微信服务号

微信订阅号

2025-6-5- 11
Home > Archive>Volume 23, Issue 8, 2012 >2173-2187. DOI:10.3724/SP.J.1001.2012.04219
PDF HTML XML Export Cite reminder
Virtualization-Based Security Monitoring
Author:
Affiliation:

  • Article
    • | |
  • Metrics
    • |
  • Reference [90]
    • |
  • Related
    • |
  • Cited by [2]
    • | |
  • Comments
    Abstract:

    In recent years, virtualization technology is the novel trendy of computer architecture, and it provides a solution for security monitoring. Due to the highest privilege and the smaller trusted computing base of virtual machine monitor, security tools, deployed in an isolated virtual machine, can inspect the target virtual machine with the help of virtual machine monitor. This approach can enhance the effectiveness and anti-attack ability of security tools. From the aspect of the implementation technologies, existing research works can be classified into internal monitoring and external monitoring. According to the different targets, the related works about virtualization-based monitoring are introduced in this paper in detail, such as intrusion detection, honeypot, file integrity monitoring, malware detection and analysis, security monitoring architecture and the generality of monitoring. Finally, this paper summarizes the shortcomings of existing works, and presents the future research directions. It is significant for virtualization research and security monitoring research.

    Reference
    [1] Smith JE, Nair R. The architecture of virtual machines. IEEE Computer, 2005,38(5):32-38. [doi: 10.1109/MC.2005.173]
    [2] Rosenblum M, Garfinkel T. Virtual machine monitors: Current technology and future trends. IEEE Computer, 2005,38(5):39-47.[doi: 10.1109/MC.2005.176]
    [3] Whitaker A, Cox RS, Shaw M, Gribble SD. Rethinking the design of virtual machine monitors. IEEE Computer, 2005,38(5):57-62.[doi: 10.1109/MC.2005.169]
    [4] Jin H, et al. Computer System Virtualization?Theory and Application. Beijing: Tsinghua University Press, 2008. 1-26 (inChinese).
    [5] IDC report. http://www.virtualization.info/2007/07/idc-predicts-virtualization-services.html
    [6] Gartner report. http://www.gartner.com/it/page.jsp?id=777212
    [7] Creasy RJ. The origin of the VM/370 time-sharing system. IBM Journal Research and Development, 1981,25(5):483-490. [doi:10.1147/rd.255.0483]
    [8] Popek G, Goldberg R. Formal requirements for virtualizable third generation architectures. Communications of the ACM, 1974,17(7):413-421. [doi: 10.1145/361011.361073]
    [9] Robin JS, Irvine CE. Analysis of the Intel Pentium’s ability to support a secure virtual machine monitor. In: Proc. of the 9thUSENIX Security Symp. Berkeley: USENIX Association, 2000. 129-144.
    [10] Waldspurger CA. Memory resource management in VMware ESX server. In: Proc. of the 5th Symp. on Operating Systems Designand Implementaion. New York: ACM Press, 2002. 181-194.
    [11] VMware homepage. http://www.vmware.com
    [12] Xen homepage. http://www.xen.org
    [13] Barham P, Dragovic B, Fraser K, Hand S, Harris T, Ho A, Neugebauer R, Pratt I, Warfiedld A. Xen and the art of virtualization. In:Proc. of the 19th ACM Symp. on Operating Systems Principles. New York: ACM Press, 2003. 164-177. [doi: 10.1145/1165389.945462]
    [14] Clark B, Deshane T, Dow E, Evanchik S, Finalyson M, Herne J, Matthews JN. Xen and the art of repeated research. In: Proc. of the2004 USENIX Annual Technical Conf. Berkeley: USENIX Association, 2004. 135-144.
    [15] Pratt I, Fraser K, Hand S, Limpach C, Warfield A. Xen 3.0 and the art of virtualization. In: Proc. of the 2005 Linux Symp. NewYork: ACM Press, 2005. 65-77.
    [16] Nanda S, Chiueh T. A survey on virtualization technologies. Technical Report, TR-179, Stony Brook University, 2005. 1-42.
    [17] Jin H. The key problem of cloud security. The Communications of the Computer Conf. Foundation, 2009,5(2):47-48 (in Chinesewith English abstract).
    [18] The linecount of Linux 2.6.27. http://doexcel.com/node/6572
    [19] The linecount of Windows XP. http://blog.csdn.net/syf442/article/details/4459229
    [20] Chen PM, Noble BD. When virtual is better than real. In: Proc. of the 8th Workshop on Hot Topics in Operating Systems.Washington: IEEE Computer Society, 2001. 133-138.
    [21] Payne BD, Carbone M, Sharif M, Lee W. Lares: An architecture for secure active monitoring using virtualization. In: Proc. of the29th IEEE Symp. on Security and Privacy. Washington: IEEE Computer Society, 2008. 233-247. [doi: 10.1109/SP.2008.24]
    [22] Sharif M, Lee W, Cui W, Lanzi A. Secure in-VM monitoring using hardware virtualization. In: Proc. of the 16th ACM Conf. onComputer and Communications Security. New York: ACM Press, 2009. 477-487. [doi: 10.1145/1653662.1653720]
    [23] Garfinkel T, Rosenblum M. A virtual machine introspection based architecture for intrusion detection. In: Proc. of the 10thNetwork and Distributed System Security Symp. Berkeley: USENIX Association, 2003. 191-206.
    [24] Lian Y. Survey on intrusion detection. Network Security Technology and Application, 2003,(1):46-48 (in Chinese with Englishabstract).
    [25] Axelsson S. Intrusion detection systems: A survey and taxonomy. Technical Report, 99-15, Department of Computer Engineering,Chalmers University of Technology, 2000. 1-27.
    [26] Sun J. Research on intrusion detection and antivirus model in large-scale network [Ph.D. Thesis]. Wuhan: Huazhong University ofScience and Technology, 2005 (in Chinese with English abstract).
    [27] Roesch M. Snort-Lightweight intrusion detection for networks. In: Proc. of the 13th USENIX Large Installation SystemAdministration Conf. Berkeley: USENIX Association, 1999. 229-238.
    [28] Hay A, Cid D, Bray R. OSSEC Host-Based Intrusion Detection Guide. Burlington: Syngress Press, 2008. 149-174.
    [29] Fuchsberger A. Intrusion detection systems and intrusion prevention systems. Information Security Technical Report, Elsevier,2005. 134-139.
    [30] Locasto ME, Wang K, Keromytis AD, Stolfo SJ. FLIPS: Hybrid adaptive intrusion prevention. In: Proc. of the 8th Int’l Symp. onRecent Advances in Intrusion Detection. Berlin: Springer-Verlag, 2005. 82-101. [doi: 10.1007/11663812_5]
    [31] Lam LC, Li W, Chiueh T. Accurate and automated system call policy-based intrusion prevention. In: Proc. of the 2006 Int’l Conf.on Dependable Systems and Networks. Washington: IEEE Computer Society, 2006. 413-424. [doi: 10.1109/DSN.2006.10]
    [32] Laureano M, Maziero C, Jamhour E. Intrusion detection in virtual machine environments. In: Proc. of the 30th Euromicro Conf.Washington: IEEE Computer Society, 2004. 520-525. [doi: 10.1109/EUROMICRO.2004.48]
    [33] Laureano M, Maziero C, Jamhour E. Protecting host-based intrusion detectors through virtual machines. The Journal of Computerand Telecommunications Networking, 2007,51(5):1275-1283. [doi: 10.1016/j.comnet.2006.09.007]
    [34] Hofmeyr S, Forrest S, Somayaji A. Intrusion detection using sequences of system calls. Journal of Computer Security, 1998,6(3):151-180.
    [35] Dike J. User-Mode Linux. In: Proc. of the 5th Annual Linux Showcase and Conf. Berkeley: USENIX Association, 2001. 21-28.
    [36] Zhang X, Li Q, Qing S, Zhang H. VNIDA: Building an IDS architecture using VMM-based non-intrusive approach. In: Proc. of the14th Int’l Workshop on Knowledge Discovery and Data Mining. New York: ACM Press, 2008. 594-600. [doi: 10.1109/WKDD.2008.135]
    [37] Zhang Y, Gu Y, Wang H, Wang D. Virtual-Machine-Based intrusion detection on file-aware block level storage. In: Proc. of the18th Int’l Symp. on Computer Architecture and High Performance Computing. Washington: IEEE Computer Society, 2001. 21-28.[doi: 10.1109/SBAC-PAD.2006.32]
    [38] Pennington AG, Strunk JD, Griffin JL, Soules CAN, Goodson GR, Ganger GR. Storage-Based intrusion detection: Watchingstrorage activity for suspicious behavior. In: Proc. of the 12th USENIX Security Symp. Berkeley: USENIX Association, 2003.1-15.
    [39] Kourai K, Chiba S. HyperSpector: Virtual distributed monitoring environments for secure intrusion detection. In: Proc. of the 1stACM Int’l Conf. on Virtual Execution Environments. New York: ACM Press, 2005. 197-207. [doi: 10.1145/1064979.1065006]
    [40] Roschke S, Cheng F, Meinel C. An extensible and virtualization-compatible IDS management architecture. In: Proc. of the 5th Int’lConf. on Information Assurance and Security. Washington: IEEE Computer Society, 2009. 130-134. [doi:10.1038/nchembio0309-130]
    [41] Yang Z, Deng X. A behavior mining and pattern recognition for operation system Log. Computer and Information Technology,2010,18(1):53-55 (in Chinese with English abstract).
    [42] Dunlap GW, King ST, Cinar S, Basrai MA, Chen PM. ReVirt: Enabling intrusion analysis through virtual-machine logging andreplay. In: Proc. of the 5th Symp. on Operating Systems Design and Implementation. New York: ACM Press, 2002. 211-224. [doi:10.1145/844128.844148]
    [43] King ST, Chen PT. Backtracking intrusions. In: Proc. of the 19th ACM Symp. on Operating Systems Principles. New York: ACMPress, 2003. 223-236. [doi: 10.1145/945445.945467]
    [44] King ST, Chen PT. Backtracking intrusions. ACM Trans. on Computer Systems, 2005,23(1):51-76. [doi: 10.1145/945445.945467]
    [45] Joshi A, King ST, Dunlap GW, Chen PM. Detecting past and present intrusions through vulnerability-specific predicates. In: Proc.of the 20th ACM Symp. on Operating Systems Principles. New York: ACM Press, 2005. 91-104. [doi: 10.1145/1095809.1095820]
    [46] Oliveira DAS, Crandall JR, Wassermann G, Wu SF, Su Z, Chong FT. ExecRecorder: VM-Based full-system replay for attackanalysis and system recovery. In: Proc. of the 1st Workshop on Architectural and System Support for Improving SoftwareDependability. New York: ACM Press, 2006. 66-71. [doi: 10.1145/1181309.1181320]
    [47] Quynh NA, Takefuji Y. A central and secured log data solution for Xen virtual machine. In: Proc. of the 24th Int’l Multi-Conf.Parallel and Distributed Computing and Networks. Washington: IEEE Computer Society, 2006. 218-224.
    [48] Wu J, Peng X, Gao D. On Xen virtual machine-based system Logs security. Computer Applications and Software, 2010,27(4):125-127 (in Chinese with English abstract).
    [49] Spitzner L. Honeypots: Tracking Hackers. New York: Addison Wesley Press, 2002. 1-35.
    [50] Tang Y, Lu X, Hu H, Zhu P. Honeypot technique and its applications: A survey. Journal of Chinese Computer Systems, 2007,28(8):1345-1351 (in Chinese with English abstract).
    [51] Provos N. A virtual honeypot framework. In: Proc. of the 13th USENIX Security Symp. Berkeley: USENIX Association, 2004.1-14.
    [52] Vrable M, Ma J, Chen J, Moore D, Vandekieft E, Snoeren AC, Voelker GM, Savage S. Scalability, fidelity, and containment in thepotemkin virtual honeyfarm. In: Proc. of the 20th ACM Symp. on Operating Systems Principles. New York: ACM Press, 2005.148-162. [doi: 10.1145/1095810.1095825]
    [53] Dagon D, Qin X, Gu G, Lee W. HoneyStat: Local worm detection using honeypots. In: Proc. of the 7th Int’l Symp. on RecentAdvances in Intrusion Detection. Berlin: Springer-Verlag, 2004. 39-58.
    [54] Asrigo K, Litty L, Lie D. Using VMM-based sensors to monitor honeypots. In: Proc. of the 2nd ACM Int’l Conf. on VirtualExecution Environments. New York: ACM Press, 2006. 13-23. [doi: 10.1145/1134760.1134765]
    [55] Jiang X, Xu D. Collapsar: A VM-based architecture for network attack detention center. In: Proc. of the 13th USENIX SecuritySymp. Berkeley: USENIX Association, 2005. 15-28.
    [56] Jiang X, Xu D, Wang Y. Collapsar: A VM-based honeyfarm and reverse honeyfarm architecture for network attack capture anddetention. Journal of Parallel and Distribtued Computing, 2006,66(9):1165-1180. [doi: 10.1016/j.jpdc.2006.04.012]
    [57] Jiang X, Wang X. “Out-of-the-Box” monitoring of VM-based high-interaction honeypots. In: Proc. of the 10th Int’l Symp. onRecent Advances in Intrusion Detection. Berlin: Springer-Verlag, 2007. 198-218.
    [58] Nazario J. PhoneyC: A virtual client honeypot. In: Proc. of the 2nd USENIX Workshop on Large-Scale Exploits and EmergentThreats. Berkeley: USENIX Association, 2009. 31-36.
    [59] Gobel J. Amun: A python honeypot. Technical Report, TR-2009-008, Laboratory for Dependable Distributed Systems, Universityof Mannheim, 2009. 1-14.
    [60] Li P, Salour M, Su X. A survey of Internet worm detection and containment. IEEE Communications Surveys and Tutorials, 2008,10(1):20-35. [doi: 10.1109/COMST.2008.4483668]
    [61] Zhu Z, Lu G, Chen Y. Botnet research survey. In: Proc. of the 32nd Annual IEEE Int’l Computer Software and Applications Conf.Washington: IEEE Computer Society, 2008. 967-972. [doi: 10.1109/COMPSAC.2008.205]
    [62] Hong F, Cui G, Fu X. Introduction to Information Security. Wuhan: Huazhong University of Science and Technology Press, 2005,1-21 (in Chinese).
    [63] Kim GH, Spafford EH. The design and implementation of tripwire: A file system integrity checker. In: Proc. of the 2nd ACM Conf.on Computer and Communications Security. New York: ACM Press, 1994. 18-29. [doi: 10.1145/191177.191183]
    [64] AIDE. http://aide.sourceforge.net/
    [65] Samhain. http://www.la-samhna.de/samhain/
    [66] Patil S, Kashyap A, Sivathanu G, Zadok E. I3FS: An in-kernel integrity checker and intrusion detection file system. In: Proc. of the18th USENIX Large Installation System Administration Conf. Berkeley: USENIX Association, 2004. 67-78.
    [67] Quynh NA, Takefuji Y. A novel approach for a file-system integrity monitor tool of Xen virtual machine. In: Proc. of the 2ndACM Symp. on Information, Computer and Communications Security. New York: ACM Press, 2007. 194-203. [doi: 10.1145/1229285.1229313]
    [68] Quynh NA, Takefuji Y. A real-time integrity monitor for Xen virtual machine. In: Proc. of the 2006 Int’l Conf. on Networking andServices. Washington: IEEE Computer Society, 2006. 90-95. [doi: 10.1109/ICNS.2006.13]
    [69] Jin H, Xiang G, Zou D, Zhao F, Li M, Yu C. A guest-transparent file integrity monitoring method in virtualization environment.The Journal of Computers and Mathematics with Applications, 2010,60(2):256-266. [doi: 10.1016/j.camwa.2010.01.007]
    [70] Petroni NL, Fraser T, Molina J, William AA. Copilot—A coprocessor-based kernel runtime integrity monitor. In: Proc. of the 13thConf. on USENIX Security Symp. Berkeley: USENIX Association, 2004. 179-194.
    [71] Seshadri A, Luk M, Shi E, Perrig A, Doorn L, Khosla P. Pioneer: Verifying code integrity and enforcing untampered codeexecution on legacy systems. In: Proc. of the 20th ACM Symp. on Operating Systems Principles. New York: ACM Press, 2005.1-16. [doi: 10.1145/1095809.1095812]
    [72] Seshadri A, Luk M, Qu N, Perrig A. SecVisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. In:Proc. of the 21st ACM Symp. on Operating Systems Principles. New York: ACM Press, 2007. 335-350. [doi: 10.1145/1294261.1294294]
    [73] Carbone M, Cui W, Lu L, Lee W, Peinado M, Jiang X. Mapping kernel objects to enable systematic integrity checking. In: Proc. ofthe 17th ACM Conf. on Computer and Communications Security. New York: ACM Press, 2009. 555-565. [doi: 10.1145/1653662.1653729]
    [74] Xiong X, Tian D, Liu P. Practical protection of kernel integrity for commodity OS from untrusted extensions. In: Proc. of the 18thAnnual Network and Distributed System Security Symp. Rosten: Internet Society, 2011. 114-130.
    [75] Wang Z, Jiang X. HyperSafe: A lightweight approach to provide lifetime hypervisor control-flow integrity. In: Proc. of the 31stIEEE Symp. on Security and Privacy. Washington: IEEE Computer Society, 2010. 380-395. [doi: 10.1109/SP.2010.30]
    [76] Azab AM, Ning P, Wang Z, Jiang X, Zhang X, Skalsky N. HyperSentry: Enabling stealthy in-context measurement of hypervisorintegrity. In: Proc. of the 17th ACM Conf. on Computer and Communications Security. New York: ACM Press, 2010. 38-49. [doi:10.1145/1866307.1866313]
    [77] Wang J, Stavrou A, Ghosh A. HyperCheck: A hardware-assisted integrity monitor. In: Proc. of the 13th Int’l Symp. on RecentAdvances in Intrusion Detection. Berlin: Springer-Verlag, 2010. 158-177.
    [78] Jacob G, Debar H, Filiol E. Behavioral detection of malware: From a survey towards an established taxonomy. Journal inComputer Virology, 2008,4(3):251-266. [doi: 10.1007/s11416-008-0086-0]
    [79] Jiang X, Wang X, Xu D. Stealthy malware detection through VMM-based “out-of-the-box” semantic view reconstruction. In: Proc.of the 14th ACM Conf. on Computer and Communications Security. New York: ACM Press, 2007. 128-138. [doi: 10.1145/1698750.1698752]
    [80] Dinaburg A, Royal P, Sharif M, Lee W. Ether: Malware analysis via hardware virtualization extensions. In: Proc. of the 15th ACMConf. on Computer and Communications Security. New York: ACM Press, 2008. 51-62. [doi: 10.1145/1455770.1455779]
    [81] Jones ST, Arpaci-Dusseau AC, Arpaci-Dusseau RH. VMM-Based hidden process detection and identification using lycosid. In:Proc. of the 4th ACM Int’l Conf. on Virtual Execution Environments. New York: ACM Press, 2008. 91-100. [doi: 10.1145/1346256.1346269]
    [82] Lanzi A, Sharif M, Lee W. K-Tracer: A system for extracting kernel malware behavior. In: Proc. of the 16th Annual Network andDistributed System Security Symp. Rosten: Internet Society, 2009. 191-203.
    [83] Xuan C, Copeland J, Beyah R. Toward revealing kernel malware behavior in virtual execution environments. In: Proc. of the 12thInt’l Symp. on Recent Advances in Intrusion Detection. Berlin: Springer-Verlag, 2009. 304-325. [doi: 10.1007/978-3-642-04342-0_16]
    [84] Andreas M, Christopher K, Engin K. Exploring multiple execution paths for malware analysis. In: Proc. of the 28th IEEE Symp. onSecurity and Privacy. Washington: IEEE Computer Society, 2007. 231-245. [doi: 10.1109/SP.2007.17]
    [85] Crandall JR, Wassermann G, Oliveira DA, Su Z, Wu SF, Chong FT. Temporal search: Detecting hidden malware timebombs withvirtual machines. In: Proc. of the 12th Int’l Conf. on Architectural Support for Programming Languages and Operating Systems.New York: ACM Press, 2006. 25-36. [doi: 10.1145/1168857.1168862]
    [86] Wang Y, Beck D, Jiang X, Roussev R. Automated Web patrol with strider HoneyMonkeys: Finding Web sites that exploit browservulnerabilities. In: Proc. of the 13th Network and Distributed Systems Security Symp. Rosten: Internet Society, 2006, 1-15.
    [87] Payne BD, Carbone MA, Lee W. Secure and flexible monitoring of virtual machines. In: Proc. of the 23rd Annual ComputerSecurity Applications Conf. New York: ACM Press, 2007. 385-397.
    [88] Srivastava A, Singh K, Giffin J. Secure observation of kernel behavior. Technical Report, GT-CS-08-01, Georgia Institute ofTechnology, 2008. 1-14.
    [89] Xiang G, Jin H, Zou D, Zhang X, Wen S, Zhao F. VMDriver: A driver-based monitoring mechanism for virtualization. In: Proc. ofthe 29th Int’l Symp. on Reliable Distributed Systems. Washington: IEEE Computer Society, 2010. 72-81. [doi: 10.1109/SRDS.2010.38]
    [90] VMware ESX security vulnerabilities. http://www.cvedetails.com/vulnerability-list.php?vendor_id=252
    Related
Get Citation

项国富,金海,邹德清,陈学广.基于虚拟化的安全监控.软件学报,2012,23(8):2173-2187

Copy
Share
Article Metrics
  • Abstract:9308
  • PDF: 15639
  • HTML: 0
  • Cited by: 0
History
  • Received:May 04,2011
  • Revised:November 02,2011
  • Online: August 07,2012
Links:Institute of Software, CASChina Computer FederationCASNSFC
You are the first2051365Visitors
Copyright: Institute of Software, Chinese Academy of Sciences Beijing ICP No. 05046678-4
Address:4# South Fourth Street, Zhong Guan Cun, Beijing 100190,Postal Code:100190
Phone:010-62562563 Fax:010-62562533 Email:jos@iscas.ac.cn
Technical Support:Beijing Qinyun Technology Development Co., Ltd.

Beijing Public Network Security No. 11040202500063