Annual Computer Security Applications Conference (ACSAC) 2008


VICI – Virtual Machine Introspection for Cognitive Immunity


Timothy Fraser
The Microsoft Corporation
United States

Matthew Evenson
The Microsoft Corporation
United States

William Arbaugh
The Microsoft Corporation
United States

Abstract:
When systems are under constant attack, there is no time to restore those infected with malware to health manually; repair of infected systems must be fully automated and must occur within milliseconds. After detecting kernel-modifying rootkit infections using Virtual Machine Introspection, the VICI Agent applies a collection of novel repair techniques to automatically restore infected kernels to a healthy state. The VICI Agent operates without manual intervention and uses a form of automated reasoning borrowed from robotics to choose its best repair technique based on its assessment of the current situation, its memory of past engagements, and the potential cost of each technique. It has proven effective in tests conducted by an independent adversarial Red Team. Virtualized systems monitored by the VICI Agent experience a decrease in application performance of roughly 5%.

 
