
Research On Active Defense Method Of Hidden Process Based On Virtual Machine Introspection

Posted on: 2022-01-03
Degree: Master
Type: Thesis
Country: China
Candidate: X X Huang
GTID: 2518306524489574
Subject: Master of Engineering

Abstract/Summary:
After more than ten years of development, cloud computing has greatly changed the usage pattern of computing resources. This pattern not only improves the utilization rate of resources, but also reduces the cost of developing new applications for enterprises and individuals. However, while cloud computing brings convenience, the security problems it faces have become increasingly prominent. Cloud security incidents occur frequently, and they have become one of the issues of greatest concern for enterprises. In cloud security, the security of virtual machines is the most fundamental and most urgent problem to be solved. The biggest threat faced by virtual machines is malicious code with strong concealment and persistence, and the hidden process is its most important feature. Therefore, the detection and defense of hidden processes is an urgent problem to be solved.

At present, traditional hidden process detection methods have the following shortcomings: 1. In a software-based detection scheme, the detection program runs inside the virtual machine. On the one hand, it is vulnerable to attacks by malicious processes, resulting in inaccurate detection results; on the other hand, it is not applicable in a cloud environment, where it easily wastes computing resources. 2. Hardware-based detection schemes require specialized hardware support, which is difficult to apply on a large scale. 3. Detection schemes based on virtual machine monitors tend to solve the problem of obtaining virtual machine information by installing an agent inside the virtual machine, so the detection program is still threatened by malware. In terms of hidden process defense, the defense systems of existing solutions basically run inside the host, are not suitable for virtualized environments, and are vulnerable to malicious code attacks.

In order to improve the security of virtualization platforms and cloud platforms, and to solve the problems of current hidden process detection and defense solutions, this thesis proposes an active defense method for hidden processes based on virtual machine introspection. First, hidden processes inside multiple virtual machines are transparently detected from the host; then real-time active defense measures are taken based on the detection results. The main work of this thesis is as follows:

1. This thesis proposes a hidden process detection method based on virtual machine introspection technology. Process and traffic information is transparently obtained from outside the virtual machine, views of different privilege levels are established, and hidden processes are then detected through view cross-comparison and traffic difference analysis. The solution can transparently detect hidden processes inside the virtual machine from the host machine, is suitable for a virtualized environment, ensures the safety of the detection program, and improves the reliability of detection.

2. This thesis proposes a hidden process defense method based on writable virtual machine introspection technology. By redirecting key system calls from the defense system into the virtual machine, the virtual machine executes specific system calls, thereby changing its internal state and realizing the defense function. Compared with traditional defense solutions, the solution proposed here is more suitable for cloud environments. On the one hand, the defense system runs outside the virtual machine, which ensures its security. On the other hand, the defense system can act on multiple virtual machines at the same time and can take measures based on the detection results in real time, improving the real-time performance and resource utilization rate of defense.

3. This thesis designs and implements the VMIDefender prototype system based on the hidden process detection and defense scheme. The system is mainly divided into a detection subsystem and a defense subsystem. The detection subsystem designs and implements in detail the acquisition module, the view maintenance module and the core control module for the virtual machine's internal information. The defense subsystem designs and implements the system call redirection mechanism in detail from three aspects: the auxiliary process selector, the system call dispatcher and the system call redirection itself. At the same time, this thesis verifies the detection and defense scheme on the VMIDefender prototype system. Experiments show that the detection scheme can transparently reconstruct the internal semantic information of the virtual machine from the host machine and detect hidden processes inside the virtual machine based on that semantic information. In addition, experiments also show that the defense scheme proposed in this thesis can modify the running state of the virtual machine according to the detection result and kill the hidden process.
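The detection step in contribution 1 (view cross-comparison plus traffic difference analysis) is illustrated below with an added Python example; it is not VMIDefender's code, and the three views it compares are constructed sample data standing in for the process list reconstructed by VMI from outside the guest, the process list reported inside the guest, and the connections observed at the host versus the sockets the guest reports.

```python
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class Proc:
    pid: int
    name: str

@dataclass(frozen=True, order=True)
class Flow:
    src_port: int
    dst_ip: str
    dst_port: int

def cross_view_diff(kernel_view, user_view):
    """Processes present in the privileged view (task list read by VMI from
    outside the VM) but absent from the user-level view reported inside it."""
    visible = {p.pid for p in user_view}
    return sorted(p for p in kernel_view if p.pid not in visible)

def traffic_diff(host_flows, guest_sockets):
    """Connections seen at the host that no guest-reported socket accounts
    for: the traffic of a process that also hides its network activity."""
    known = {(s.src_port, s.dst_ip, s.dst_port) for s in guest_sockets}
    return sorted(f for f in host_flows
                  if (f.src_port, f.dst_ip, f.dst_port) not in known)

def detect_hidden(kernel_view, user_view, host_flows, guest_sockets):
    """Combine both comparisons; either discrepancy is a detection result the
    defense subsystem could act on."""
    return {
        "hidden_processes": cross_view_diff(kernel_view, user_view),
        "unattributed_flows": traffic_diff(host_flows, guest_sockets),
    }

# Constructed sample views (assumed data, not real measurements).
KERNEL_VIEW = [Proc(1, "systemd"), Proc(812, "sshd"), Proc(4242, "kworker/u:9")]
USER_VIEW = [Proc(1, "systemd"), Proc(812, "sshd")]        # PID 4242 hidden from ps
HOST_FLOWS = [Flow(41022, "10.0.0.5", 22), Flow(53111, "198.51.100.9", 443)]
GUEST_SOCKETS = [Flow(41022, "10.0.0.5", 22)]              # second flow not reported

if __name__ == "__main__":
    print(detect_hidden(KERNEL_VIEW, USER_VIEW, HOST_FLOWS, GUEST_SOCKETS))
```

A real deployment would rebuild the kernel view from guest memory through a VMI library rather than from a list, but the comparison logic is the same.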
Keywords/Search Tags: Cloud computing, Cloud security, Malware detection, Hidden process detection, Virtual machine introspection