Article code | Journal code | Publication year | English article | Full-text version |
---|---|---|---|---|
454767 | 695289 | 2013 | 21-page PDF | Free download |
Intrusion detection based on learning methods is an attractive approach in the research community. Such research has two critical concerns: secure information gathering and an accurate detection method. Here we used system calls together with their arguments as a suitable pattern for describing the behavior of each process. In security applications, these patterns must be collected safely, so we proposed SHADuDT, a secure and robust hypervisor-based architecture for system call interception and information gathering that utilizes the second generation of Artificial Immune Systems (AIS) as its intrusion detection method. Generally, intrusion detection based on AISs falls into two categories. The first generation of AIS is inspired by adaptive immune reactions, but the second, called danger theory, focuses on both of these reactions to build a more biologically realistic model of the Human Immune System. Here we presented a novel algorithm in the danger theory field as the SHADuDT detection method (SHADuDT_DM) for anomaly detection, and utilized a hypervisor architecture for the SHADuDT secure auditor (SHADuDT_SA) to guarantee the safety of information gathering. We evaluated the SHADuDT architecture against several criteria and compared its detection method with classic AIS methods for anomaly detection. The evaluation results show considerable improvements in detection performance and false alarm rates while keeping execution-time and memory overheads low, by using the advantages of both hypervisor technology and Artificial Immune Systems.
Journal: Computers & Security - Volume 39, Part B, November 2013, Pages 268–288