Flux Research Group / School of Computing

A Wingman for Virtual Appliances

Prashanth Nayak, Mike Hibler, David Johnson, and Eric Eide

Runtime Verification: 17th International Conference, RV 2017 (RV) 2017.

DOI: 10.1007/978-3-319-67531-2_25

Operating Systems, Security, Virtualization, Cloud


Wingman is a run-time monitoring system that aims to detect and mitigate anomalies, including malware infections, within virtual appliances (VAs). It observes the kernel state of a VA and uses an expert system to determine when that state is anomalous. Wingman does not simply restart a compromised VA; instead, it attempts to repair the VA, thereby minimizing potential downtime and state loss. This paper describes Wingman and summarizes experiments in which it detected and mitigated three types of malware within a web-server VA. For each attack, Wingman was able to defend the VA by bringing it to an acceptable state.