
Research And Implementation Of VMI-based Intrusion Detection System

Posted on: 2015-02-21
Degree: Master
Type: Thesis
Country: China
Candidate: G L Ren
GTID: 2298330422982033
Subject: Computer system architecture
Abstract/Summary:
Cloud computing can either partition physical computing resources into several operating environments or merge them into one operating environment, logically implementing the abstraction or unification of IT resources. The key technology in implementing cloud computing is virtualization. However, virtualization faces many security issues, such as the security of communication between virtual machines, VM escape, and malware. One effective way to protect a virtualization environment is intrusion detection. Given the characteristics of virtualization environments, using virtual machine introspection (VMI) to implement intrusion detection has many advantages. Therefore, research on the security issues of virtualization environments and on how to implement intrusion detection with VMI is of great value and significance to the development of virtualization and cloud computing.

This paper first introduces the basics of virtualization, including its classification and today's mainstream virtualization technologies. It then studies VMI technology, analyzing the methods and difficulties of implementing it, and gives a brief introduction to intrusion detection techniques. It also analyzes security threats in virtualization environments in detail and summarizes coping strategies that can be adopted against these threats.

Following this, the paper studies the use of the virtual machine introspection tool LibVMI, the memory forensic analysis framework Volatility, and the kpartx tool, and analyzes the causes, harm, and detection methods of intrusions mainly committed by rootkits and Trojans. On this basis, the paper designs and implements a VMI-based intrusion detection system. The system has two detection modules: a virtual machine memory based detection module and a virtual machine file system based detection module. By applying virtual machine introspection, the system obtains a virtual machine's internal information from outside it and detects existing intrusions by analyzing this information. After an intrusion is found, the system adopts different response methods, including logging, sending an alert email, and even pausing virtual machines, according to the severity of the intrusion.

Finally, the paper sets up a Xen virtualization environment and creates several virtual machines on it to deploy and test the VMI-based intrusion detection system. The experimental results show that each detection module works well, effectively detecting intrusions, and that the system responds correctly. The system has achieved its design objective.
Keywords/Search Tags: Virtualization, Security, VMI, Intrusion detection, Xen