{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,25]],"date-time":"2026-04-25T07:35:07Z","timestamp":1777102507177,"version":"3.51.4"},"reference-count":82,"publisher":"Association for Computing Machinery (ACM)","issue":"2","funder":[{"DOI":"10.13039\/501100001809","name":"China National Natural Science Foundation","doi-asserted-by":"crossref","award":["62202289, 62432010, 61925206, 62472279"],"award-info":[{"award-number":["62202289, 62432010, 61925206, 62472279"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"crossref"}]},{"name":"Fundamental and Interdisciplinary Disciplines Breakthrough Plan of the Ministry of Education of China","award":["JYB2025XDXM113"],"award-info":[{"award-number":["JYB2025XDXM113"]}]},{"name":"Alibaba Innovative Research Program"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Comput. Syst."],"published-print":{"date-parts":[[2026,5,31]]},"abstract":"<jats:p>Intrusion Detection Systems (IDSes) are widely employed to identify potential attacks in guest virtual machines (VMs). Nonetheless, traditional IDSes fall short of the demands of high-performance clouds. First, monitoring VM events increases the tail latency of guest services. Second, the throughput of traditional IDSes cannot meet high-performance cloud requirements, leading to event loss and reduced detection accuracy. Finally, cloud providers typically run complex IDS tools within the VM. Updating IDS functionality requires modifying guest VMs, which hurts maintainability.<\/jats:p>\n                  <jats:p>\n                    To overcome these challenges, this article presents EIDS, a cloud IDS framework with high performance and good maintainability. We observe that the main bottleneck is collecting VM status, and the collected status can be divided into fundamental and supplementary status. EIDS then splits the status collection procedure spatially and temporally. First, we provide a status monitor with a separate architecture that isolates the status collection logic in a microVM, thus minimizing the code in guest VMs and improving maintainability. Second, EIDS introduces a two-phase status collection method to handle multiple events in batches, asynchronously, for high IDS throughput. A tiny tracer, implemented with eBPF, operates inside the user VM to collect fundamental status. The complex status collector runs in an isolated microVM. It utilizes Virtual Machine Introspection (VMI) to gather supplementary status, using the fundamental status to bridge the semantic gap. The status collector batches the collection for multiple events to amortize the fixed overhead of microVM switching and improve event tracing throughput. Finally, to minimize tail latency overhead, a fine-grained and workload-aware scheduler executes IDS logic with small time slices during user VM idle periods. We implemented a prototype of EIDS in Linux-KVM and conducted a comprehensive evaluation. We compared EIDS\u2019s performance with Falco, an open-source IDS widely used by Kubernetes and AWS for runtime security monitoring. The results demonstrate that, compared to Falco, EIDS reduces the 99\n                    <jats:sup>th<\/jats:sup>\n                    -percentile latency overhead by\n                    <jats:bold>97%<\/jats:bold>\n                    and achieves a\n                    <jats:bold>13.8X<\/jats:bold>\n                    improvement in IDS event handling throughput.\n                  <\/jats:p>","DOI":"10.1145\/3787966","type":"journal-article","created":{"date-parts":[[2026,1,24]],"date-time":"2026-01-24T18:31:45Z","timestamp":1769279505000},"page":"1-29","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["EIDS: A Cloud Intrusion Detection System with High Performance and Maintainability"],"prefix":"10.1145","volume":"44","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3643-1668","authenticated-orcid":false,"given":"Xiaokang","family":"Hu","sequence":"first","affiliation":[{"name":"Alibaba Group","place":["Hangzhou, China"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2211-9120","authenticated-orcid":false,"given":"Zhichao","family":"Hua","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University","place":["Shanghai, China"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-6398-0340","authenticated-orcid":false,"given":"Naixuan","family":"Guan","sequence":"additional","affiliation":[{"name":"Alibaba Group","place":["Hangzhou, China"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-0308-9028","authenticated-orcid":false,"given":"Yun","family":"Xu","sequence":"additional","affiliation":[{"name":"Alibaba Group","place":["Hangzhou, China"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-3447-5577","authenticated-orcid":false,"given":"Yibin","family":"Shen","sequence":"additional","affiliation":[{"name":"Alibaba Group","place":["Hangzhou, China"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-5904-5115","authenticated-orcid":false,"given":"Yang","family":"Yu","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University","place":["Shanghai, China"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8395-1319","authenticated-orcid":false,"given":"Zeyu","family":"Mi","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University","place":["Shanghai, China"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6558-5298","authenticated-orcid":false,"given":"Yubin","family":"Xia","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University","place":["Shanghai, China"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-2702-8478","authenticated-orcid":false,"given":"Ming","family":"Wang","sequence":"additional","affiliation":[{"name":"Alibaba Group","place":["Hangzhou, China"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7417-5469","authenticated-orcid":false,"given":"Jiesheng","family":"Wu","sequence":"additional","affiliation":[{"name":"Alibaba Group","place":["Hangzhou, China"]}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2026,4,24]]},"reference":[{"key":"e_1_3_1_2_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-80825-9_13"},{"key":"e_1_3_1_3_2","first-page":"419","volume-title":"Proceedings of the 17th USENIX Symposium on Networked Systems Design and Implementation","author":"Agache Alexandru","year":"2020","unstructured":"Alexandru Agache, Marc Brooker, Alexandra Iordache, Anthony Liguori, Rolf Neugebauer, Phil Piwonka, and Diana-Maria Popa. 2020. Firecracker: Lightweight virtualization for serverless applications. In Proceedings of the 17th USENIX Symposium on Networked Systems Design and Implementation. 419\u2013434."},{"key":"e_1_3_1_4_2","first-page":"211","volume-title":"Proceedings of the 2012 International Conference for Internet Technology and Secured Transactions","author":"Alarifi Suaad S.","year":"2012","unstructured":"Suaad S. Alarifi and Stephen D. Wolthusen. 2012. Detecting anomalies in IaaS environments through virtual machine host system call analysis. In Proceedings of the 2012 International Conference for Internet Technology and Secured Transactions. IEEE, 211\u2013218."},{"key":"e_1_3_1_5_2","article-title":"Collection scope","year":"2025","unstructured":"Alibaba. Referenced 2025. Collection scope. Retrieved January 22, 2026 from https:\/\/www.alibabacloud.com\/help\/en\/security-center\/latest\/collection-scope","journal-title":"Retrieved January 22, 2026 from https:\/\/www.alibabacloud.com\/help\/en\/security-center\/latest\/collection-scope"},{"key":"e_1_3_1_6_2","article-title":"Detect reverse shells from multiple dimensions","year":"2025","unstructured":"Alibaba. Referenced 2025. Detect reverse shells from multiple dimensions. Retrieved January 22, 2026 from https:\/\/www.alibabacloud.com\/help\/en\/security-center\/latest\/detect-reverse-shells-from-multiple-dimensions","journal-title":"Retrieved January 22, 2026 from https:\/\/www.alibabacloud.com\/help\/en\/security-center\/latest\/detect-reverse-shells-from-multiple-dimensions"},{"key":"e_1_3_1_7_2","article-title":"Overview of the Security Center agent","year":"2025","unstructured":"Alibaba. Referenced 2025. Overview of the Security Center agent. Retrieved January 22, 2026 from https:\/\/www.alibabacloud.com\/help\/en\/security-center\/latest\/overview-of-the-security-center-agent","journal-title":"Retrieved January 22, 2026 from https:\/\/www.alibabacloud.com\/help\/en\/security-center\/latest\/overview-of-the-security-center-agent"},{"key":"e_1_3_1_8_2","article-title":"Alibaba Cloud Linux","year":"2025","unstructured":"AliCloud. Referenced 2025. Alibaba Cloud Linux. Retrieved January 22, 2026 from https:\/\/www.alibabacloud.com\/help\/en\/elastic-compute-service\/latest\/alibaba-cloud-linux-overview","journal-title":"Retrieved January 22, 2026 from https:\/\/www.alibabacloud.com\/help\/en\/elastic-compute-service\/latest\/alibaba-cloud-linux-overview"},{"key":"e_1_3_1_9_2","doi-asserted-by":"publisher","DOI":"10.1145\/1851182.1851192"},{"key":"e_1_3_1_10_2","article-title":"AWS Nitro Enclaves","year":"2025","unstructured":"Amazon. Referenced 2025. AWS Nitro Enclaves. Retrieved from https:\/\/aws.amazon.com\/ec2\/nitro\/nitro-enclaves\/","journal-title":"Retrieved from https:\/\/aws.amazon.com\/ec2\/nitro\/nitro-enclaves\/"},{"key":"e_1_3_1_11_2","first-page":"97","volume-title":"Proceedings of the 2018 USENIX Annual Technical Conference","author":"Amit Nadav","year":"2018","unstructured":"Nadav Amit and Michael Wei. 2018. The design and implementation of hyperupcalls. In Proceedings of the 2018 USENIX Annual Technical Conference. 97\u2013112."},{"key":"e_1_3_1_12_2","article-title":"White Paper: Red Hat Crash Utility","author":"Anderson David","year":"2025","unstructured":"David Anderson. Referenced 2025. White Paper: Red Hat Crash Utility. Retrieved January 22, 2026 from https:\/\/crash-utility.github.io\/crash_whitepaper.html","journal-title":"https:\/\/crash-utility.github.io\/crash_whitepaper.html"},{"key":"e_1_3_1_13_2","article-title":"Apache HTTP Server","year":"2025","unstructured":"Apache. Referenced 2025. Apache HTTP Server. Retrieved January 22, 2026 from https:\/\/nginx.org\/cn\/","journal-title":"Retrieved January 22, 2026 from https:\/\/nginx.org\/cn\/"},{"key":"e_1_3_1_14_2","doi-asserted-by":"publisher","DOI":"10.1145\/2254756.2254766"},{"key":"e_1_3_1_15_2","article-title":"How can I upgrade my standard Amazon Linux 2 kernel version 4.14.x to Amazon Linux Extras kernel versions?","year":"2025","unstructured":"AWS. Referenced 2025. How can I upgrade my standard Amazon Linux 2 kernel version 4.14.x to Amazon Linux Extras kernel versions? Retrieved January 22, 2026 from https:\/\/repost.aws\/knowledge-center\/amazon-linux-2-kernel-upgrade","journal-title":"Retrieved January 22, 2026 from https:\/\/repost.aws\/knowledge-center\/amazon-linux-2-kernel-upgrade"},{"key":"e_1_3_1_16_2","article-title":"Amazon Inspector Classic agents","author":"AWS Amazon","year":"2025","unstructured":"Amazon AWS. Referenced 2025. Amazon Inspector Classic agents. https:\/\/docs.aws.amazon.com\/inspector\/latest\/userguide\/inspector_agents.html","journal-title":"https:\/\/docs.aws.amazon.com\/inspector\/latest\/userguide\/inspector_agents.html"},{"key":"e_1_3_1_17_2","article-title":"Continuous runtime security monitoring with AWS Security Hub and Falco","author":"AWS Amazon","year":"2025","unstructured":"Amazon AWS. Referenced 2025. Continuous runtime security monitoring with AWS Security Hub and Falco. Retrieved January 22, 2026 from https:\/\/aws.amazon.com\/de\/blogs\/security\/continuous-runtime-security-monitoring-with-aws-security-hub-and-falco\/","journal-title":"Retrieved January 22, 2026 from https:\/\/aws.amazon.com\/de\/blogs\/security\/continuous-runtime-security-monitoring-with-aws-security-hub-and-falco\/"},{"key":"e_1_3_1_18_2","article-title":"Ops Agent metrics","author":"AWS Amazon","year":"2025","unstructured":"Amazon AWS. Referenced 2025. Ops Agent metrics. Retrieved January 22, 2026 from https:\/\/cloud.google.com\/monitoring\/api\/metrics_opsagent#agent-network","journal-title":"Retrieved January 22, 2026 from https:\/\/cloud.google.com\/monitoring\/api\/metrics_opsagent#agent-network"},{"key":"e_1_3_1_19_2","article-title":"Soft lockups during reading \/proc\/PID\/smaps","author":"Besogonov Aleksei","year":"2025","unstructured":"Aleksei Besogonov. Referenced 2025. Soft lockups during reading \/proc\/PID\/smaps. Retrieved January 22, 2026 from https:\/\/www.spinics.net\/lists\/kernel\/msg1798319.html","journal-title":"Retrieved January 22, 2026 from https:\/\/www.spinics.net\/lists\/kernel\/msg1798319.html"},{"key":"e_1_3_1_20_2","article-title":"Reading \/proc\/...\/map may result in deadlock","author":"Bugzilla Kernel.org","year":"2025","unstructured":"Kernel.org Bugzilla. Referenced 2025. Reading \/proc\/...\/map may result in deadlock. Retrieved January 22, 2026 from https:\/\/bugzilla.kernel.org\/show_bug.cgi?id=42965","journal-title":"Retrieved January 22, 2026 from https:\/\/bugzilla.kernel.org\/show_bug.cgi?id=42965"},{"key":"e_1_3_1_21_2","article-title":"Internet Worms: Current Capabilities in Awareness, Detection, Response","year":"2025","unstructured":"CAIDA. Referenced 2025. Internet Worms: Current Capabilities in Awareness, Detection, Response. Retrieved January 22, 2026 from https:\/\/www.caida.org\/catalog\/media\/2003_cisco_internet_worms\/cisco_internet_worms.pdf","journal-title":"Retrieved January 22, 2026 from https:\/\/www.caida.org\/catalog\/media\/2003_cisco_internet_worms\/cisco_internet_worms.pdf"},{"key":"e_1_3_1_22_2","article-title":"Threat Horizons","author":"Cloud Google","year":"2025","unstructured":"Google Cloud. Referenced 2025. Threat Horizons. Retrieved January 22, 2026 from https:\/\/services.google.com\/fh\/files\/misc\/gcat_threathorizons_full_nov2021.pdf","journal-title":"https:\/\/services.google.com\/fh\/files\/misc\/gcat_threathorizons_full_nov2021.pdf"},{"key":"e_1_3_1_23_2","article-title":"Virtual Machine Threat Detection overview","author":"Cloud Google","year":"2025","unstructured":"Google Cloud. Referenced 2025. Virtual Machine Threat Detection overview. Retrieved January 22, 2026 from https:\/\/cloud.google.com\/security-command-center\/docs\/concepts-vm-threat-detection-overview","journal-title":"https:\/\/cloud.google.com\/security-command-center\/docs\/concepts-vm-threat-detection-overview"},{"key":"e_1_3_1_24_2","article-title":"Cloud Native Computing Foundation","year":"2025","unstructured":"CNCF. Referenced 2025. Cloud Native Computing Foundation. Retrieved January 22, 2026 from https:\/\/www.cncf.io\/","journal-title":"Retrieved January 22, 2026 from https:\/\/www.cncf.io\/"},{"key":"e_1_3_1_25_2","article-title":"2022 Global Threat Report","year":"2025","unstructured":"CROWDSTRIKE. Referenced 2025. 2022 Global Threat Report. Retrieved January 22, 2026 from https:\/\/go.crowdstrike.com\/rs\/281-OBQ-266\/images\/Report2022GTR.pdf","journal-title":"https:\/\/go.crowdstrike.com\/rs\/281-OBQ-266\/images\/Report2022GTR.pdf"},{"key":"e_1_3_1_26_2","doi-asserted-by":"publisher","DOI":"10.1145\/3538969.3539002"},{"key":"e_1_3_1_27_2","first-page":"2443","volume-title":"Proceedings of the 31st USENIX Security Symposium","author":"Datta Pubali","year":"2022","unstructured":"Pubali Datta, Isaac Polinsky, Muhammad Adil Inam, Adam Bates, and William Enck. 2022. ALASTOR: Reconstructing the provenance of serverless intrusions. In Proceedings of the 31st USENIX Security Symposium. USENIX Association, Boston, MA, 2443\u20132460. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/datta"},{"key":"e_1_3_1_28_2","doi-asserted-by":"publisher","DOI":"10.1145\/2408776.2408794"},{"key":"e_1_3_1_29_2","article-title":"CVE-2021-33909 and CVE-2021-33910-Long Path Name in Mountpoint Flaws in the Kernel and Systemd","year":"2021","unstructured":"deepwatch. 2021. CVE-2021-33909 and CVE-2021-33910-Long Path Name in Mountpoint Flaws in the Kernel and Systemd. Retrieved January 22, 2026 from https:\/\/www.deepwatch.com\/labs\/cve-2021-33909-33910-long-path-name-mountpoint-flaws-in-kernal-and-systemd\/","journal-title":"Retrieved January 22, 2026 from https:\/\/www.deepwatch.com\/labs\/cve-2021-33909-33910-long-path-name-mountpoint-flaws-in-kernal-and-systemd\/"},{"key":"e_1_3_1_30_2","doi-asserted-by":"publisher","DOI":"10.5555\/3358807.3358866"},{"key":"e_1_3_1_31_2","doi-asserted-by":"publisher","DOI":"10.1109\/HPCC-SmartCity-DSS50907.2020.00094"},{"key":"e_1_3_1_32_2","first-page":"249","volume-title":"Proceedings of the 12th USENIX Symposium on Operating Systems Design and Implementation","author":"Gao Peter X.","year":"2016","unstructured":"Peter X. Gao, Akshay Narayan, Sagar Karandikar, Joao Carreira, Sangjin Han, Rachit Agarwal, Sylvia Ratnasamy, and Scott Shenker. 2016. Network requirements for resource disaggregation. In Proceedings of the 12th USENIX Symposium on Operating Systems Design and Implementation. 249\u2013264."},{"key":"e_1_3_1_33_2","first-page":"191","volume-title":"Proceedings of the Ndss","author":"Garfinkel Tal","year":"2003","unstructured":"Tal Garfinkel and Mendel Rosenblum. 2003. A virtual machine introspection based architecture for intrusion detection. In Proceedings of the Ndss. San Diega, CA, 191\u2013206."},{"key":"e_1_3_1_34_2","first-page":"1","volume-title":"Proceedings of the Workshop on Intrusion Detection and Network Monitoring","author":"Ghosh Anup K.","year":"1999","unstructured":"Anup K. Ghosh, Aaron Schwartzbard, and Michael Schatz. 1999. Learning program behavior profiles for intrusion detection. In Proceedings of the Workshop on Intrusion Detection and Network Monitoring. 1\u201313."},{"key":"e_1_3_1_35_2","article-title":"wrk - a HTTP benchmarking tool","author":"Glozer Will","year":"2025","unstructured":"Will Glozer. Referenced 2025. wrk - a HTTP benchmarking tool. Retrieved January 22, 2026 from https:\/\/github.com\/wg\/wrk","journal-title":"https:\/\/github.com\/wg\/wrk"},{"key":"e_1_3_1_36_2","first-page":"201","volume-title":"Proceedings of the USENIX","author":"Golding Richard","year":"1995","unstructured":"Richard Golding, Peter Bosch, and John Wilkes. 1995. Idleness is not sloth. In Proceedings of the USENIX. 201\u2013212."},{"key":"e_1_3_1_37_2","article-title":"Cloud Monitoring agent overview","year":"2025","unstructured":"Google. Referenced 2025. Cloud Monitoring agent overview. https:\/\/cloud.google.com\/monitoring\/agent\/monitoring","journal-title":"https:\/\/cloud.google.com\/monitoring\/agent\/monitoring"},{"key":"e_1_3_1_38_2","doi-asserted-by":"publisher","DOI":"10.1145\/2248487.2151020"},{"key":"e_1_3_1_39_2","doi-asserted-by":"publisher","DOI":"10.1007\/s11277-014-2136-x"},{"key":"e_1_3_1_40_2","doi-asserted-by":"publisher","DOI":"10.3233\/JCS-980109"},{"key":"e_1_3_1_41_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICNSS.2011.6059967"},{"key":"e_1_3_1_42_2","article-title":"Global DDoS Threat Landscape Report","year":"2025","unstructured":"imperva. Referenced 2025. Global DDoS Threat Landscape Report. Retrieved January 22, 2026 from https:\/\/www.imperva.com\/resources\/resource-library\/reports\/ddos-threat-landscape-report-report-ty?lang=EN&asset_id=4828","journal-title":"Retrieved January 22, 2026 from https:\/\/www.imperva.com\/resources\/resource-library\/reports\/ddos-threat-landscape-report-report-ty?lang=EN&asset_id=4828"},{"key":"e_1_3_1_43_2","volume-title":"Proceedings of the 14th ACM Conference on Computer and Communications Security, Alexandria, VA (November 2007)","author":"Jiang X.","year":"2007","unstructured":"X. Jiang, X. Wang, and D. Xu. 2007. Stealthy malware detection through VMM-based out-of-the-boxsemantic view. In Proceedings of the 14th ACM Conference on Computer and Communications Security, Alexandria, VA (November 2007)."},{"key":"e_1_3_1_44_2","doi-asserted-by":"publisher","DOI":"10.1145\/1346256.1346269"},{"key":"e_1_3_1_45_2","first-page":"1","volume-title":"Proceedings of the USENIX Annual Technical Conference, General Track","author":"Jones Stephen T.","year":"2006","unstructured":"Stephen T. Jones, Andrea C. Arpaci-Dusseau, and Remzi H. Arpaci-Dusseau Arpaci-Dusseau. 2006. Antfarm: Tracking processes in a virtual machine environment. In Proceedings of the USENIX Annual Technical Conference, General Track. 1\u201314."},{"key":"e_1_3_1_46_2","article-title":"LSM BPF Programs","author":"Kernel The Linux","year":"2025","unstructured":"The Linux Kernel. Referenced 2025. LSM BPF Programs. Retrieved January 22, 2026 from https:\/\/docs.kernel.org\/bpf\/prog_lsm.html","journal-title":"Retrieved January 22, 2026 from https:\/\/docs.kernel.org\/bpf\/prog_lsm.html"},{"key":"e_1_3_1_47_2","article-title":"kernel oops when reading \/proc\/bus\/pci\/00\/01.00 with odd size and odd alignment","author":"King Colin","year":"2025","unstructured":"Colin King. Referenced 2025. kernel oops when reading \/proc\/bus\/pci\/00\/01.00 with odd size and odd alignment. Retrieved January 22, 2026 from https:\/\/lore.kernel.org\/all\/f26b1e6f-f3fc-191b-e613-c0b5748e26ef@gmail.com\/T\/","journal-title":"Retrieved January 22, 2026 from https:\/\/lore.kernel.org\/all\/f26b1e6f-f3fc-191b-e613-c0b5748e26ef@gmail.com\/T\/"},{"key":"e_1_3_1_48_2","first-page":"61","volume-title":"Proceedings of the 2014 USENIX Annual Technical Conference","author":"Kivity Avi","year":"2014","unstructured":"Avi Kivity, Dor Laor, Glauber Costa, Pekka Enberg, Nadav HarEl, Don Marti, and Vlad Zolotarov. 2014. OSvoptimizing the operating system for virtual machines. In Proceedings of the 2014 USENIX Annual Technical Conference. 61\u201372."},{"key":"e_1_3_1_49_2","doi-asserted-by":"publisher","DOI":"10.5555\/647253.720290"},{"key":"e_1_3_1_50_2","first-page":"70","volume-title":"Proceedings of the USENIX Security Symposium","author":"Litty Lionel","year":"2008","unstructured":"Lionel Litty, H. Andr\u00e9s Lagar-Cavilla, and David Lie. 2008. Hypervisor support for identifying covertly executing binaries. In Proceedings of the USENIX Security Symposium. 70."},{"key":"e_1_3_1_51_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2020.106348"},{"key":"e_1_3_1_52_2","unstructured":"Greg Lorence. 2026. Informatica HP and Mellanox\/Voltaire Benchmark Report. Retrieved January 22 2026 from https:\/\/network.nvidia.com\/sites\/default\/files\/related-docs\/whitepapers\/Informatica-HP-Mellanox-Voltaire-2011-Benchmarks1532.pdf"},{"key":"e_1_3_1_53_2","doi-asserted-by":"publisher","DOI":"10.1145\/3132747.3132763"},{"key":"e_1_3_1_54_2","first-page":"279","volume-title":"Proceedings of the USENIX Annual Technical Conference","author":"McVoy Larry W.","year":"1996","unstructured":"Larry W. McVoy and Carl Staelin. 1996. lmbench: Portable Tools for Performance Analysis. In Proceedings of the USENIX Annual Technical Conference. San Diego, CA, USA, 279\u2013294."},{"key":"e_1_3_1_55_2","article-title":"Mellanox\/sockperf: Network Benchmarking Utility","year":"2025","unstructured":"Mellanox. Referenced 2025. Mellanox\/sockperf: Network Benchmarking Utility. Retrieved January 22, 2026 from https:\/\/github.com\/Mellanox\/sockperf","journal-title":"Retrieved January 22, 2026 from https:\/\/github.com\/Mellanox\/sockperf"},{"key":"e_1_3_1_56_2","article-title":"memcached - a distributed memory object caching system","year":"2025","unstructured":"Memcached. Referenced 2025. memcached - a distributed memory object caching system. Retrieved January 22, 2026 from https:\/\/memcached.org\/","journal-title":"Retrieved January 22, 2026 from https:\/\/memcached.org\/"},{"key":"e_1_3_1_57_2","article-title":"Azure Diagnostics extension overview","year":"2025","unstructured":"Microsoft. Referenced 2025. Azure Diagnostics extension overview. Retrieved January 22, 2026 from https:\/\/learn.microsoft.com\/en-us\/azure\/azure-monitor\/agents\/diagnostics-extension-overview","journal-title":"Retrieved January 22, 2026 from https:\/\/learn.microsoft.com\/en-us\/azure\/azure-monitor\/agents\/diagnostics-extension-overview"},{"key":"e_1_3_1_58_2","article-title":"Install Log Analytics agent on Linux computers","year":"2025","unstructured":"Microsoft. Referenced 2025. Install Log Analytics agent on Linux computers. Retrieved January 22, 2026 from https:\/\/docs.microsoft.com\/en-us\/azure\/azure-monitor\/agents\/agent-linux","journal-title":"Retrieved January 22, 2026 from https:\/\/docs.microsoft.com\/en-us\/azure\/azure-monitor\/agents\/agent-linux"},{"issue":"3","key":"e_1_3_1_59_2","first-page":"957","article-title":"Vmguard: A vmi-based security architecture for intrusion detection in cloud environment","volume":"8","author":"Mishra Preeti","year":"2018","unstructured":"Preeti Mishra, Vijay Varadharajan, Emmanuel S. Pilli, and Uday Tupakula. 2018. Vmguard: A vmi-based security architecture for intrusion detection in cloud environment. IEEE Transactions on Cloud Computing 8, 3 (2018), 957\u2013971.","journal-title":"IEEE Transactions on Cloud Computing"},{"key":"e_1_3_1_60_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jisa.2020.102460"},{"key":"e_1_3_1_61_2","article-title":"BlueKeep Exploit Developed That Allows Full Takeover of Windows 7 or Windows 2008 Device in 22 Seconds","year":"2025","unstructured":"NetSec. Referenced 2025. BlueKeep Exploit Developed That Allows Full Takeover of Windows 7 or Windows 2008 Device in 22 Seconds. Retrieved January 22, 2026 from https:\/\/www.netsec.news\/bluekeep-exploit-developed-that-allows-full-takeover-of-windows-7-or-windows-2008-device-in-22-seconds\/","journal-title":"Retrieved January 22, 2026 from https:\/\/www.netsec.news\/bluekeep-exploit-developed-that-allows-full-takeover-of-windows-7-or-windows-2008-device-in-22-seconds\/"},{"key":"e_1_3_1_62_2","first-page":"385","volume-title":"Proceedings of the 10th USENIX Symposium on Networked Systems Design and Implementation","author":"Nishtala Rajesh","year":"2013","unstructured":"Rajesh Nishtala, Hans Fugal, Steven Grimm, Marc Kwiatkowski, Herman Lee, Harry C. Li, Ryan McElroy, Mike Paleczny, Daniel Peek, Paul Saab, et\u00a0al. 2013. Scaling memcache at facebook. In Proceedings of the 10th USENIX Symposium on Networked Systems Design and Implementation. 385\u2013398."},{"key":"e_1_3_1_63_2","first-page":"361","volume-title":"Proceedings of the 16th USENIX Symposium on Networked Systems Design and Implementation","author":"Ousterhout Amy","year":"2019","unstructured":"Amy Ousterhout, Joshua Fried, Jonathan Behrens, Adam Belay, and Hari Balakrishnan. 2019. Shenango: Achieving high CPU efficiency for latency-sensitive datacenter workloads. In Proceedings of the 16th USENIX Symposium on Networked Systems Design and Implementation. 361\u2013378."},{"key":"e_1_3_1_64_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2008.24"},{"key":"e_1_3_1_65_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2007.10"},{"key":"e_1_3_1_66_2","volume-title":"Latency-driven Performance in Data Centres","author":"Popescu Diana Andreea","year":"2019","unstructured":"Diana Andreea Popescu. 2019. Latency-driven Performance in Data Centres. Ph. D. Dissertation. University of Cambridge."},{"key":"e_1_3_1_67_2","doi-asserted-by":"publisher","DOI":"10.1145\/3132747.3132780"},{"key":"e_1_3_1_68_2","article-title":"Redis Database","year":"2025","unstructured":"Redis. Referenced 2025. Redis Database. Retrieved January 22, 2026 from https:\/\/redis.io","journal-title":"Retrieved January 22, 2026 from https:\/\/redis.io"},{"key":"e_1_3_1_69_2","article-title":"memtier_benchmark","year":"2025","unstructured":"RedisLabs. Referenced 2025. memtier_benchmark. Retrieved January 22, 2026 from https:\/\/github.com\/RedisLabs\/memtier_benchmark","journal-title":"https:\/\/github.com\/RedisLabs\/memtier_benchmark"},{"key":"e_1_3_1_70_2","article-title":"Four ways to secure cloud workloads and your crown jewels","author":"Director Virsec Robert Nobilo, ANZ Regional","year":"2025","unstructured":"Virsec Robert Nobilo, ANZ Regional Director. Referenced 2025. Four ways to secure cloud workloads and your crown jewels. Retrieved January 22, 2026 from https:\/\/securitybrief.com.au\/story\/four-ways-to-secure-cloud-workloads-and-your-crown-jewels","journal-title":"Retrieved January 22, 2026 from https:\/\/securitybrief.com.au\/story\/four-ways-to-secure-cloud-workloads-and-your-crown-jewels"},{"key":"e_1_3_1_71_2","first-page":"11","volume-title":"Proceedings of the HotOS","author":"Rumble Stephen M.","year":"2011","unstructured":"Stephen M. Rumble, Diego Ongaro, Ryan Stutsman, Mendel Rosenblum, and John K. Ousterhout. 2011. It\u2019s time for low latency. In Proceedings of the HotOS. 11\u201311."},{"key":"e_1_3_1_72_2","unstructured":"Samsung. 2026. Ultra-low latency with samsung Z-NAND ssd. Retrieved January 22 2026 from https:\/\/download.semiconductor.samsung.com\/resources\/brochure\/Ultra-Low%20Latency%20with%20Samsung%20Z-NAND%20SSD.pdf"},{"key":"e_1_3_1_73_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-00470-5_31"},{"key":"e_1_3_1_74_2","first-page":"227","volume-title":"Proceedings of the 16th USENIX Conference on File and Storage Technologies","author":"Son Yongseok","year":"2018","unstructured":"Yongseok Son, Sunggon Kim, Heon Y. Yeom, and Hyuck Han. 2018. High-performance transaction processing in journaling file systems. In Proceedings of the 16th USENIX Conference on File and Storage Technologies. 227\u2013240."},{"key":"e_1_3_1_75_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.sysarc.2024.103130"},{"key":"e_1_3_1_76_2","article-title":"Falco Code","year":"2025","unstructured":"sysdig. Referenced 2025. Falco Code. Retrieved January 22, 2026 from https:\/\/github.com\/falcosecurity\/falco","journal-title":"Retrieved January 22, 2026 from https:\/\/github.com\/falcosecurity\/falco"},{"key":"e_1_3_1_77_2","article-title":"The Falco Project","year":"2025","unstructured":"sysdig. Referenced 2025. The Falco Project. Retrieved January 22, 2026 from https:\/\/falco.org\/","journal-title":"Retrieved January 22, 2026 from https:\/\/falco.org\/"},{"key":"e_1_3_1_78_2","article-title":"RoCE vs. iWARP Com- petitive Analysis","author":"Technologies Mellanox","year":"2025","unstructured":"Mellanox Technologies. Referenced 2025. RoCE vs. iWARP Com- petitive Analysis. Retrieved January 22, 2026 from https:\/\/www.mellanox.com\/related-docs\/whitepapers\/WP_RoCE_vs_iWARP.pdf","journal-title":"Retrieved January 22, 2026 from https:\/\/www.mellanox.com\/related-docs\/whitepapers\/WP_RoCE_vs_iWARP.pdf"},{"key":"e_1_3_1_79_2","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.1999.766910"},{"key":"e_1_3_1_80_2","doi-asserted-by":"publisher","DOI":"10.1109\/CIT.2012.119"},{"key":"e_1_3_1_81_2","doi-asserted-by":"publisher","DOI":"10.1109\/SC2.2018.00016"},{"key":"e_1_3_1_82_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2021.06.030"},{"key":"e_1_3_1_83_2","first-page":"799","volume-title":"Proceedings of the 26th USENIX Security Symposium","author":"Zhao Siqi","year":"2017","unstructured":"Siqi Zhao, Xuhua Ding, Wen Xu, and Dawu Gu. 2017. Seeing through the same lens: Introspecting guest address space at native speed. In Proceedings of the 26th USENIX Security Symposium. 799\u2013813."}],"container-title":["ACM Transactions on Computer Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3787966","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,25]],"date-time":"2026-04-25T06:39:01Z","timestamp":1777099141000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3787966"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,4,24]]},"references-count":82,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2026,5,31]]}},"alternative-id":["10.1145\/3787966"],"URL":"https:\/\/doi.org\/10.1145\/3787966","relation":{},"ISSN":["0734-2071","1557-7333"],"issn-type":[{"value":"0734-2071","type":"print"},{"value":"1557-7333","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,4,24]]},"assertion":[{"value":"2024-12-28","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-12-12","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2026-04-24","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}