Bridging the Introspection Semantic Gap

Virtual Machine Introspection (VMI) is a powerful basis for an Intrusion Detection System (IDS, i.e. virus/malware detection). Standard IDSs take two forms: in-host monitoring and downstream traffic interpretation. An in-host IDS has direct access to the OS state and can identify intrusions directly, but this leaves the IDS itself open to direct attack by the intruding virus/malware.

Downstream solutions are not susceptible to direct attack by malware on the system being observed, but they also lack direct access to OS state data, which makes intrusions harder to detect.

VMI leverages the virtual machine architecture to build a VMI-based IDS that has access to the guest OS state without being located in-host. A VMI IDS is therefore capable of direct intrusion detection without being susceptible to direct attack by the malware on the monitored host.