Research On Virtual Machine Security Detection Based On Introspection Technology

Posted on: 2019-03-23
Degree: Master
Type: Thesis
Country: China
Candidate: Y F Dang
GTID: 2428330590959967
Subject: Computer Science and Technology
Abstract/Summary:
In recent years, cloud computing and virtualization technology have been widely used. It has become a trend to provide various services for different users by running multiple virtual machines on one host. As the technology has spread, various security problems have gradually been exposed. Compared with a traditional physical host, the impact of a security threat to a virtual machine is wider in scope, so the security problem deserves more attention. Virtual machine introspection, which builds on the characteristics of virtual machines, brings new methods and new challenges to information collection and security detection for virtual machines.

In current research, there is a semantic gap when recovering a virtual machine's information from the outside, and only a few types of information can be obtained. To narrow the semantic gap, using a proxy to obtain operating-system-level semantics from the virtual machine weakens system isolation and lowers the reliability of the information. At the same time, because of these problems in the early information collection stage, later detection lacks a sufficient and credible basis. The various kinds of information cannot be fully correlated and applied, so it is difficult to meet the requirements of comprehensive detection.

In view of the above problems, this thesis studies information recovery based on virtual machine introspection and virtual machine security detection based on machine learning. It also implements a prototype system for virtual machine security detection based on introspection technology. The specific work covers the following three aspects.

First, the thesis studies information recovery based on virtual machine introspection, which improves the reliability and integrity of information acquisition while preserving system isolation. The state, memory and register data of the virtual machine are obtained from outside the virtual machine, without modifying the virtual machine operating system or the virtual machine manager layer. Through a study of the structure and function of the system kernel, semantic recovery and effective association of process state, files, ports and system calls are carried out. The recovered information is then used to construct a detailed external view of the virtual machine.

Next, the thesis studies virtual machine security detection based on machine learning, which fully correlates and applies the acquired information to improve the comprehensiveness of detection. Starting from problem analysis and induction, the problem of virtual machine state and process security is attributed to two classification problems, and a classification model is established. The state and process information is analyzed and processed with the incremental method and the time-window method to form the feature vectors of the virtual machine state and of each process. The local outlier factor method is then used to detect abnormal states. A process classification model, built with multiple machine learning algorithms, is used to detect malicious processes. In the experiment, the detection method based on random forest has a 3.8% false alarm rate, but its detection rate for malicious software reaches 99.76%, which exceeds most of the anti-virus software on the market.

Finally, integrating the research of the first two parts, this thesis designs and implements a prototype virtual machine security detection system based on virtual machine introspection technology, combined with the external network detection tool Snort. Functional and performance tests of the system are carried out to verify its feasibility and effectiveness.

To sum up, this thesis studies information recovery based on virtual machine introspection and virtual machine security detection based on machine learning. On this basis, a virtual machine security detection system based on virtual machine introspection technology is implemented, which can effectively improve the security of the virtual machine.
Keywords/Search Tags:Virtual Machine Introspection, Semantic Recovery, Machine Learning, Malware, Security Detection