A novel approach for a file-system integrity monitor tool of Xen virtual machine
Full text: PDF (254 KB)
Source: ASIAN ACM Symposium on Information, Computer and Communications Security archive
Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security
Singapore
SESSION: Applications & security policy
Pages: 194 - 202
Year of Publication: 2007
ISBN: 1-59593-574-6
Authors
Nguyen Anh Quynh, Keio University, Fujisawa, Japan
Yoshiyasu Takefuji, Keio University, Fujisawa, Japan
Sponsor
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 24,   Downloads (12 Months): 189,   Citation Count: 1
DOI: http://doi.acm.org/10.1145/1229285.1229313
ABSTRACT

File-system integrity tools (FIT) are a commonly deployed class of host-based intrusion detection system (HIDS) used to detect unauthorized file-system changes. Although FIT are widely used, this kind of HIDS has many drawbacks: detection is not done in real time, which can render the whole scheme useless if the attacker manages to take over the system with privileged access in the interval between scans. The administrator also has considerable trouble keeping the baseline database up to date. Moreover, both the database and the FIT itself are vulnerable once the attacker gains local privileged access. This paper presents a novel approach to address these outstanding problems of current FIT. We propose the design and implementation of a tool named XenFIT for Xen virtual machines. XenFIT monitors and raises alarms on intrusion in real time, and our approach does not require creating and updating a database as the legacy methods do. XenFIT works by dynamically patching the memory of the protected machine, so no kernel code or user-space application needs to be installed in the protected machines. As a result, XenFIT is almost effortless to deploy and maintain. In addition, thanks to the advantage introduced by Xen, the security policies as well as the detection process reside in a secure machine, so XenFIT is tamper-resistant against attack, even if the attacker takes over the whole VM being penetrated. Finally, if deployed strictly, XenFIT is able to function very stealthily, avoiding the intruder's suspicion.



