
IO sequence-based virtual machine abnormal behavior detection method and system

A detection method and virtual machine technology, applied in the field of virtualization security, can solve the problems of performance loss, complex security threats, frequent read and write operations, etc., and achieve the effect of reducing performance loss and protecting security.

Active Publication Date: 2017-05-10
SICHUAN UNIV
2 Cites, 6 Cited by

AI Technical Summary

Problems solved by technology

[0004] The existing technical difficulties mainly include: (1) after the introduction of hardware-assisted virtualization, the virtual machine's I/O read and write operations to hardware devices are relatively frequent at run time, and an inappropriate method of collecting the virtual machine IO sequence will cause a large performance loss; (2) the collected virtual machine IO sequence has the binary semantics understood by the underlying hypervisor, and mapping it to the high-level semantics inside the virtual machine, so that the behavior of the virtual machine itself can be described in a fine-grained manner, is very important for anomaly detection rules; (3) traditional methods based on host system call sequences include the short sequence enumeration method, the data mining method, the neural network method, etc., but security threats have become more complicated, and the limitations of a single detection method can no longer meet the needs of the current cloud computing environment.


Embodiment Construction

[0029] The present invention will be further described in detail below with reference to the drawings and specific embodiments.

[0030] Figure 1 gives the overall architecture diagram of the IO-sequence-based KVM (Kernel-based Virtual Machine) virtual machine abnormal behavior detection system of the present invention. As shown in Figure 1, the system can be used to detect malicious behaviors in virtual machines and prevent known virtual machine escape attacks in time, and it includes an asynchronous collection module, a process acquisition module, a communication module, and a detection module.

[0031] The asynchronous acquisition module intercepts the virtual machine's I/O emulation operation, extracts the required virtual machine IO sequence and saves it in the data buffer, wakes up the custom kernel thread located in the communication module, and then restores the normal execution flow of the VMM.

[0032] Attached figure 2 The timing diagram of the asynchrono...


Abstract

The invention discloses an IO sequence-based virtual machine abnormal behavior detection method and system. The detection system comprises an asynchronous acquisition module, a process obtaining module, a communication module and a detection module; a virtual machine IO sequence is asynchronously acquired in a VMM through an asynchronous virtual machine IO sequence acquisition technology to reduce performance loss in a virtual machine running process to the maximum extent; virtual machine process semantics is dynamically obtained by utilizing a VMM layer through a virtual machine IO sequence process semantics dynamic obtaining technology to realize reasonable mapping of the virtual machine IO sequence and a virtual machine process so as to facilitate rule analysis of the IO sequence and confirmation of a detection result; and an abnormal detection model is built in combination with a virtual machine IO short sequence and a Markov chain through a Markov chain-based virtual machine malicious behavior detection technology to finish the detection of malicious behaviors in a virtual machine. According to the method and the system, virtual machine IO-based abnormal attack behaviors can be accurately discovered, so that the security of a cloud computing platform is protected.
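The detection step named in the abstract, IO short sequences scored against a Markov chain, is illustrated below. This is an added example and not code from the patent: the event labels, the first-order model, add-one smoothing, the window length of 4 and the threshold of -1.6 are all assumptions chosen for illustration, and the traces are constructed.

```python
import math
from collections import defaultdict

def train(sequences, alpha=1.0):
    """Count first-order transitions between IO events in known-good traces."""
    counts, states = defaultdict(lambda: defaultdict(int)), set()
    for seq in sequences:
        states.update(seq)
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    return {"counts": counts, "states": states, "alpha": alpha}

def trans_prob(model, a, b):
    """P(b | a) with add-alpha smoothing; one extra bucket covers unseen events."""
    n = len(model["states"]) + 1
    row = model["counts"].get(a, {})
    return (row.get(b, 0) + model["alpha"]) / (sum(row.values()) + model["alpha"] * n)

def window_score(model, window):
    """Mean log transition probability of one IO short sequence."""
    logs = [math.log(trans_prob(model, a, b)) for a, b in zip(window, window[1:])]
    return sum(logs) / len(logs)

def detect(model, seq, k=4, threshold=-1.6):
    """Return (start index, score) of every length-k window below the threshold."""
    scored = ((i, window_score(model, seq[i:i + k])) for i in range(len(seq) - k + 1))
    return [(i, round(s, 3)) for i, s in scored if s < threshold]

# Constructed training traces: a read-style and a write-style device exchange.
NORMAL = [
    ["out:cmd", "in:status", "in:data", "in:data"] * 10,
    ["out:cmd", "in:status", "out:data", "in:status"] * 10,
]
MODEL = train(NORMAL)

# Constructed test trace: a run of back-to-back data writes never seen in training.
TEST_SEQ = (["out:cmd", "in:status", "in:data", "in:data", "out:cmd", "in:status"]
            + ["out:data"] * 5
            + ["in:status", "out:cmd", "in:status", "in:data", "in:data"])

if __name__ == "__main__":
    for start, score in detect(MODEL, TEST_SEQ):
        print(start, TEST_SEQ[start:start + 4], score)
```

Every event in the test trace also occurs in training; the windows are flagged only because the transition from one data write directly to another was never observed, which is the property a transition model adds over per-event counting.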

Description

Technical field

[0001] The present invention relates to the technical field of virtualization security, in particular to a method and system for detecting abnormal behavior of a virtual machine based on an IO sequence.

Background technique

[0002] The rapid development of cloud computing services based on virtualization technology has led to increasing security risks in the cloud computing environment. In addition to traditional host-based security threats, such as computer viruses, Trojan horses, and kernel rootkits, there are also some new security threats, such as virtual machine escape attacks. This type of attack uses a virtual machine to attack the host, and often uses the security vulnerabilities of the host operating system or hypervisor through the virtual machine to achieve the purpose of tampering with the host operating system or hypervisor permissions.

[0003] In the traditional program abnormal behavior detection method based on the system call sequence on the host...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/55, G06F9/455
CPC: G06F9/45558, G06F21/554, G06F2009/45579, G06F2009/45587
Inventor: 陈兴蜀, 陈佳昕, 赵丹丹, 金鑫
Owner: SICHUAN UNIV