrators more convenient and efficient monitoring and administration capabilities.