Research on Virtualization Security Monitoring Model and Method Based on Memory Introspection

Posted on: 2019-12-08 | Degree: Doctor | Type: Dissertation | Country: China | Candidate: S H Zhang | Full Text: PDF | GTID: 1368330572490952 | Subject: Computer Science and Technology

Abstract/Summary:

With the rapid development of cloud computing, new security challenges have appeared and the security situation is not optimistic. The number of attacks on cloud platforms grows every year, and virtual machines, as the infrastructure of cloud computing, are the main targets of these attacks. Besides traditional threats such as viruses, Trojans, denial-of-service attacks and overflow attacks, virtual machines face virtualization-specific risks such as virtual machine escape and virtual machine hopping. Reliable and efficient security monitoring technology that can protect a target virtual machine is therefore an important research topic in network security.

This dissertation takes memory forensics as its starting point, establishes a virtual machine security monitoring model based on memory introspection, and then studies how to reconstruct the running state of the host machine and its virtual machines and how to detect abnormal behaviour. The main contributions are as follows:

(1) A virtual machine security monitoring model based on memory introspection. Because co-residence attacks and latent malicious code are hard to detect in a virtualized environment, a monitoring model based on memory introspection is established. By analyzing changes in the host machine's memory in real time, abnormal behaviour in both the host and its virtual machines can be discovered. Compared with the traditional monitoring model, no agent has to be installed in the target machines. Compared with existing VMI (Virtual Machine Introspection) methods, information acquisition does not rely on API (Application Programming Interface) functions of the VMM (Virtual Machine Monitor) or of the host machine, which gives the model better real-time behaviour, resistance to attack and reliability.

(2) A Linux memory analysis method based on kernel code reconstruction. Existing Linux memory analysis methods have a limited processing scope and a low degree of automation, so a new method based on kernel code reconstruction is proposed. It identifies the operating system version automatically, without any prior knowledge. By decompiling kernel functions such as update_iter and get_ksymbol_core, which reference the compressed kallsyms tables, the kernel symbol table can be parsed out of the memory content. Selected symbols are then used to acquire the running processes, loaded modules, network connections and open files. The method is generally applicable and removes the assumption of previous methods that the kernel version is known in advance; in other words, it provides a more general approach to Linux memory analysis.

(3) A virtual machine running-state reconstruction method based on the VMCS (Virtual Machine Control Structure). For virtual machines running in KVM (Kernel-based Virtual Machine) and XenServer environments, a virtual machine memory forensics method based on the VMCS is proposed. Starting from an analysis of the host machine's memory, the kernel symbols and kernel structures related to the VMCS are parsed out. The doubly linked list that holds the VMCS structures is then traversed to detect the running virtual machines, the physical memory of each virtual machine is obtained, and its running state is reconstructed. This bridges the semantic gap. Compared with previous VMI technologies, the information obtained is more accurate and comprehensive.

(4) A host/virtual machine anomaly analysis method based on graph and time-series analysis. On the basis of the physical memory analysis of the host and its virtual machines, malicious code is detected through hidden process/DLL analysis, process/DLL injection analysis and path constant analysis. Process and log information from the host and virtual machines is used to build a process relationship graph, and analysis of abnormal behaviour in that graph allows virtual machine escape to be detected.

Based on the above research, an effective security monitoring solution is provided for virtualized environments. Administrators can monitor the status of the target virtual machine in real time, obtain a comprehensive picture of its running state, and take effective emergency response measures when malicious behaviour is discovered. The research has theoretical significance for improving the security of virtual machine systems on cloud platforms and for building a trustworthy virtualized environment, and practical value for combating cybercrime.

Keywords/Search Tags: virtual machine, memory introspection, memory forensics, memory analysis, KVM, XenServer, monitoring model, running state reconstruction
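Contribution (2) rests on recovering the kernel symbol table from the compressed kallsyms tables that update_iter and get_ksymbol_core read. The Python below is an added worked example, not code from the dissertation: it builds a constructed memory image in the layout those functions expect (kallsyms_names, kallsyms_token_table, kallsyms_token_index, kallsyms_addresses), decodes it the way the kernel's kallsyms_expand_symbol does, and then resolves linux_banner to read the version string, which is how a version can be identified without prior knowledge once the symbols are known. The token fragments, symbol names, addresses, the VBASE mapping and the absolute-address layout are all assumptions for the example; kernels built with CONFIG_KALLSYMS_BASE_RELATIVE store 32-bit offsets relative to kallsyms_relative_base instead, and newer kernels may use a two-byte length prefix for long names.

```python
"""Decode a Linux kallsyms table from a raw memory image (added example).

Layout modelled: kallsyms_names holds one entry per symbol, a length byte
followed by that many token indices; each index selects a NUL-terminated
token in kallsyms_token_table via the u16 offsets in kallsyms_token_index;
the first character of the expanded string is the symbol type, the rest is
the name. Addresses come from an absolute kallsyms_addresses array, which is
an assumption (see the lead-in). The image itself is constructed.
"""
import struct

VBASE = 0xffffffff81000000  # assumed virtual address of image offset 0


def build_token_tables(fragments):
    """Constructed table: every byte value is a token, some replaced by fragments."""
    tokens = [bytes([i]) for i in range(256)]
    for idx, frag in fragments.items():
        tokens[idx] = frag
    table = b"".join(t + b"\0" for t in tokens)
    offsets, off = [], 0
    for t in tokens:
        offsets.append(off)
        off += len(t) + 1
    return table, struct.pack("<256H", *offsets), tokens


def compress(sym, tokens):
    """Greedy encoder standing in for scripts/kallsyms.c's table compression."""
    multi = sorted(((t, i) for i, t in enumerate(tokens) if len(t) > 1),
                   key=lambda x: -len(x[0]))
    out, pos = bytearray(), 0
    while pos < len(sym):
        for tok, i in multi:
            if sym.startswith(tok, pos):
                out.append(i)
                pos += len(tok)
                break
        else:
            out.append(sym[pos])
            pos += 1
    return bytes([len(out)]) + bytes(out)


def expand_symbol(image, pos, token_table, token_index):
    """Mirror of kallsyms_expand_symbol(): returns (next_pos, type, name)."""
    length = image[pos]
    pos += 1
    result = bytearray()
    for idx in image[pos:pos + length]:
        off = token_index[idx]
        result += token_table[off:token_table.index(b"\0", off)]
    return pos + length, chr(result[0]), result[1:].decode()


def parse_kallsyms(image, layout):
    """Walk kallsyms_names and pair each symbol with kallsyms_addresses[i]."""
    n = layout["num_syms"]
    tt_off, tt_len = layout["token_table"]
    token_table = image[tt_off:tt_off + tt_len]
    token_index = struct.unpack_from("<256H", image, layout["token_index"][0])
    addrs = struct.unpack_from("<%dQ" % n, image, layout["addresses"][0])
    pos, symbols = layout["names"][0], {}
    for i in range(n):
        pos, typ, name = expand_symbol(image, pos, token_table, token_index)
        symbols[name] = (typ, addrs[i])
    return symbols


def kernel_banner(image, symbols):
    """Resolve linux_banner and read the version string it points to."""
    _, addr = symbols["linux_banner"]
    off = addr - VBASE
    return image[off:image.index(b"\0", off)].decode().strip()


def build_image():
    """Constructed image: padding, banner, then the four kallsyms tables."""
    frags = {0x80: b"kallsyms_", 0x81: b"init_", 0x82: b"_name", 0x83: b"task"}
    tt, ti, tokens = build_token_tables(frags)
    head = b"\0" * 0x100
    banner = b"Linux version 5.4.0-constructed (example)\n\0"
    syms = [("T", "kallsyms_lookup_name", VBASE + 0x13a2c0),
            ("D", "init_task", VBASE + 0x1214940),
            ("R", "linux_banner", VBASE + len(head)),
            ("T", "init_module", 0xffffffffc0001000)]
    names = b"".join(compress((t + n).encode(), tokens) for t, n, _ in syms)
    addrs = struct.pack("<%dQ" % len(syms), *(a for _, _, a in syms))
    image, layout = head + banner, {"num_syms": len(syms)}
    for key, blob in (("addresses", addrs), ("names", names),
                      ("token_table", tt), ("token_index", ti)):
        layout[key] = (len(image), len(blob))
        image += blob
    return image, layout
```

Against a real dump the table offsets in `layout` are what the disassembly of update_iter and get_ksymbol_core yields; everything after that is the same decode.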
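Contributions (3) and (4) both reduce to walking a kernel doubly linked list (list_head) in a raw memory image and then cross-checking what the list yields against a second view. The Python below is an added example, not the dissertation's code, shown on a process list rather than the VMCS list because the technique is identical: it walks from init_task.tasks with container_of arithmetic and loop protection, carves task-like records with a simple signature, and reports records the list no longer reaches, which is how a process unlinked by a rootkit shows up in hidden-process analysis. The image, the field offsets (pid at +0x00, comm at +0x08, list_head at +0x18), the VBASE mapping and the process names are all constructed for the example; real offsets come from debug symbols or from the kind of code reconstruction the dissertation describes.

```python
"""Reconstruct running processes from a raw memory image by walking a kernel
doubly linked list, then cross-check them against a signature scan.

Added example, not from the dissertation. The image is identity-mapped
(virtual address = VBASE + file offset) and holds constructed records with a
fixed layout; all constants below are assumptions for the example.
"""
import struct

VBASE = 0xffff888000000000           # assumed virtual address of image offset 0
PID_OFF, COMM_OFF, LINK_OFF, REC_SIZE = 0x00, 0x08, 0x18, 0x40
PID_MAX_LIMIT = 1 << 22              # Linux PID_MAX_LIMIT on 64-bit


def v2o(image, vaddr):
    """Translate a kernel virtual address to an 8-aligned image offset, or None."""
    off = vaddr - VBASE
    return off if 0 <= off < len(image) and off % 8 == 0 else None


def read_task(image, base_vaddr):
    off = v2o(image, base_vaddr)
    pid = struct.unpack_from("<I", image, off + PID_OFF)[0]
    raw = image[off + COMM_OFF:off + COMM_OFF + 16]
    comm = raw.split(b"\0", 1)[0].decode("latin-1")
    nxt, prv = struct.unpack_from("<QQ", image, off + LINK_OFF)
    return {"base": base_vaddr, "pid": pid, "comm": comm, "next": nxt, "prev": prv}


def walk_tasks(image, init_task_vaddr):
    """list_for_each over init_task.tasks; init_task itself is the head entry."""
    head = init_task_vaddr + LINK_OFF
    tasks = [read_task(image, init_task_vaddr)]
    seen, cur = {head}, tasks[0]["next"]
    while cur != head:
        if cur in seen or v2o(image, cur) is None:
            raise ValueError("corrupt list link at %#x" % cur)
        seen.add(cur)
        t = read_task(image, cur - LINK_OFF)   # container_of(cur, task, tasks)
        tasks.append(t)
        cur = t["next"]
    return tasks


def looks_like_task(image, off):
    """Carving heuristic: plausible pid, printable comm, in-image list links."""
    pid = struct.unpack_from("<I", image, off + PID_OFF)[0]
    if pid >= PID_MAX_LIMIT:
        return False
    comm = image[off + COMM_OFF:off + COMM_OFF + 16].split(b"\0", 1)[0]
    if not comm or any(b < 0x20 or b > 0x7e for b in comm):
        return False
    nxt, prv = struct.unpack_from("<QQ", image, off + LINK_OFF)
    return v2o(image, nxt) is not None and v2o(image, prv) is not None


def scan_tasks(image):
    """Second view: every 16-byte-aligned offset that passes the heuristic."""
    return [VBASE + off for off in range(0, len(image) - REC_SIZE + 1, 16)
            if looks_like_task(image, off)]


def find_hidden(image, init_task_vaddr):
    """Cross-view: carved records that the linked list does not reach."""
    linked = {t["base"] for t in walk_tasks(image, init_task_vaddr)}
    hidden = []
    for base in scan_tasks(image):
        if base not in linked:
            t = read_task(image, base)
            hidden.append((t["pid"], t["comm"]))
    return hidden


def build_image():
    """Constructed image: init_task, three linked tasks, one unlinked task."""
    recs = [(0x100, 0, b"swapper/0"), (0x200, 1, b"systemd"),
            (0x300, 742, b"sshd"), (0x400, 801, b"bash"), (0x500, 1337, b"evil")]
    order = [0x100, 0x200, 0x300, 0x400]               # circular tasks list
    img = bytearray(0x600)
    for off, pid, comm in recs:
        struct.pack_into("<I", img, off + PID_OFF, pid)
        img[off + COMM_OFF:off + COMM_OFF + len(comm)] = comm
        if off in order:
            k = order.index(off)
            nxt, prv = order[(k + 1) % 4], order[(k - 1) % 4]
        else:  # unlinked DKOM-style: its own links still point into the list
            nxt, prv = 0x100, 0x400
        struct.pack_into("<QQ", img, off + LINK_OFF,
                         VBASE + nxt + LINK_OFF, VBASE + prv + LINK_OFF)
    return bytes(img), VBASE + 0x100
```

The `seen` set and the address check in `walk_tasks` matter on real images: a forged `next` pointer can otherwise send the walker into a loop or off the end of the dump, and a monitor that trusts the list alone never sees the unlinked record.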