Out-of-Band Detection of Boot-Sequence Termination Events

The popularization of both virtualization and CDP technologies means that we can now watch the disk accesses of systems from entities that are not controlled by the OS. This is a rich source of information about the system's inner workings. In this paper, we explore one way of mining this stream of data to determine whether the system has finished booting. Systems that we detect as failing to boot (or as taking too long to boot) are flagged for further manual or automatic remediation.

By performing this detection out-of-band, we gain a head start on any detection scheme that runs within the OS and must therefore wait for the boot to finish. Additionally, our scheme is agnostic to file-system layout and to kernel architecture. This opens up the possibility of monitoring large pools of existing machines with no need to modify their software or even notify their owners. We show that, apart from signaling readiness for activity, we can potentially also detect major changes in the file layout of the system, which is a possible indication of intentional upgrades or malicious activity.

We implemented our solution for the x86 architecture under two different virtualization platforms, and tested it on both Windows and Linux virtual machines. Under a variety of workloads and configurations, our detector managed to successfully identify the boot termination event, in most cases within 5 seconds of the event.

By: Naama Parush; Dan Pelleg; Muli Ben-Yehuda; Paula Ta-Shma

Published as: IBM Research Report H-0268, 2008

LIMITED DISTRIBUTION NOTICE:

This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties).
