Slick: An Intrusion Detection System for Virtualized Storage Devices

A. Bacs, C. Giuffrida, B. Grill, H.J. Bos

Research output: Chapter in Book / Report / Conference proceedingConference contributionAcademicpeer-review


Cloud computing is rapidly reshaping the server administration landscape. The widespread use of virtualization and the increasingly high server consolidation ratios, in particular, have introduced unprecedented security challenges for users, increasing the exposure to intrusions and opening up new opportunities for attacks. Deploying security mechanisms in the hypervisor to detect and stop intrusion attempts is a promising strategy to address this problem. Existing hypervisor-based solutions, however, are typically limited to very specific classes of attacks and introduce exceedingly high performance overhead for production use.

In this paper, we present Slick (Storage-Level Intrusion ChecKer), an intrusion detection system (IDS) for virtualized storage devices. Slick detects intrusion attempts by efficiently and transparently monitoring write accesses to critical regions on storage devices. The low-overhead monitoring component operates entirely inside the hypervisor, with no introspection or modifications required in the guest VMs. Using Slick, users can deploy generic IDS rules to detect a broad range of real-world intrusions in a flexible and practical way. Experimental results confirm that Slick is effective at enhancing the security of virtualized servers, while imposing less than 5% overhead in production.
Original languageEnglish
Title of host publicationProceedings of the 31st Annual ACM Symposium on Applied Computing, Pisa, Italy, April 4-8, 2016
EditorsSascha Ossowski
ISBN (Electronic)978-1-4503-3739-7
Publication statusPublished - 2016


  • Intrusion detection
  • Virtual storage
  • Bootkit detection


Dive into the research topics of 'Slick: An Intrusion Detection System for Virtualized Storage Devices'. Together they form a unique fingerprint.

Cite this