Research and Implementation of a VMI-Based Intrusion Detection System
Published: 2018-02-03 15:50
Keywords: virtualization; security; virtual machine introspection (VMI); intrusion detection; Xen. Source: South China University of Technology, 2014 master's thesis. Thesis type: degree thesis.
Abstract: Virtualization is the key enabling technology of cloud computing: it can split the physical resources of the underlying computer into several running environments, or merge them into one, providing a logical abstraction and unification of IT resources. Virtualized environments face many security problems, such as the security of communication between virtual machines, virtual machine escape, and malware. Intrusion detection is one of the effective ways to protect a virtualized environment, and given the characteristics of such environments, implementing intrusion detection with virtual machine introspection (VMI) has many advantages. Research on the security of virtualized environments, and on how to implement intrusion detection using VMI, is therefore of great value and significance to the development of virtualization and cloud computing.

This paper first introduces virtualization, describing in detail its classification and the current mainstream virtualization technologies. It then studies virtual machine introspection, analyzing how it is implemented and the difficulties involved, and briefly introduces intrusion detection technology. The security threats present in virtualized environments are analyzed in detail, and the countermeasures that can be taken against them are summarized.

The paper studies the use of the open-source virtual machine introspection tool LibVMI, the memory forensics tool Volatility, and the kpartx tool, and discusses the causes, harm, and detection methods of intrusion behaviours and intrusion traces, mainly those left by rootkits and trojans. On this basis, a VMI-based intrusion detection system is designed and implemented. The system consists of two main detection modules, one based on virtual machine memory and one based on the virtual machine file system. It uses VMI to obtain information about the virtual machine's internals from outside the virtual machine and checks it; when intrusion behaviour or intrusion traces are found, it responds according to their severity, with responses including logging, e-mail alerts, and pausing the virtual machine.

Finally, a Xen virtualization environment is set up with several test virtual machines, and the system is deployed and tested in it. The experimental results show that each detection module works correctly, intrusions are detected, and the response functions work as intended, meeting the system's original design goals.
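As an added illustration (not code from the thesis), the cross-view principle behind the two detection modules and the severity-tiered response described above: a process visible in the hypervisor-side view but absent from the guest's own listing, or a system binary whose hash on the mounted disk image differs from a trusted baseline, is a rootkit or trojan trace. The process lists, hashes and response tiers below are constructed for the example; in the real system they would come from LibVMI/Volatility and a kpartx-mounted image.

```python
import hashlib
from dataclasses import dataclass

# Response tiers, ordered by severity (assumed mapping, constructed for this example).
RESPONSES = {1: "log", 2: "log+mail", 3: "log+mail+pause"}


@dataclass(frozen=True)
class Finding:
    module: str    # "memory" or "filesystem"
    detail: str
    severity: int  # 1 (low) .. 3 (high)


def hidden_processes(vmi_view: dict, guest_view: dict) -> list:
    """Memory module: pids seen from outside the VM (VMI) but hidden inside it."""
    # A process the guest cannot see but the hypervisor can is the classic
    # trace of a process-hiding rootkit, so it is rated at the highest severity.
    return [Finding("memory", f"hidden pid {pid} ({name})", 3)
            for pid, name in vmi_view.items() if pid not in guest_view]


def tampered_files(image_hashes: dict, baseline: dict) -> list:
    """File-system module: compare hashes read from the mounted image with a baseline."""
    findings = []
    for path, good in baseline.items():
        seen = image_hashes.get(path)
        if seen is None:
            findings.append(Finding("filesystem", f"missing {path}", 2))
        elif seen != good:
            findings.append(Finding("filesystem", f"modified {path}", 3))
    return findings


def respond(findings: list) -> str:
    """Pick the response for the most severe finding; 'none' when nothing was found."""
    if not findings:
        return "none"
    return RESPONSES[max(f.severity for f in findings)]


def sha(text: str) -> str:
    # Stand-in for hashing a file read from the mounted image (constructed data).
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed sample views, not real guest data.
VMI_PROCS = {1: "init", 412: "sshd", 987: "kworker-x"}  # as seen via VMI
GUEST_PROCS = {1: "init", 412: "sshd"}                  # guest's own process list
BASELINE = {"/bin/ls": sha("ls-v1"), "/bin/ps": sha("ps-v1")}
IMAGE = {"/bin/ls": sha("ls-v1"), "/bin/ps": sha("ps-trojaned")}
```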
Degree-granting institution: South China University of Technology
Degree level: Master
Year degree granted: 2014
Classification number: TP393.08
Article number: 1487765
Article link: https://www.wllwen.com/guanlilunwen/ydhl/1487765.html