Intrusion detection systems

US11308202B2 · US · B2

Patent metadata
Publication number: US-11308202-B2
Application number: US-201816486331-A
Country: US
Kind code: B2
Filing date: Jun 7, 2018
Priority date: Jun 7, 2017
Publication date: Apr 19, 2022
Grant date: Apr 19, 2022


Abstract

Official abstract text for this publication.

An intrusion detection system, comprising a monitor to receive messages from a target over a low-latency communication link comprising a controlled access memory structure logically positioned between the target and the monitor using point-to-point interconnects, the controlled access memory structure to receive a message from the target indicating that the target has entered a controlled mode of operation.

First claim

Opening claim text (preview).

The invention claimed is:

1. An intrusion detection system, comprising: a monitor to receive messages from a target over a communication link comprising a controlled access memory structure logically positioned between the target and the monitor using a point-to-point interconnect, the controlled access memory structure to store the messages including a message from the target indicating that the target has entered a System Management Mode (SMM) that is a privileged execution mode of a central processing unit (CPU), the monitor to compare the messages retrieved from the controlled access memory structure to information of an expected behavior of the target, for detecting a deviation from the expected behavior that is indicative of an intrusion.

2. The intrusion detection system of claim 1, wherein the controlled access memory structure comprises a linear or circular array in which the messages are processed in an order in which the messages are received.

3. The intrusion detection system of claim 1, wherein a physical address of the target is mapped to the monitor.

4. The intrusion detection system of claim 1, wherein the monitor has exclusive access to the communication link while the target is executing.

5. The intrusion detection system of claim 1, wherein the monitor comprises a virtual machine instantiated over physical hardware allocated in a virtualized system using a hypervisor.

6. The intrusion detection system of claim 5, wherein the monitor comprises the hypervisor.

7. The intrusion detection system of claim 1, wherein the controlled access memory structure is provided as part of the target or the monitor or as a standalone component.

8. An intrusion detection system comprising a communication link between a target and a monitor, the communication link comprising a controlled access memory structure logically positioned between the target and the monitor using a point-to-point interconnect, the controlled access memory structure to receive a message from the target indicating that the target has entered a System Management Mode (SMM) of operation that is a privileged execution mode of a central processing unit (CPU).

9. The intrusion detection system of claim 8, wherein the target comprises a mapping from a physical address of the target to the monitor.

10. The intrusion detection system of claim 8, further comprising the monitor that has exclusive access to the communication link while the target is executing.

11. A monitor in an intrusion detection system, the monitor to: receive messages from a monitored component over a low-latency communication link comprising a controlled access memory structure logically positioned between the monitored component and the monitor using a point-to-point interconnect, the controlled access memory structure to receive messages from the monitored component, the messages including a message indicating that the monitored component has entered a System Management Mode (SMM) that is a privileged execution mode of a central processing unit (CPU); and compare the messages retrieved from the controlled access memory structure to information of an expected behavior of the monitored component, for detecting a deviation from the expected behavior that is indicative of an intrusion.

12. The monitor of claim 11, wherein the controlled access memory structure comprises a linear or circular array in which the messages received from the monitored component are processed in an order in which the messages are received.

13. The monitor of claim 11, wherein the controlled access memory structure comprises a mapping to a physical address of the monitored component.

14. The monitor of claim 11, wherein the monitor is a virtual machine instantiated over physical hardware allocated in a virtualized system using a hypervisor.

15. The monitor of claim 14, wherein the virtual machine comprises a secure execution environment inaccessible to other components of the virtualized system.

16. A non-transitory machine-readable storage medium encoded with instructions executable by a processor of a monitor to: receive first messages from a monitored component over a low-latency communication link comprising a controlled access memory structure logically positioned between the monitored component and the monitor using a point-to-point interconnect; and receive a message from the monitored component indicating that the monitored component has entered a System Management Mode (SMM) that is a privileged execution mode of a central processing unit (CPU).

17. The non-transitory machine-readable storage medium of claim 16, wherein the instructions are executable by the processor of the monitor to: compare the first messages retrieved from the controlled access memory structure to information of an expected behavior of the monitored component, for detecting a deviation from the expected behavior that is indicative of an intrusion.

Classifications

  • Message passing systems or structures, e.g. queues

  • Buffers; Shared memory; Pipes

  • Monitoring or debugging support

  • Hypervisor-specific management and integration aspects

  • Isolation or security of virtual machine instances

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Hewlett Packard Development Co
What technology area does this patent fall under?
Primary CPC classification G06F21/52. Mapped technology areas include Physics.
When was this patent published?
Publication date Apr 19, 2022 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).