Research And Implementation Of Out-of-VM Monitoring Based On VMI

Posted on: 2019-04-27
Degree: Master
Type: Thesis
Country: China
Candidate: W X Wang
Full Text: PDF
GTID: 2348330566964288
Subject: Engineering

Abstract/Summary:
With the extensive application of cloud computing technology, governments, enterprises and individuals have migrated their IT applications and sensitive data to the cloud. At present, the key technology for cloud security is Virtual Machine Introspection (VMI). It is mainly implemented inside the user cloud platform, for example inside the guest virtual machine, in a highly privileged domain, in the virtual machine monitor or at the hardware layer, to monitor the running states of guest virtual machines and to find malicious attacks or abnormal states, so as to ensure the security of the cloud platform. However, these methods have the following shortcomings. First, they increase cloud platform overhead and interfere with normal cloud services. Second, they can obtain only limited types of security state information, so their function is narrow and difficult to extend. Third, they produce false information if the user cloud platform has been compromised, which affects the effectiveness of cloud security monitoring. In view of these problems, this paper proposes the Cloud I (Cloud Introspection) architecture, an Out-of-VM monitoring architecture that builds an introspection cloud based on VMI and cloud computing technology. The main achievements are as follows:

1) Based on research into virtualization technology and monitoring methods in virtualized environments, this paper proposes a method for extracting multi-source heterogeneous cloud state data based on cloud probes. We deploy a variety of lightweight cloud probes in the Hypervisor/VMM layer of the cloud platform to obtain the CPU usage, memory usage, virtual memory dump files, network data packets and disk states of guest virtual machines. Through these cloud probes we can capture multi-source heterogeneous cloud security state data and expand the scope of monitoring.

2) Based on analysis of existing VMI technology, this paper proposes a semantic reconstruction method based on multi-bridge. By integrating a variety of mature VMI technologies, we reconstruct the underlying raw data into high-level semantic information such as processes, modules, registers and network state. We then make a cross-view comparison with the internal self-checking results of the guest virtual machine to judge its security status. This method obtains more complete and accurate semantic information, and the defects of a single VMI technology do not affect the whole semantic reconstruction process, so bridging the semantic gap is more stable, reliable and robust.

3) Building on the above results, this paper proposes the Cloud I architecture, an Out-of-VM monitoring architecture that builds an introspection cloud based on VMI and cloud computing technology. The cloud-probe method for extracting multi-source heterogeneous cloud state data is implemented in the user cloud, and the multi-bridge semantic reconstruction method is implemented in the third-party introspection cloud. Through a variety of cloud probes, we capture multi-source heterogeneous cloud security state data of guest virtual machines in the user cloud and then synchronize it to the third-party introspection cloud, which is deployed independently. Existing VMI technology works only inside the user cloud; Cloud I goes beyond it by moving out of the user cloud and building an introspection cloud to monitor the user cloud. As a result, we not only reconstruct more complete and accurate system running state information, but also effectively reduce the performance load on the user cloud.

4) Based on the multi-source heterogeneous cloud security state data obtained by the above methods, this paper proposes an association analysis method for cloud security events based on multi-source heterogeneous information. Through comprehensive correlation analysis of the CPU, memory, network communication, disk status and other multi-source heterogeneous information monitored by Cloud I, we obtain the security status of guest virtual machines in the user cloud, which enhances the ability to discover security events in the user cloud.
Keywords/Search Tags:Cloud security, Virtual machine introspection, Cloud probe, Third-party introspection cloud, Out-of-VM monitoring
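
The multi-bridge reconstruction and cross-view comparison described in achievement 2, sketched as an added example that is not code from the thesis. The bridge names, the majority-vote merge rule and the sample process lists are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample: process views (pid -> name) rebuilt from one guest memory
# dump by three hypothetical VMI bridges; None marks a bridge that failed.
BRIDGE_VIEWS = {
    "bridge_a": {4: "System", 612: "svchost.exe", 1337: "hidden.exe"},
    "bridge_b": {4: "System", 612: "svchost.exe", 1337: "hidden.exe"},
    "bridge_c": None,
}
# Constructed sample: what the guest's own self-check reports.
GUEST_VIEW = {4: "System", 612: "svchost.exe", 900: "ghost.exe"}


def reconstruct(bridge_views, min_bridges=2):
    """Merge bridge outputs by strict majority vote over the working bridges."""
    working = [v for v in bridge_views.values() if v is not None]
    if len(working) < min_bridges:
        raise RuntimeError("too few working bridges to trust the reconstruction")
    quorum = len(working) // 2 + 1  # strict majority: one name per pid at most
    votes = Counter((pid, name) for view in working for pid, name in view.items())
    return {pid: name for (pid, name), n in votes.items() if n >= quorum}


def cross_view(out_of_vm, in_guest):
    """Compare the out-of-VM view with the guest's self-reported view."""
    return {
        # Seen from outside but not reported by the guest: possible hiding.
        "hidden_from_guest": {p: n for p, n in out_of_vm.items() if p not in in_guest},
        # Reported by the guest but absent outside: exited process or false report.
        "only_in_guest": {p: n for p, n in in_guest.items() if p not in out_of_vm},
        # Same pid, different name: one of the two views has been altered.
        "name_mismatch": {p: (out_of_vm[p], in_guest[p])
                          for p in out_of_vm.keys() & in_guest.keys()
                          if out_of_vm[p] != in_guest[p]},
    }


if __name__ == "__main__":
    merged = reconstruct(BRIDGE_VIEWS)
    for kind, entries in cross_view(merged, GUEST_VIEW).items():
        print(kind, entries)
```

A failed bridge is skipped rather than aborting the merge, which mirrors the abstract's point that a defect in a single VMI technology should not break the whole reconstruction.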