
Design And Implementation Of Virtual Machine Security Event Tracking System Based On Log Analysis

Posted on: 2015-02-14
Degree: Master
Type: Thesis
Country: China
Candidate: R Feng
Full Text: PDF
GTID: 2298330467963822
Subject: Computer technology
Abstract/Summary:
In the Internet age, with the rapid development and popularization of science and technology and an endless variety of new personal applications, the security issues brought about by advances in technology have attracted more and more attention. In particular, the Snowden incident had an unprecedented impact on, and posed unprecedented challenges to, network security worldwide. In the traditional non-virtualized environment, log analysis is generally combined with host intrusion detection systems (HIDS), and some of its functions are integrated into the HIDS. A HIDS inspects the system log files, matches them against the intrusion rules in its knowledge base and detects security incidents in the system, so as to protect the security of the system. But a HIDS must itself ensure the security of the system: all of its detection activity rests on the premise that the system itself has reasonable security settings in place. Even if it has, an attacker can delete the corresponding system log so that the attack cannot be detected; traditional analysis tools are therefore lacking in ensuring the timeliness, integrity and authenticity of the data.

Although traditional log analysis tools have these problems, the system log still has great value for finding intrusions. The system log records the health status and error information of the system, and can also monitor all events in the system in real time. Users can find the cause of an error by analyzing the log, or look for the traces left by an intruder. But today's log analysis tools for complex network environments can only present a single application (for example, web applications) or some of the system's error events to the user; a single system log cannot track an attack from beginning to end and is unable to identify the logic behind the data.

The log analysis method used in VMSET captures the logs of the different operating systems across the entire virtual machine cluster, summarizes and abstracts them into a unified log format, and stores them centrally. This ensures the integrity and authenticity of the log data. In addition, it performs correlation analysis on the centrally stored log data using model-based matching: the collected log sequence is matched against the models in the knowledge base, and thus the intrusion route can be tracked and identified effectively.
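The pipeline the abstract describes (collect guest logs of different formats, normalize them to one unified record, store them centrally, then match the time-ordered sequence against models in a knowledge base to recover the intrusion route) can be illustrated in a few dozen lines. The block below is an added example, not code from the thesis or the VMSET system; the unified `Event` record, the `(event kind, host rule)` model encoding, the `collect` / `track` function names and the sample log lines are all assumptions constructed for the illustration (Windows event IDs 4624 and 4625 are the real logon-success and logon-failure IDs).

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines from two guests of one cluster (not real data).
LINUX_SYSLOG = [
    "Mar  3 10:01:05 vm-web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Mar  3 10:01:09 vm-web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "Mar  3 10:01:14 vm-web1 sshd[2204]: Accepted password for root from 203.0.113.7 port 51030 ssh2",
    "Mar  3 10:05:00 vm-web1 sshd[2300]: Accepted publickey for deploy from 198.51.100.5 port 40000 ssh2",
    "Mar  3 10:05:01 vm-web1 CRON[2310]: (root) CMD (run-parts /etc/cron.hourly)",
]
WINDOWS_EVENTS = [
    "2015-03-03T10:03:40 vm-db1 Security 4625 AUDIT_FAILURE User=Administrator Src=203.0.113.7",
    "2015-03-03T10:03:44 vm-db1 Security 4624 AUDIT_SUCCESS User=Administrator Src=203.0.113.7",
]
LOG_YEAR = 2015  # syslog lines carry no year; assumed for the constructed sample


@dataclass(frozen=True)
class Event:
    """Unified log record shared by every guest OS in the cluster (assumed format)."""
    ts: datetime
    vm: str
    os: str
    kind: str   # normalized event type: auth_failure / auth_success
    user: str
    src: str    # remote address the action came from


SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<vm>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)"
)
WIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<vm>\S+) Security (?P<id>\d+) \S+ User=(?P<user>\S+) Src=(?P<src>\S+)"
)
WIN_KIND = {"4625": "auth_failure", "4624": "auth_success"}


def parse_linux(line: str) -> Optional[Event]:
    """Map one Linux sshd syslog line to the unified record; other lines are ignored."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    kind = "auth_failure" if m["result"] == "Failed" else "auth_success"
    return Event(ts, m["vm"], "linux", kind, m["user"], m["src"])


def parse_windows(line: str) -> Optional[Event]:
    """Map one Windows Security logon event to the unified record."""
    m = WIN_RE.match(line)
    if not m or m["id"] not in WIN_KIND:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["vm"], "windows",
                 WIN_KIND[m["id"]], m["user"], m["src"])


def collect(linux_lines: List[str], windows_lines: List[str]) -> List[Event]:
    """Central store: every guest's log in the unified format, ordered by time."""
    events: List[Event] = []
    for line in linux_lines:
        ev = parse_linux(line)
        if ev:
            events.append(ev)
    for line in windows_lines:
        ev = parse_windows(line)
        if ev:
            events.append(ev)
    return sorted(events, key=lambda e: e.ts)


# Knowledge base: each model is an ordered list of (event kind, host rule). The host
# rule relates a step to the previously matched step: same VM, a different VM, or any.
MODELS: Dict[str, List[Tuple[str, str]]] = {
    "ssh_brute_force": [("auth_failure", "any"), ("auth_failure", "same"), ("auth_success", "same")],
    "lateral_movement": [("auth_success", "any"), ("auth_success", "different")],
}


def match_model(events: List[Event], model: List[Tuple[str, str]]) -> Optional[List[Event]]:
    """Ordered subsequence match of one source's event stream against a model.
    Returns the matched events (the intrusion path) or None if the model never completes."""
    path: List[Event] = []
    step = 0
    for ev in events:
        kind, rule = model[step]
        if ev.kind != kind:
            continue
        if path and rule == "same" and ev.vm != path[-1].vm:
            continue
        if path and rule == "different" and ev.vm == path[-1].vm:
            continue
        path.append(ev)
        step += 1
        if step == len(model):
            return path
    return None


def track(events: List[Event]) -> Dict[str, Dict[str, List[Tuple[str, str, str]]]]:
    """Group the central store by source address and match every model per source.
    Result: src -> model name -> [(timestamp, vm, kind), ...] along the matched route."""
    by_src: Dict[str, List[Event]] = {}
    for ev in events:
        by_src.setdefault(ev.src, []).append(ev)
    hits: Dict[str, Dict[str, List[Tuple[str, str, str]]]] = {}
    for src, stream in by_src.items():
        for name, model in MODELS.items():
            path = match_model(stream, model)
            if path:
                hits.setdefault(src, {})[name] = [(e.ts.isoformat(), e.vm, e.kind) for e in path]
    return hits


if __name__ == "__main__":
    for src, found in track(collect(LINUX_SYSLOG, WINDOWS_EVENTS)).items():
        for name, route in found.items():
            print(src, name, " -> ".join(f"{vm}:{kind}" for _, vm, kind in route))
```

Grouping by source address is what lets the route cross guest boundaries: the brute-force model completes on `vm-web1` alone, while the lateral-movement model only completes because the same source later logs on to `vm-db1`, which a single host's log could never show. A real deployment would add more parsers, more event kinds and time windows on each model step; the matcher itself does not change.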
Keywords/Search Tags: HIDS, System log, Virtual Machine, Model Match, Path Track