
Research Of Active Defence Technology Based On Virtualization Platform

Posted on: 2015-02-12 | Degree: Master | Type: Thesis
Country: China | Candidate: L Dong | Full Text: PDF
GTID: 2348330422490714 | Subject: Computer Science and Technology
Abstract/Summary:
With the development of technology, the computer industry is constantly evolving, and information has already penetrated people's lives. However, while the Internet has brought convenience to the public, it has also brought a variety of security issues. Most traditional security technologies are in a defensive position: faced with a complex network environment, they lack the initiative to respond and the ability to predict attacks, and they cannot obtain the intruder's means and intentions.

This paper focuses on active defense technology, which analyzes, addresses and resolves network security issues from a new perspective. Honeynet technology is the most common form of active defense technology. With its wide applicable scope and moderate implementation difficulty, it actively traps attacks in order to monitor intruders and to understand their intentions, means and methods, providing more security information to the system administrator. The introduction of virtualization technology greatly improves the utilization of system resources, reduces the difficulty of virtual machine deployment and maintenance, and enhances the safety factor of the system, while retaining honeynet technology's strong trapping and detection abilities and meeting the basic dynamic deployment needs of the active defense platform.

This paper first introduces the research status of active defense technology and analyzes the limitations of traditional passive defense technology, with emphasis on honeypot and honeynet technology and intrusion prevention technology. Secondly, it describes the technical requirements for dynamic deployment of the active defense platform, analyzing in depth four levels of requirements: dynamic deployment of virtualization, deception and simulation, honeynet camouflage trapping, and data capture mechanisms. The system call is the interface between user space and kernel space, and the system calls generated during program execution can be used as important evidence to determine whether an intrusion has occurred. In this paper, we present a multi-layer model of program behaviors based on both hidden Markov models and enumerating methods, building on traditional methods and differing from the conventional single-layer approach; this method improves the detection rate and false alarm rate, and can provide important evidence for the intrusion response of the active defense platform.

Finally, the architecture and workflow of the active defense platform are described in detail, and the deployment and management of virtual machines, the data analysis algorithms and the whole system are tested. Experimental results show that the active defense platform has high detection efficiency.
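The following is an added example, not code from the thesis: a minimal two-layer detector over system call traces in which layer 1 enumerates length-3 windows seen in normal traces and layer 2 scores only the unseen windows with an HMM forward algorithm. The way the layers are chained, the two-state HMM parameters, the threshold and all traces are assumptions constructed for illustration; the abstract does not specify them.

```python
import math

def windows(trace, k):
    """All length-k sliding windows of a system call trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def forward_loglik(seq, hmm, floor=1e-6):
    """Scaled forward algorithm: log P(seq | hmm); unknown symbols get `floor`."""
    start, trans, emit = hmm
    alpha = {s: start[s] * emit[s].get(seq[0], floor) for s in start}
    loglik = 0.0
    for t, obs in enumerate(seq):
        if t > 0:
            alpha = {j: sum(alpha[i] * trans[i][j] for i in start)
                        * emit[j].get(obs, floor) for j in start}
        norm = sum(alpha.values())
        loglik += math.log(norm)
        alpha = {s: a / norm for s, a in alpha.items()}
    return loglik

def detect(trace, db, hmm, k=3, threshold=-3.0):
    """Return (window indexes unseen by layer 1, indexes also rejected by layer 2)."""
    unseen, flagged = [], []
    for i, w in enumerate(windows(trace, k)):
        if w in db:                                   # layer 1: enumerated normal window
            continue
        unseen.append(i)
        if forward_loglik(w, hmm) / k < threshold:    # layer 2: per-call HMM score
            flagged.append(i)
    return unseen, flagged

# Constructed sample data (assumptions, not taken from the thesis).
NORMAL = [["open", "read", "read", "close", "socket", "connect", "send", "close"],
          ["open", "read", "write", "close", "open", "read", "close"]]
DB = {w for t in NORMAL for w in windows(t, 3)}
HMM = ({"file": 0.8, "net": 0.2},                                 # start probabilities
       {"file": {"file": 0.8, "net": 0.2},                        # transitions
        "net": {"file": 0.2, "net": 0.8}},
       {"file": {"open": 0.3, "read": 0.3, "write": 0.2, "close": 0.2},   # emissions
        "net": {"socket": 0.2, "connect": 0.2, "send": 0.3, "recv": 0.2, "close": 0.1}})
BENIGN = ["open", "read", "write", "write", "close"]    # new ordering of known calls
SUSPECT = ["open", "read", "execve", "chmod", "close"]  # calls the model never emits

if __name__ == "__main__":
    print("benign :", detect(BENIGN, DB, HMM))
    print("suspect:", detect(SUSPECT, DB, HMM))
```

On the benign trace, enumeration alone reports two unseen windows, and the HMM layer clears both; on the suspect trace every window fails both layers.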
Keywords/Search Tags: Active Defense technology, honeynet and honeypot technology, virtualization, system call sequence analysis, hidden Markov model