Many current Intrusion Detection Systems (IDS) are vulnerable to intruders because they run under the same operating system as a potential attacker. Since an attacker often attempts to co-opt the operating system, the IDS is vulnerable to subversion. While some systems escape this flaw, they generally do so by modifying the hypervisor. VMware VProbes technology allows administrators to look inside a running virtual machine, set breakpoints, and inspect memory from a virtual machine host. The authors aim to leverage VProbes to build IDS for Linux guests that is significantly harder for an attacker to subvert, while also allowing the use of a common off the-shelf hypervisor.