
Research On Security Monitoring Technology In Virtual Computing Environment

Posted on: 2013-02-16
Degree: Doctor
Type: Dissertation
Country: China
Candidate: G F Xiang
Full Text: PDF
GTID: 1118330371980863
Subject: Computer system architecture
Abstract/Summary:
Traditional security monitoring targets conventional network and computing environments. Virtualization is a novel computing mode that changes the traditional computer architecture. Because virtualization offers high efficiency, isolation and dynamicity, large numbers of computing systems are moving to virtual computing environments. The guest operating systems and services running in virtual machines are diverse, and the administrator can configure software as needed. Moreover, because virtual machines are dynamic, the administrator can create, start, migrate or destroy them at any time. These new features make it necessary to research security monitoring for virtual computing environments.

Virtualization brings great benefits to computing systems, but its diversity and dynamics also pose tremendous challenges for security monitoring. To meet them, our purpose is to monitor virtual machines effectively and comprehensively. A security monitoring framework for virtual computing environments is proposed, and it is studied from three aspects: network, file and process.

From the aspect of network monitoring, all network packets entering or leaving a virtual machine pass through the management domain of a virtual computing environment, so a network monitoring tool deployed at the virtual bridge can sniff every packet. However, the services running in different virtual machines may differ from one another, and virtual machines can migrate between physical nodes. To solve these problems, detection rules are configured for each domain according to its service types; once configuration is finished, the detection threads run in parallel. Further, a non-deterministic finite automaton (NFA) is used to describe the states of virtual machines.
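The network monitoring design described above, written out as an added Python example (this is not code from the dissertation, and the event names, rule signatures, state names and traffic are all constructed for illustration): each guest domain gets only the detection rules for the services it runs, one detection thread per domain consumes that domain's packets and lifecycle events in order, and a small NFA over the VM lifecycle decides whether the thread is idle, inspecting, paused for migration or finished. The one genuinely non-deterministic step is `migrate_end`, after which the management domain cannot yet tell whether the VM is still local or has left; the automaton keeps both possibilities until the next event resolves them, and the thread keeps inspecting while "running" is still possible rather than dropping packets of a VM that may still be here.

```python
import queue
import threading
from dataclasses import dataclass, field
from enum import Enum, auto


class VmState(Enum):
    CREATED = auto()
    RUNNING = auto()
    MIGRATING = auto()
    DESTROYED = auto()


class DetectState(Enum):
    IDLE = auto()      # rules loaded, VM not running yet
    ACTIVE = auto()    # packets are inspected
    PAUSED = auto()    # VM is in flight between physical nodes
    STOPPED = auto()   # VM is gone, thread exits


# VM lifecycle automaton (constructed): (state, event) -> set of successor states.
# "migrate_end" is the non-deterministic step: from the management domain's view
# the VM is either still here (destination node) or gone (source node).
# The next observed event ("heartbeat" or "destroy") resolves the ambiguity.
VM_NFA = {
    (VmState.CREATED, "start"): {VmState.RUNNING},
    (VmState.RUNNING, "heartbeat"): {VmState.RUNNING},
    (VmState.RUNNING, "migrate_begin"): {VmState.MIGRATING},
    (VmState.MIGRATING, "migrate_end"): {VmState.RUNNING, VmState.DESTROYED},
    (VmState.RUNNING, "destroy"): {VmState.DESTROYED},
    (VmState.CREATED, "destroy"): {VmState.DESTROYED},
}


def nfa_step(states, event):
    """Advance the set of possible VM states on one lifecycle event."""
    nxt = set()
    for s in states:
        nxt |= VM_NFA.get((s, event), set())
    if not nxt:
        raise ValueError(f"event {event!r} impossible from {states}")
    return nxt


def detect_state(states):
    """Map the (possibly ambiguous) VM state set onto the detection thread state.
    While RUNNING is still possible the thread keeps inspecting: checking packets
    of a VM that may be gone is cheaper than missing packets of one that is not."""
    if states == {VmState.DESTROYED}:
        return DetectState.STOPPED
    if VmState.RUNNING in states:
        return DetectState.ACTIVE
    if VmState.MIGRATING in states:
        return DetectState.PAUSED
    return DetectState.IDLE


# Signature rules keyed by service type (constructed, not real IDS signatures):
# (rule name, destination port, payload substring).
RULES_BY_SERVICE = {
    "web": [("http-traversal", 80, b"../"), ("http-shell-probe", 80, b"cmd.exe")],
    "ssh": [("ssh-bad-version", 22, b"SSH-1.")],
}


@dataclass
class Packet:
    domain: str
    dst_port: int
    payload: bytes


@dataclass
class DomainMonitor:
    """One detection thread per guest domain; lifecycle events and packets share
    the inbox so the thread never reads a VM state that another thread is changing."""
    name: str
    services: list
    vm_states: set = field(default_factory=lambda: {VmState.CREATED})
    rules: list = field(init=False)
    inbox: queue.Queue = field(default_factory=queue.Queue)

    def __post_init__(self):
        # Only the rules for the services this domain actually runs.
        self.rules = [r for svc in self.services for r in RULES_BY_SERVICE.get(svc, [])]

    def inspect(self, pkt):
        if detect_state(self.vm_states) != DetectState.ACTIVE:
            return []
        return [(self.name, name) for name, port, sig in self.rules
                if pkt.dst_port == port and sig in pkt.payload]

    def run(self, alerts, lock):
        while (item := self.inbox.get()) is not None:
            if isinstance(item, str):            # lifecycle event from the management domain
                self.vm_states = nfa_step(self.vm_states, item)
                if detect_state(self.vm_states) == DetectState.STOPPED:
                    break
                continue
            hits = self.inspect(item)
            if hits:
                with lock:
                    alerts.extend(hits)


def run_demo():
    """Constructed feed: two domains with different services, one migrating mid-stream.
    Returns the alerts raised, sorted so the result does not depend on thread timing."""
    monitors = {"web01": DomainMonitor("web01", ["web"]),
                "bastion": DomainMonitor("bastion", ["ssh"])}
    alerts, lock = [], threading.Lock()
    threads = [threading.Thread(target=m.run, args=(alerts, lock)) for m in monitors.values()]
    for t in threads:
        t.start()
    feed = [
        ("web01", "start"),
        ("bastion", "start"),
        ("web01", Packet("web01", 80, b"GET /../../etc/passwd HTTP/1.0")),  # hit
        ("bastion", Packet("bastion", 80, b"GET /../ HTTP/1.0")),            # no web rules here
        ("bastion", Packet("bastion", 22, b"SSH-1.5-client")),                # hit
        ("web01", "migrate_begin"),
        ("web01", Packet("web01", 80, b"GET /cmd.exe")),                      # paused: not inspected
        ("web01", "migrate_end"),
        ("web01", "heartbeat"),                                                # VM is still local
        ("web01", Packet("web01", 80, b"GET /cmd.exe")),                      # hit
        ("web01", "destroy"),
        ("bastion", "destroy"),
    ]
    for dom, item in feed:
        monitors[dom].inbox.put(item)
    for m in monitors.values():
        m.inbox.put(None)
    for t in threads:
        t.join()
    return sorted(alerts)


if __name__ == "__main__":
    for domain, rule in run_demo():
        print(f"{domain}: {rule}")
```

The packet that arrives while `web01` is paused for migration is deliberately not inspected here; in a real deployment that window is exactly where the destination node's monitor must already hold the domain's rules, which is why the rule set is tied to the domain rather than to the physical node.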
In this design the detection thread's state varies with the state of its virtual machine.

From the aspect of file monitoring, existing file-integrity monitoring approaches are either not transparent to the target virtual machine or unable to obtain complete monitoring information. To solve these problems, a real-time, transparent file-integrity monitoring approach is proposed in this paper. The administrator sets the file monitoring policy according to the significance of each file. While the virtual machine runs, its file operations are intercepted and analysed in the virtual machine monitor, and different actions are then taken according to the file monitoring policy. This method inspects the file integrity of a virtual machine in real time and transparently, and captures detailed information during the file operation itself.

From the aspect of process monitoring, a generality problem arises when all virtual machines are to be inspected. Multiple virtual machines run on the same physical node, and their guest operating systems may differ (for example Linux and Windows); in addition, a virtual machine can migrate freely between physical nodes. This poses tremendous challenges for monitoring the internal process state of a virtual machine. To solve this problem, a general driver-based monitoring approach is proposed in this paper. Event interception is implemented in the virtual machine monitor, and semantic reconstruction is performed by a monitoring driver running in kernel mode in the management domain. Similar to the device driver mechanism of Linux, each monitoring driver corresponds to one type of guest operating system, and all monitoring drivers provide a unified interface to the user-mode monitoring tool, which gives the security monitoring its generality. To adapt to the dynamics of virtual machines, a monitoring driver is loaded as a kernel module only when needed.
Consequently, this driver-based monitoring method is real-time, transparent and general.
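The file monitoring and process monitoring approaches above share one pipeline: the virtual machine monitor intercepts an event, a driver in the management domain reconstructs its meaning for the guest OS in question, and a user-mode tool acts on the unified result. The following Python example is added here to show that pipeline end to end; it is not code from the dissertation, and the event layouts (`dentry_path`, `FileName`, and so on), the driver registry, the policy table and the sample event stream are all constructed for illustration. Each guest OS has its own driver behind one `reconstruct` interface, drivers are instantiated on first use the way a kernel module would be loaded on demand, and file events are matched against an administrator policy whose verdict (deny, alert or allow) is handed back so that the VMM can enforce it, together with a hash of the written content when the interception captured it.

```python
import hashlib
from abc import ABC, abstractmethod
from dataclasses import dataclass


@dataclass
class VmmEvent:
    """One intercepted guest event as the VMM hands it to the management domain.
    The layout of `raw` is guest-OS specific; every field name here is constructed."""
    domain: str
    guest_os: str      # "linux" or "windows": selects the monitoring driver
    kind: str          # "file_write", "file_delete" or "proc_create"
    raw: dict


class MonitoringDriver(ABC):
    """Unified interface that every per-OS driver exposes to the user-mode tool."""

    @abstractmethod
    def reconstruct(self, raw):
        """Turn a raw event into {'path', 'pid', 'process'} (path is '' for process events)."""


class LinuxDriver(MonitoringDriver):
    def reconstruct(self, raw):
        return {"path": raw.get("dentry_path", ""), "pid": raw["tgid"],
                "process": raw["task_comm"]}


class WindowsDriver(MonitoringDriver):
    def reconstruct(self, raw):
        # Strip the NT object-manager prefix and normalise separators so that
        # one policy table can address files of both guest OS types.
        path = raw.get("FileName", "")
        if path.startswith("\\??\\"):
            path = path[4:]
        return {"path": path.replace("\\", "/"), "pid": raw["ProcessId"],
                "process": raw["ImageFileName"]}


_DRIVERS = {"linux": LinuxDriver, "windows": WindowsDriver}
_loaded = {}


def load_driver(guest_os):
    """Instantiate the driver for a guest OS on first use, like a kernel module loaded on demand."""
    if guest_os not in _loaded:
        if guest_os not in _DRIVERS:
            raise LookupError(f"no monitoring driver for guest OS {guest_os!r}")
        _loaded[guest_os] = _DRIVERS[guest_os]()
    return _loaded[guest_os]


# File monitoring policy set by the administrator according to file significance
# (constructed). The longest matching prefix wins; unlisted paths are allowed.
POLICY = {
    "/etc/": "deny",
    "/etc/motd": "allow",
    "/var/log/": "alert",
    "C:/Windows/System32/": "deny",
    "C:/Users/": "allow",
}


def file_action(path):
    matches = [p for p in POLICY if path.startswith(p)]
    return POLICY[max(matches, key=len)] if matches else "allow"


def handle(event):
    """Dispatch one VMM event through the right driver; returns the record the
    monitoring tool sees. For file events it carries the policy verdict."""
    sem = load_driver(event.guest_os).reconstruct(event.raw)
    record = {"domain": event.domain, "kind": event.kind, **sem}
    if event.kind.startswith("file_"):
        record["action"] = file_action(sem["path"])
        if "content" in event.raw:   # detail captured during the operation itself
            record["sha256"] = hashlib.sha256(event.raw["content"]).hexdigest()
    return record


# Constructed sample stream: a Linux guest and a Windows guest on the same node.
EVENTS = [
    VmmEvent("web01", "linux", "file_write",
             {"dentry_path": "/etc/passwd", "tgid": 4242, "task_comm": "sh",
              "content": b"alice:x:1001:1001::/home/alice:/bin/sh\n"}),
    VmmEvent("web01", "linux", "file_write",
             {"dentry_path": "/var/log/auth.log", "tgid": 511, "task_comm": "sshd",
              "content": b"Accepted publickey for alice\n"}),
    VmmEvent("win01", "windows", "file_write",
             {"FileName": "\\??\\C:\\Windows\\System32\\drivers\\etc\\hosts",
              "ProcessId": 1337, "ImageFileName": "notepad.exe"}),
    VmmEvent("win01", "windows", "proc_create",
             {"ProcessId": 2000, "ImageFileName": "powershell.exe"}),
]


def run_demo():
    return [handle(e) for e in EVENTS]


if __name__ == "__main__":
    for rec in run_demo():
        print(rec)
```

Because the verdict is computed in the management domain from the reconstructed path rather than from anything the guest reports, a compromised guest cannot influence it; the guest only sees its write succeed or fail.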
Keywords/Search Tags: Virtualization, Security Monitoring, Detection Rules Configured for Each Domain, Parallel Detection, Event Interception, Semantic Reconstruction, General Monitoring based on Driver