Journal of Tsinghua University (Science and Technology) 2018, Vol. 58, Issue 4: 395-401, 410    DOI: 10.16511/j.cnki.qhdxxb.2018.25.018
Section: Computer Science and Technology
Anomaly detection based on IO sequences in a virtual machine with the Markov model
CHEN Xingshu1, CHEN Jiaxin2, ZHAO Dandan2, JIN Xin2
1. Cybersecurity Research Institute, Sichuan University, Chengdu 610065, China;
2. School of Computing, Sichuan University, Chengdu 610065, China
Abstract: To detect abnormal IO behaviour inside virtual machines and to discover known and unknown virtual machine escape attacks in time, this paper proposes an anomaly detection method based on virtual machine IO sequences, built on hardware-assisted virtualization. The method consists of: an asynchronous acquisition technique that efficiently collects the IO sequences of a virtual machine; a mapping between the IO sequences and the processes running inside the virtual machine, which gives a fine-grained, per-process description of the virtual machine's own IO behaviour; and an algorithm that generates short IO sequences using a double-layer hash table, with a Markov chain model that detects anomalous IO sequences. A prototype system, VMDec (virtual machine detecting), was designed and implemented on KVM (Kernel-based Virtual Machine) and evaluated experimentally for both functionality and performance. The results show that VMDec effectively detects IO-based malicious attacks inside the virtual machine as well as known and unknown virtual machine escape attacks, with an acceptable false-alarm rate and performance overhead.
Key words: IO sequence; anomaly detection; virtual machine (VM) escape; Markov chain; short sequence
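The abstract names the three moving parts of the detector (per-process attribution of trapped IO events, short-sequence generation through a two-level table, and a Markov chain that scores sequences) without showing how they fit together. The following is an added illustration written for this page, not code from the paper or the VMDec prototype. The process names, the IO symbols, both traces and the alert threshold are constructed; the dict-of-dicts stands in for the paper's double-layer hash table (an assumed layout: process at the first level, short sequence at the second), and training on the full per-process stream rather than on the windows is this example's choice. Note the second anomaly: the log daemon's network IO is probable under the chain (the web server does it all the time), and is caught only because sequences are keyed by the issuing guest process, which is why the paper bothers to map IO back to task_struct.

```python
"""
Added illustration (not the paper's or VMDec's code): per-process short
sequences of VM IO events, a two-level table of normal short sequences
(process -> short sequence -> count), and a first-order Markov chain over
IO symbols used to flag improbable or unknown short sequences.
All symbols, process names and traces below are constructed.
"""
import math
from collections import defaultdict

# Constructed IO symbols: device and direction of a trapped guest IO operation.
# On KVM such an event would be recorded at the VM exit for the port/MMIO access,
# with the issuing guest process recovered from its task_struct.
RX, TX, CMD, DATA, FDC = "e1000:rx", "e1000:tx", "ide:cmd", "ide:data", "fdc:fifo"


def build_trace(streams):
    """streams: {process: [symbol, ...]} -> flat list of (process, symbol) events."""
    return [(proc, sym) for proc, syms in streams.items() for sym in syms]


# Normal behaviour used for training (constructed): a web server alternating
# network and disk IO, and a log daemon that only does disk IO.
NORMAL_TRACE = build_trace({
    "httpd": [RX, CMD, DATA, TX] * 5,
    "rsyslogd": [CMD, DATA] * 5,
})

# Test trace (constructed): httpd suddenly hammers the floppy controller FIFO,
# and rsyslogd starts doing network IO it has never done before.
TEST_TRACE = build_trace({
    "httpd": [RX, CMD, DATA, TX] * 2 + [FDC] * 4 + [RX, CMD, DATA, TX],
    "rsyslogd": [CMD, DATA] * 2 + [TX, RX] + [CMD, DATA],
})


def per_process(trace):
    """Group the flat event list back into one symbol stream per guest process."""
    streams = defaultdict(list)
    for proc, sym in trace:
        streams[proc].append(sym)
    return streams


def short_sequences(symbols, k):
    """Sliding windows of length k over one process's IO symbol stream."""
    return [tuple(symbols[i:i + k]) for i in range(len(symbols) - k + 1)]


class VMIODetector:
    def __init__(self, k=3, threshold=math.log(0.1)):
        self.k = k
        self.threshold = threshold  # assumed cut-off on the sequence log-probability
        # Two-level table: process -> short sequence -> count seen in training.
        self.table = defaultdict(lambda: defaultdict(int))
        # Markov chain transition counts: symbol -> next symbol -> count.
        self.trans = defaultdict(lambda: defaultdict(int))

    def train(self, trace):
        for proc, syms in per_process(trace).items():
            for seq in short_sequences(syms, self.k):
                self.table[proc][seq] += 1
            for a, b in zip(syms, syms[1:]):
                self.trans[a][b] += 1

    def transition_prob(self, a, b):
        nxt = self.trans.get(a)
        if not nxt:
            return 0.0
        return nxt.get(b, 0) / sum(nxt.values())

    def log_prob(self, seq):
        """Log-probability of the transitions inside one short sequence; -inf if any is unseen."""
        logp = 0.0
        for a, b in zip(seq, seq[1:]):
            p = self.transition_prob(a, b)
            if p == 0.0:
                return float("-inf")
            logp += math.log(p)
        return logp

    def detect(self, trace):
        """One alert per anomalous short sequence: (process, seq, reason, log-probability)."""
        alerts = []
        for proc, syms in per_process(trace).items():
            known = self.table.get(proc, {})
            for seq in short_sequences(syms, self.k):
                lp = self.log_prob(seq)
                if lp < self.threshold:
                    alerts.append((proc, seq, "improbable-transition", lp))
                elif seq not in known:
                    alerts.append((proc, seq, "unknown-for-process", lp))
        return alerts


if __name__ == "__main__":
    det = VMIODetector(k=3)
    det.train(NORMAL_TRACE)
    for proc, seq, reason, lp in det.detect(TEST_TRACE):
        print(f"{proc:9s} {reason:22s} logp={lp:7.3f} {seq}")
```

Running the block flags the six httpd windows that touch the floppy FIFO as improbable (an unseen transition gives log-probability minus infinity) and the four rsyslogd windows that contain network IO as unknown for that process, while the normal trace itself produces no alerts.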
Received: 2017-08-18      Published: 2018-04-15
CLC (ZTFLH): TP309
Funding: National Natural Science Foundation of China (61272447)
About the author: CHEN Xingshu (born 1968), female, professor. E-mail: chenxsh@scu.edu.cn
Cite this article:
CHEN Xingshu, CHEN Jiaxin, ZHAO Dandan, JIN Xin. Anomaly detection based on IO sequences in a virtual machine with the Markov model. Journal of Tsinghua University (Science and Technology), 2018, 58(4): 395-401, 410.
Link to this article:
http://jst.tsinghuajournals.com/CN/10.16511/j.cnki.qhdxxb.2018.25.018  or  http://jst.tsinghuajournals.com/CN/Y2018/V58/I4/395
Figures and tables in the full text:
Fig. 1 Overall architecture of VMDec
Fig. 2 Asynchronous acquisition process
Fig. 3 Relationship between task_struct and thread_info
Fig. 4 Dynamic acquisition of virtual machine process semantics
Fig. 5 Double-layer hash table
Fig. 6 Virtual machine IO short-sequence generation algorithm
Table 1 Functional test results
Table 2 Performance test results
Copyright © Editorial Office of the Journal of Tsinghua University (Science and Technology)