
The Design And Implementation Of Security Monitoring System Based On Virtual Machine

Posted on: 2014-09-18
Degree: Master
Type: Thesis
Country: China
Candidate: X Shu
Full Text: PDF
GTID: 2268330422463243
Subject: Electromagnetic field and microwave technology
Abstract/Summary:
The rapid growth of Internet data volume and the maturing of virtualization technology mean that more and more computing systems and back-end programs are deployed in virtualized environments. With its strong isolation and dynamic nature, virtualization technology can effectively support large-scale Internet services. However, virtualization only isolates the virtual subsystems from one another; an individual subsystem can still be compromised by an attacker because it is exposed to the network. To detect intrusions in a virtualized environment, an effective security monitoring system must be deployed. In the traditional approach, a monitoring system is deployed inside each virtual subsystem, so that each subsystem is protected by its own independent monitoring system. Because such a monitoring system is itself exposed to the guest operating system, it is easily destroyed by an attacker. In addition, this kind of host-based monitoring system often needs to modify the kernel of the guest operating system, which can introduce instability for the applications running in the guest operating system.

This paper designs and implements a security monitoring system based on the Xen virtual machine, with the goals of keeping the monitoring system itself secure and not modifying the guest operating system. Taking advantage of the characteristics of the Xen virtual machine, the security monitoring system is deployed in a privileged domain of the virtual environment. From this position, the system can monitor every virtual subsystem in the virtualized environment, which improves the maintainability and flexibility of monitoring. To protect the virtual machines from several angles, the system monitors the virtual subsystems through three functional modules: process monitoring, file system monitoring, and network monitoring. First, the system translates virtual addresses to machine addresses using the privileged interface, then obtains process information by iterating over the process tree. Second, using para-virtualization, file system and network monitoring are implemented by capturing and analyzing the I/O data stream in the privileged domain.
Keywords/Search Tags: virtualization technology, security monitoring, Xen Virtual Machine, para-virtualization