Research On Image-based Abnormal Behavior Detection Technology Of Virtualization Platform

In recent years,with the rapid development of cloud computing,more and more enterprises,institutions and business scenarios have gradually migrated to the cloud platform.The cloud platform has also gathered a large number of application systems and data resources.Therefore,the security issues of the cloud platform have become the concern of the industry.the key of.Unlike traditional environments,attackers can use virtual machines rented from cloud service providers to launch attacks on the entire cloud platform.Therefore,abnormal behavior detection in a virtualization environment is particularly important.Based on the analysis and research of existing virtual machine introspection technology and abnormal behavior detection technology,this paper aims at the problem of semantic gap faced by virtual machine introspection,which is the problem of reconstructing unreadable low-level semantics into readable high-level semantics.An image-based virtualization platform abnormal behavior detection technology research is proposed.The main work of this paper is as follows:(1)Summarize the existing virtual machine introspection technology and the method of bridging the semantic gap,and propose a new virtual machine introspection technology classification method based on the transparency of the semantic reconstruction process.At the same time,this article summarizes different methods of using malware images to detect malware,and compares these methods from the aspects of malware image generation,feature extraction and classification algorithms,analyzes the shortcomings of image methods,and proposes our own solutions.(2)A method of abnormal behavior detection based on memory images in a virtualization environment is proposed.This method uses an out-of-VM method to obtain the memory dump files of the guest virtual machine,and collects 2000 memory dump files containing abnormal behaviors and 1050 memory dump files containing normal behaviors.Then these memory dump files are converted into images,and the pictures are segmented and interpolated according to the structure of the memory dump files.Finally,the convolutional neural network is used to classify the memory image to detect of abnormal behavior.(3)In this paper,a suitable convolutional neural network structure,MIC-Net,is designed for the classification of memory images.The network structure is modified on the basis of the VGG network structure,and the global maxing pooling is used to replace the fully connected layer using the activation function.While reducing the parameters,it also better avoids over-fitting and improves the generalization ability of the network model.After experimental,the network model achieved a classification accuracy of 99.95%,which proved the feasibility of the abnormal behavior detection method based on memory images in a virtualization environment.