Virtualization-Based Security Monitoring
Authors: Xiang Guofu, Jin Hai, Zou Deqing, Chen Xueguang
Funding: National Natural Science Foundation of China (60973038, 61142010); National High Technology Research and Development Program of China (863 Program) (2012AA012600); Wuhan Science and Technology Research Project (201010621211); Open Project of the Key Laboratory of Information Network Security, Ministry of Public Security (C11602)
Abstract:

In recent years virtualization has become a major trend in computer system architecture, and it also offers an approach to security monitoring. Because the virtual machine monitor (VMM) runs at a higher privilege level than the guest and has a smaller trusted computing base, security tools deployed in a separate virtual machine can, with the VMM's help, inspect a target virtual machine. This arrangement keeps the monitoring tools effective and makes them resistant to attack from inside the monitored guest. From the viewpoint of implementation technique, existing work can be divided into internal monitoring (a monitor component that lives inside the target VM but is protected by the VMM) and external monitoring (a monitor that lives outside the target VM and reconstructs the guest's state from its raw memory, disk and events). Organized by monitoring objective, this paper surveys virtualization-based security monitoring in detail: intrusion detection, honeypots, file integrity monitoring, malware detection and analysis, security monitoring architectures, and the generality of monitoring. Finally it summarizes the shortcomings of existing work and points out future research directions. The survey is of value to both virtualization research and security monitoring research.
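External (out-of-VM) monitoring, as the abstract describes it, has to bridge the semantic gap: the VMM hands the monitor raw guest memory, and the monitor must re-derive kernel objects such as the process list from it before it can compare them with what the guest itself reports. The following Python script is an added example, not code from this paper or from any of the systems it surveys. It builds a small constructed guest memory image with a constructed single-level page table and a constructed task_struct layout (all of them assumptions made for the example, not any real kernel's layout), walks the task list and the pid table from outside through that page table, and diffs the result against a constructed in-guest process listing, in the cross-view style of the "out-of-the-box" semantic view reconstruction and Lycosid work cited below ([79], [81]). One process is hidden only from in-guest tools by a user-mode rootkit, one is unlinked from the task list by direct kernel object manipulation; the second kernel structure catches the latter.

```python
"""
Cross-view detection of hidden guest processes from outside the VM.

Added example (not code from the paper or from any system it surveys).
The page-table format, task_struct layout and symbol addresses below are
constructed for this example and do not match any real kernel.
"""
import struct

PAGE_SHIFT = 12
PAGE_SIZE = 1 << PAGE_SHIFT
PHYS_MEM_SIZE = 16 * PAGE_SIZE          # constructed guest: 64 KiB of RAM

# Constructed single-level page table at guest-physical 0:
# 16 x u32 entries, bit 0 = present, bits 12.. = physical page number.
PT_PHYS = 0x0000
PT_ENTRIES = 16

# Constructed task_struct: u32 pid | char comm[16] | u32 next (guest VA).
TASK_FMT = "<I16sI"
TASK_SIZE = struct.calcsize(TASK_FMT)   # 24 bytes

# "Kernel symbols" the monitor is assumed to know (the role System.map plays).
INIT_TASK_VA = 0x1000                   # head of the circular task list
PID_TABLE_VA = 0x3000                   # 8 x u32 task pointers, 0 = free slot
PID_TABLE_SLOTS = 8


class GuestMemory:
    """Raw guest-physical memory plus the VA->PA translation a VMI tool needs."""

    def __init__(self, image):
        self.image = bytes(image)

    def read_phys(self, pa, n):
        if pa < 0 or pa + n > len(self.image):
            raise ValueError("physical read out of range: %#x" % pa)
        return self.image[pa:pa + n]

    def va_to_pa(self, va):
        vpn, off = va >> PAGE_SHIFT, va & (PAGE_SIZE - 1)
        if vpn >= PT_ENTRIES:
            raise ValueError("no page-table entry for %#x" % va)
        (pte,) = struct.unpack("<I", self.read_phys(PT_PHYS + 4 * vpn, 4))
        if not pte & 1:
            raise ValueError("guest page not present: %#x" % va)
        return (pte & ~(PAGE_SIZE - 1)) | off

    def read_virt(self, va, n):
        # Translate page by page so a read may cross a page boundary.
        out = bytearray()
        while n > 0:
            pa = self.va_to_pa(va)
            chunk = min(n, PAGE_SIZE - (pa & (PAGE_SIZE - 1)))
            out += self.read_phys(pa, chunk)
            va, n = va + chunk, n - chunk
        return bytes(out)


def _read_task(mem, va):
    pid, comm, nxt = struct.unpack(TASK_FMT, mem.read_virt(va, TASK_SIZE))
    return pid, comm.split(b"\0", 1)[0].decode(), nxt


def walk_task_list(mem):
    """External view 1: follow next pointers from init_task until the list wraps."""
    procs, seen, va = {}, set(), INIT_TASK_VA
    while va and va not in seen:
        seen.add(va)
        pid, comm, va = _read_task(mem, va)
        procs[pid] = comm
    return procs


def scan_pid_table(mem):
    """External view 2: read the pid table, which unlinking from the list leaves intact."""
    raw = mem.read_virt(PID_TABLE_VA, 4 * PID_TABLE_SLOTS)
    procs = {}
    for (ptr,) in struct.iter_unpack("<I", raw):
        if ptr:
            pid, comm, _ = _read_task(mem, ptr)
            procs[pid] = comm
    return procs


def find_hidden_processes(mem, in_guest_pids):
    """Cross-view diff: what the VMM-side views know but in-guest 'ps' does not."""
    external = dict(walk_task_list(mem))
    external.update(scan_pid_table(mem))
    return {pid: comm for pid, comm in external.items() if pid not in in_guest_pids}


def build_constructed_image():
    """Constructed guest memory with one user-mode-hidden and one DKOM-hidden task."""
    img = bytearray(PHYS_MEM_SIZE)
    vpn_to_ppn = {0: 0, 1: 5, 3: 7}        # non-identity map, so translation matters
    for vpn, ppn in vpn_to_ppn.items():
        struct.pack_into("<I", img, PT_PHYS + 4 * vpn, (ppn << PAGE_SHIFT) | 1)

    def pa(va):
        return (vpn_to_ppn[va >> PAGE_SHIFT] << PAGE_SHIFT) | (va & (PAGE_SIZE - 1))

    tasks = [(1, b"swapper"), (412, b"sshd"), (500, b"bash"),
             (7331, b"kworker_x"),          # hidden only by a user-mode rootkit filtering /proc
             (9000, b"implant")]            # hidden by DKOM: unlinked from the task list
    vas = [INIT_TASK_VA + i * TASK_SIZE for i in range(len(tasks))]
    linked = vas[:4]
    for i, (pid, comm) in enumerate(tasks):
        nxt = linked[(i + 1) % len(linked)] if i < len(linked) else 0
        struct.pack_into(TASK_FMT, img, pa(vas[i]), pid, comm, nxt)
    for i, va in enumerate(vas):            # every task still sits in the pid table
        struct.pack_into("<I", img, pa(PID_TABLE_VA) + 4 * i, va)
    return bytes(img)


if __name__ == "__main__":
    mem = GuestMemory(build_constructed_image())
    ps_view = {1, 412, 500}                 # constructed output of in-guest 'ps'
    for pid, comm in sorted(find_hidden_processes(mem, ps_view).items()):
        print("hidden process: pid=%d comm=%s" % (pid, comm))
```

The two external views matter more than the diff itself: a process list walked from a single linked list can be fooled by the same unlinking that fools the guest, so a real monitor reads several independent kernel structures (here the pid table stands in for them) and treats any disagreement between them, or between them and the guest's own reporting, as the signal. A real tool also has to obtain the layout and symbol addresses for the exact guest kernel build; this example takes them as given constants.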

References
[1] Smith JE, Nair R. The architecture of virtual machines. IEEE Computer, 2005,38(5):32-38. [doi: 10.1109/MC.2005.173]
[2] Rosenblum M, Garfinkel T. Virtual machine monitors: Current technology and future trends. IEEE Computer, 2005,38(5):39-47. [doi: 10.1109/MC.2005.176]
[3] Whitaker A, Cox RS, Shaw M, Gribble SD. Rethinking the design of virtual machine monitors. IEEE Computer, 2005,38(5):57-62. [doi: 10.1109/MC.2005.169]
[4] Jin H, et al. Computer System Virtualization: Theory and Application. Beijing: Tsinghua University Press, 2008. 1-26 (in Chinese).
[5] IDC report. http://www.virtualization.info/2007/07/idc-predicts-virtualization-services.html
[6] Gartner report. http://www.gartner.com/it/page.jsp?id=777212
[7] Creasy RJ. The origin of the VM/370 time-sharing system. IBM Journal of Research and Development, 1981,25(5):483-490. [doi: 10.1147/rd.255.0483]
[8] Popek GJ, Goldberg RP. Formal requirements for virtualizable third generation architectures. Communications of the ACM, 1974,17(7):412-421. [doi: 10.1145/361011.361073]
[9] Robin JS, Irvine CE. Analysis of the Intel Pentium's ability to support a secure virtual machine monitor. In: Proc. of the 9th USENIX Security Symp. Berkeley: USENIX Association, 2000. 129-144.
[10] Waldspurger CA. Memory resource management in VMware ESX server. In: Proc. of the 5th Symp. on Operating Systems Design and Implementation. New York: ACM Press, 2002. 181-194.
[11] VMware homepage. http://www.vmware.com
[12] Xen homepage. http://www.xen.org
[13] Barham P, Dragovic B, Fraser K, Hand S, Harris T, Ho A, Neugebauer R, Pratt I, Warfield A. Xen and the art of virtualization. In: Proc. of the 19th ACM Symp. on Operating Systems Principles. New York: ACM Press, 2003. 164-177. [doi: 10.1145/1165389.945462]
[14] Clark B, Deshane T, Dow E, Evanchik S, Finlayson M, Herne J, Matthews JN. Xen and the art of repeated research. In: Proc. of the 2004 USENIX Annual Technical Conf. Berkeley: USENIX Association, 2004. 135-144.
[15] Pratt I, Fraser K, Hand S, Limpach C, Warfield A. Xen 3.0 and the art of virtualization. In: Proc. of the 2005 Linux Symp. 2005. 65-77.
[16] Nanda S, Chiueh T. A survey on virtualization technologies. Technical Report, TR-179, Stony Brook University, 2005. 1-42.
[17] Jin H. The key problem of cloud security. Communications of the China Computer Federation, 2009,5(2):47-48 (in Chinese with English abstract).
[18] The line count of Linux 2.6.27. http://doexcel.com/node/6572
[19] The line count of Windows XP. http://blog.csdn.net/syf442/article/details/4459229
[20] Chen PM, Noble BD. When virtual is better than real. In: Proc. of the 8th Workshop on Hot Topics in Operating Systems. Washington: IEEE Computer Society, 2001. 133-138.
[21] Payne BD, Carbone M, Sharif M, Lee W. Lares: An architecture for secure active monitoring using virtualization. In: Proc. of the 29th IEEE Symp. on Security and Privacy. Washington: IEEE Computer Society, 2008. 233-247. [doi: 10.1109/SP.2008.24]
[22] Sharif M, Lee W, Cui W, Lanzi A. Secure in-VM monitoring using hardware virtualization. In: Proc. of the 16th ACM Conf. on Computer and Communications Security. New York: ACM Press, 2009. 477-487. [doi: 10.1145/1653662.1653720]
[23] Garfinkel T, Rosenblum M. A virtual machine introspection based architecture for intrusion detection. In: Proc. of the 10th Network and Distributed System Security Symp. Reston: Internet Society, 2003. 191-206.
[24] Lian Y. Survey on intrusion detection. Network Security Technology and Application, 2003,(1):46-48 (in Chinese with English abstract).
[25] Axelsson S. Intrusion detection systems: A survey and taxonomy. Technical Report, 99-15, Department of Computer Engineering, Chalmers University of Technology, 2000. 1-27.
[26] Sun J. Research on intrusion detection and antivirus model in large-scale network [Ph.D. Thesis]. Wuhan: Huazhong University of Science and Technology, 2005 (in Chinese with English abstract).
[27] Roesch M. Snort: Lightweight intrusion detection for networks. In: Proc. of the 13th USENIX Large Installation System Administration Conf. Berkeley: USENIX Association, 1999. 229-238.
[28] Hay A, Cid D, Bray R. OSSEC Host-Based Intrusion Detection Guide. Burlington: Syngress, 2008. 149-174.
[29] Fuchsberger A. Intrusion detection systems and intrusion prevention systems. Information Security Technical Report, Elsevier, 2005. 134-139.
[30] Locasto ME, Wang K, Keromytis AD, Stolfo SJ. FLIPS: Hybrid adaptive intrusion prevention. In: Proc. of the 8th Int'l Symp. on Recent Advances in Intrusion Detection. Berlin: Springer-Verlag, 2005. 82-101. [doi: 10.1007/11663812_5]
[31] Lam LC, Li W, Chiueh T. Accurate and automated system call policy-based intrusion prevention. In: Proc. of the 2006 Int'l Conf. on Dependable Systems and Networks. Washington: IEEE Computer Society, 2006. 413-424. [doi: 10.1109/DSN.2006.10]
[32] Laureano M, Maziero C, Jamhour E. Intrusion detection in virtual machine environments. In: Proc. of the 30th Euromicro Conf. Washington: IEEE Computer Society, 2004. 520-525. [doi: 10.1109/EUROMICRO.2004.48]
[33] Laureano M, Maziero C, Jamhour E. Protecting host-based intrusion detectors through virtual machines. Computer Networks, 2007,51(5):1275-1283. [doi: 10.1016/j.comnet.2006.09.007]
[34] Hofmeyr S, Forrest S, Somayaji A. Intrusion detection using sequences of system calls. Journal of Computer Security, 1998,6(3):151-180.
[35] Dike J. User-Mode Linux. In: Proc. of the 5th Annual Linux Showcase and Conf. Berkeley: USENIX Association, 2001. 21-28.
[36] Zhang X, Li Q, Qing S, Zhang H. VNIDA: Building an IDS architecture using VMM-based non-intrusive approach. In: Proc. of the 2008 Int'l Workshop on Knowledge Discovery and Data Mining. Washington: IEEE Computer Society, 2008. 594-600. [doi: 10.1109/WKDD.2008.135]
[37] Zhang Y, Gu Y, Wang H, Wang D. Virtual-machine-based intrusion detection on file-aware block level storage. In: Proc. of the 18th Int'l Symp. on Computer Architecture and High Performance Computing. Washington: IEEE Computer Society, 2006. 21-28. [doi: 10.1109/SBAC-PAD.2006.32]
[38] Pennington AG, Strunk JD, Griffin JL, Soules CAN, Goodson GR, Ganger GR. Storage-based intrusion detection: Watching storage activity for suspicious behavior. In: Proc. of the 12th USENIX Security Symp. Berkeley: USENIX Association, 2003. 1-15.
[39] Kourai K, Chiba S. HyperSpector: Virtual distributed monitoring environments for secure intrusion detection. In: Proc. of the 1st ACM Int'l Conf. on Virtual Execution Environments. New York: ACM Press, 2005. 197-207. [doi: 10.1145/1064979.1065006]
[40] Roschke S, Cheng F, Meinel C. An extensible and virtualization-compatible IDS management architecture. In: Proc. of the 5th Int'l Conf. on Information Assurance and Security. Washington: IEEE Computer Society, 2009. 130-134.
[41] Yang Z, Deng X. A behavior mining and pattern recognition for operating system logs. Computer and Information Technology, 2010,18(1):53-55 (in Chinese with English abstract).
[42] Dunlap GW, King ST, Cinar S, Basrai MA, Chen PM. ReVirt: Enabling intrusion analysis through virtual-machine logging and replay. In: Proc. of the 5th Symp. on Operating Systems Design and Implementation. New York: ACM Press, 2002. 211-224. [doi: 10.1145/844128.844148]
[43] King ST, Chen PM. Backtracking intrusions. In: Proc. of the 19th ACM Symp. on Operating Systems Principles. New York: ACM Press, 2003. 223-236. [doi: 10.1145/945445.945467]
[44] King ST, Chen PM. Backtracking intrusions. ACM Trans. on Computer Systems, 2005,23(1):51-76.
[45] Joshi A, King ST, Dunlap GW, Chen PM. Detecting past and present intrusions through vulnerability-specific predicates. In: Proc. of the 20th ACM Symp. on Operating Systems Principles. New York: ACM Press, 2005. 91-104. [doi: 10.1145/1095809.1095820]
[46] Oliveira DAS, Crandall JR, Wassermann G, Wu SF, Su Z, Chong FT. ExecRecorder: VM-based full-system replay for attack analysis and system recovery. In: Proc. of the 1st Workshop on Architectural and System Support for Improving Software Dependability. New York: ACM Press, 2006. 66-71. [doi: 10.1145/1181309.1181320]
[47] Quynh NA, Takefuji Y. A central and secured log data solution for Xen virtual machine. In: Proc. of the 24th Int'l Multi-Conf. on Parallel and Distributed Computing and Networks. 2006. 218-224.
[48] Wu J, Peng X, Gao D. On Xen virtual machine-based system log security. Computer Applications and Software, 2010,27(4):125-127 (in Chinese with English abstract).
[49] Spitzner L. Honeypots: Tracking Hackers. Boston: Addison-Wesley, 2002. 1-35.
[50] Tang Y, Lu X, Hu H, Zhu P. Honeypot technique and its applications: A survey. Journal of Chinese Computer Systems, 2007,28(8):1345-1351 (in Chinese with English abstract).
[51] Provos N. A virtual honeypot framework. In: Proc. of the 13th USENIX Security Symp. Berkeley: USENIX Association, 2004. 1-14.
[52] Vrable M, Ma J, Chen J, Moore D, Vandekieft E, Snoeren AC, Voelker GM, Savage S. Scalability, fidelity, and containment in the Potemkin virtual honeyfarm. In: Proc. of the 20th ACM Symp. on Operating Systems Principles. New York: ACM Press, 2005. 148-162. [doi: 10.1145/1095810.1095825]
[53] Dagon D, Qin X, Gu G, Lee W. HoneyStat: Local worm detection using honeypots. In: Proc. of the 7th Int'l Symp. on Recent Advances in Intrusion Detection. Berlin: Springer-Verlag, 2004. 39-58.
[54] Asrigo K, Litty L, Lie D. Using VMM-based sensors to monitor honeypots. In: Proc. of the 2nd ACM Int'l Conf. on Virtual Execution Environments. New York: ACM Press, 2006. 13-23. [doi: 10.1145/1134760.1134765]
[55] Jiang X, Xu D. Collapsar: A VM-based architecture for network attack detention center. In: Proc. of the 13th USENIX Security Symp. Berkeley: USENIX Association, 2004. 15-28.
[56] Jiang X, Xu D, Wang Y. Collapsar: A VM-based honeyfarm and reverse honeyfarm architecture for network attack capture and detention. Journal of Parallel and Distributed Computing, 2006,66(9):1165-1180. [doi: 10.1016/j.jpdc.2006.04.012]
[57] Jiang X, Wang X. "Out-of-the-box" monitoring of VM-based high-interaction honeypots. In: Proc. of the 10th Int'l Symp. on Recent Advances in Intrusion Detection. Berlin: Springer-Verlag, 2007. 198-218.
[58] Nazario J. PhoneyC: A virtual client honeypot. In: Proc. of the 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats. Berkeley: USENIX Association, 2009. 31-36.
[59] Göbel J. Amun: A Python honeypot. Technical Report, TR-2009-008, Laboratory for Dependable Distributed Systems, University of Mannheim, 2009. 1-14.
[60] Li P, Salour M, Su X. A survey of Internet worm detection and containment. IEEE Communications Surveys and Tutorials, 2008,10(1):20-35. [doi: 10.1109/COMST.2008.4483668]
[61] Zhu Z, Lu G, Chen Y. Botnet research survey. In: Proc. of the 32nd Annual IEEE Int'l Computer Software and Applications Conf. Washington: IEEE Computer Society, 2008. 967-972. [doi: 10.1109/COMPSAC.2008.205]
[62] Hong F, Cui G, Fu X. Introduction to Information Security. Wuhan: Huazhong University of Science and Technology Press, 2005. 1-21 (in Chinese).
[63] Kim GH, Spafford EH. The design and implementation of Tripwire: A file system integrity checker. In: Proc. of the 2nd ACM Conf. on Computer and Communications Security. New York: ACM Press, 1994. 18-29. [doi: 10.1145/191177.191183]
[64] AIDE. http://aide.sourceforge.net/
[65] Samhain. http://www.la-samhna.de/samhain/
[66] Patil S, Kashyap A, Sivathanu G, Zadok E. I3FS: An in-kernel integrity checker and intrusion detection file system. In: Proc. of the 18th USENIX Large Installation System Administration Conf. Berkeley: USENIX Association, 2004. 67-78.
[67] Quynh NA, Takefuji Y. A novel approach for a file-system integrity monitor tool of Xen virtual machine. In: Proc. of the 2nd ACM Symp. on Information, Computer and Communications Security. New York: ACM Press, 2007. 194-203. [doi: 10.1145/1229285.1229313]
[68] Quynh NA, Takefuji Y. A real-time integrity monitor for Xen virtual machine. In: Proc. of the 2006 Int'l Conf. on Networking and Services. Washington: IEEE Computer Society, 2006. 90-95. [doi: 10.1109/ICNS.2006.13]
[69] Jin H, Xiang G, Zou D, Zhao F, Li M, Yu C. A guest-transparent file integrity monitoring method in virtualization environment. Computers and Mathematics with Applications, 2010,60(2):256-266. [doi: 10.1016/j.camwa.2010.01.007]
[70] Petroni NL, Fraser T, Molina J, Arbaugh WA. Copilot: A coprocessor-based kernel runtime integrity monitor. In: Proc. of the 13th USENIX Security Symp. Berkeley: USENIX Association, 2004. 179-194.
[71] Seshadri A, Luk M, Shi E, Perrig A, van Doorn L, Khosla P. Pioneer: Verifying code integrity and enforcing untampered code execution on legacy systems. In: Proc. of the 20th ACM Symp. on Operating Systems Principles. New York: ACM Press, 2005. 1-16. [doi: 10.1145/1095809.1095812]
[72] Seshadri A, Luk M, Qu N, Perrig A. SecVisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. In: Proc. of the 21st ACM Symp. on Operating Systems Principles. New York: ACM Press, 2007. 335-350. [doi: 10.1145/1294261.1294294]
[73] Carbone M, Cui W, Lu L, Lee W, Peinado M, Jiang X. Mapping kernel objects to enable systematic integrity checking. In: Proc. of the 16th ACM Conf. on Computer and Communications Security. New York: ACM Press, 2009. 555-565. [doi: 10.1145/1653662.1653729]
[74] Xiong X, Tian D, Liu P. Practical protection of kernel integrity for commodity OS from untrusted extensions. In: Proc. of the 18th Annual Network and Distributed System Security Symp. Reston: Internet Society, 2011. 114-130.
[75] Wang Z, Jiang X. HyperSafe: A lightweight approach to provide lifetime hypervisor control-flow integrity. In: Proc. of the 31st IEEE Symp. on Security and Privacy. Washington: IEEE Computer Society, 2010. 380-395. [doi: 10.1109/SP.2010.30]
[76] Azab AM, Ning P, Wang Z, Jiang X, Zhang X, Skalsky N. HyperSentry: Enabling stealthy in-context measurement of hypervisor integrity. In: Proc. of the 17th ACM Conf. on Computer and Communications Security. New York: ACM Press, 2010. 38-49. [doi: 10.1145/1866307.1866313]
[77] Wang J, Stavrou A, Ghosh A. HyperCheck: A hardware-assisted integrity monitor. In: Proc. of the 13th Int'l Symp. on Recent Advances in Intrusion Detection. Berlin: Springer-Verlag, 2010. 158-177.
[78] Jacob G, Debar H, Filiol E. Behavioral detection of malware: From a survey towards an established taxonomy. Journal in Computer Virology, 2008,4(3):251-266. [doi: 10.1007/s11416-008-0086-0]
[79] Jiang X, Wang X, Xu D. Stealthy malware detection through VMM-based "out-of-the-box" semantic view reconstruction. In: Proc. of the 14th ACM Conf. on Computer and Communications Security. New York: ACM Press, 2007. 128-138. [doi: 10.1145/1698750.1698752]
[80] Dinaburg A, Royal P, Sharif M, Lee W. Ether: Malware analysis via hardware virtualization extensions. In: Proc. of the 15th ACM Conf. on Computer and Communications Security. New York: ACM Press, 2008. 51-62. [doi: 10.1145/1455770.1455779]
[81] Jones ST, Arpaci-Dusseau AC, Arpaci-Dusseau RH. VMM-based hidden process detection and identification using Lycosid. In: Proc. of the 4th ACM Int'l Conf. on Virtual Execution Environments. New York: ACM Press, 2008. 91-100. [doi: 10.1145/1346256.1346269]
[82] Lanzi A, Sharif M, Lee W. K-Tracer: A system for extracting kernel malware behavior. In: Proc. of the 16th Annual Network and Distributed System Security Symp. Reston: Internet Society, 2009. 191-203.
[83] Xuan C, Copeland J, Beyah R. Toward revealing kernel malware behavior in virtual execution environments. In: Proc. of the 12th Int'l Symp. on Recent Advances in Intrusion Detection. Berlin: Springer-Verlag, 2009. 304-325. [doi: 10.1007/978-3-642-04342-0_16]
[84] Moser A, Kruegel C, Kirda E. Exploring multiple execution paths for malware analysis. In: Proc. of the 28th IEEE Symp. on Security and Privacy. Washington: IEEE Computer Society, 2007. 231-245. [doi: 10.1109/SP.2007.17]
[85] Crandall JR, Wassermann G, Oliveira DAS, Su Z, Wu SF, Chong FT. Temporal search: Detecting hidden malware timebombs with virtual machines. In: Proc. of the 12th Int'l Conf. on Architectural Support for Programming Languages and Operating Systems. New York: ACM Press, 2006. 25-36. [doi: 10.1145/1168857.1168862]
[86] Wang Y, Beck D, Jiang X, Roussev R. Automated Web patrol with Strider HoneyMonkeys: Finding Web sites that exploit browser vulnerabilities. In: Proc. of the 13th Network and Distributed System Security Symp. Reston: Internet Society, 2006. 1-15.
[87] Payne BD, Carbone M, Lee W. Secure and flexible monitoring of virtual machines. In: Proc. of the 23rd Annual Computer Security Applications Conf. Washington: IEEE Computer Society, 2007. 385-397.
[88] Srivastava A, Singh K, Giffin J. Secure observation of kernel behavior. Technical Report, GT-CS-08-01, Georgia Institute of Technology, 2008. 1-14.
[89] Xiang G, Jin H, Zou D, Zhang X, Wen S, Zhao F. VMDriver: A driver-based monitoring mechanism for virtualization. In: Proc. of the 29th Int'l Symp. on Reliable Distributed Systems. Washington: IEEE Computer Society, 2010. 72-81. [doi: 10.1109/SRDS.2010.38]
[90] VMware ESX security vulnerabilities. http://www.cvedetails.com/vulnerability-list.php?vendor_id=252
Cite this article:

Xiang GF, Jin H, Zou DQ, Chen XG. Virtualization-based security monitoring. Journal of Software, 2012,23(8):2173-2187 (in Chinese with English abstract).
History:
  • Received: 2011-05-04
  • Revised: 2011-11-02
  • Published online: 2012-08-07
Copyright: Institute of Software, Chinese Academy of Sciences. Email: jos@iscas.ac.cn