CN114499945A - Intrusion detection method and device for virtual machine - Google Patents


Info

Publication number
CN114499945A
Authority
CN
China
Prior art keywords
physical host
virtual machine
detection
machine
end processing
Legal status: Granted
Application number
CN202111583496.6A
Other languages
Chinese (zh)
Other versions
CN114499945B (en)
Inventor
辛晨
陈川
白雪
郭海燕
张钊
冯纯刚
Current Assignee
Tianyi Cloud Technology Co Ltd
Original Assignee
Tianyi Cloud Technology Co Ltd
Events
Application filed by Tianyi Cloud Technology Co Ltd
Priority to CN202111583496.6A
Publication of CN114499945A
Application granted
Publication of CN114499945B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F2009/45591 Monitoring or debugging support
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)

Abstract

A method and a device for intrusion detection of a virtual machine are provided to address the problems that, in the prior art, intrusion detection of a virtual machine is prone to false detection and is complex. The method can be applied to a first physical host machine that virtualizes at least one virtual machine, where the virtual machine comprises a Virtio paravirtualization driver and the Virtio paravirtualization driver comprises a detection module. The method comprises the steps that a detection module of a first virtual machine acquires detection data, wherein the first virtual machine is any one of the at least one virtual machine; the detection module of the first virtual machine sends the detection data to a back-end processing module of the first physical host machine through a paravirtualized channel; and the back-end processing module of the first physical host machine sends the detection data to a second physical host machine. Based on the method, the detection data exchanged between the detection module and the back-end processing module passes through the paravirtualization channel, so that communication between the first virtual machine and the first physical host machine is realized through that channel.

Description

Intrusion detection method and device for virtual machine
Technical Field
The present invention relates to the field, and in particular, to an intrusion detection method and apparatus for a virtual machine.
Background
With the rapid development of computer technologies, technologies such as cloud computing and virtualization have come into use. Cloud computing abstracts all computers into specific computing resources and then provides those computing resources to users. Generally, a cloud computing builder employs virtualization technology to virtualize a plurality of virtual computers (virtual machines for short) on a single physical host machine, which may be referred to as a computing node, for a plurality of users to use respectively. As this has spread, various security problems have gradually come to light, and the range affected by a security threat to a virtual machine is larger than for a traditional physical host machine, so security detection of virtual machines has become more and more important.
Virtual machine security detection is the monitoring of the performance security and functional security of a virtual machine. Virtual machine intrusion detection is one kind of virtual machine security detection. Currently, intrusion detection of a virtual machine performs real-time, all-around detection on the user space and the kernel space of the virtual machine system, so that when the virtual machine is invaded by a hacker or the like, the intrusion behavior can be found and an event alarm and protection can be performed. At present, real-time detection, alarm and protection are mainly realized by installing a security agent program in the virtual machine or by executing a temporary script.
However, the security agent or the temporary script runs in the user layer of the operating system, occupies the resources of the user layer, and may produce false detections in actual running. Moreover, when the security agent detects the kernel space of the virtual machine system, a kernel module needs to be deployed and communicated with from the user layer, which is highly complex. Furthermore, the security agent or the temporary script needs to rely on the network resources of the user when reporting an event.
Disclosure of Invention
The embodiment of the invention provides an intrusion detection method and device of a virtual machine, which are used for solving the problems of false detection, detection complexity and dependence on a user network caused by installing a security agent program or executing a temporary script for intrusion detection in the virtual machine in the prior art.
In a first aspect, an embodiment of the present invention provides an intrusion detection method for a virtual machine, where the method is applied to a first physical host, where the first physical host virtualizes at least one virtual machine, the at least one virtual machine includes a Virtio paravirtualization driver, the Virtio paravirtualization driver includes a detection module, and the Virtio paravirtualization driver runs in the kernel framework of the corresponding virtual machine. The method comprises the steps that a detection module of a first virtual machine acquires detection data, wherein the first virtual machine is any one of the at least one virtual machine; the detection module of the first virtual machine sends the detection data to a back-end processing module of the first physical host machine through a paravirtualized channel; and the back-end processing module of the first physical host machine sends the detection data to a second physical host machine.
Based on this scheme, the detection module in the virtual machine and the back-end processing module can exchange detection data through the paravirtualization channel provided by the Virtio paravirtualization driver; that is, the data interaction between the virtual machine and the physical host machine is realized on the basis of the paravirtualization channel. Furthermore, data interaction is carried out through the network between the two physical host machines (namely the first physical host machine and the second physical host machine), achieving independence from the user's network resources, so that disturbance of the user's network environment is reduced, interference with the user's network operation and maintenance is avoided, and the stability and timeliness of data interaction are improved.
In one possible implementation, the paravirtualized channel is a data queue of the Virtio paravirtualized device. The data queues may include an upstream data queue and a downstream data queue.
In a possible implementation manner, the acquiring, by the detection module of the first virtual machine, of detection data includes: the detection module of the first virtual machine carries out intrusion detection through the kernel framework of the first virtual machine to obtain the detection data.
Since the intrusion detection is carried out by the detection module in the first virtual machine using the kernel framework (Linux/Windows) of the operating system of the first virtual machine while the first virtual machine runs, the operation is more transparent to the user, and false detection caused by user mis-operation is unlikely to occur.
In a possible implementation manner, the back-end processing module of the first physical host may further receive configuration information from a second physical host, where the second physical host is deployed with an intrusion detection management service; the back-end processing module of the first physical host sends the configuration information to the detection module of the first virtual machine through the paravirtualization channel; and the detection module of the first virtual machine updates itself according to the configuration information.
In one possible implementation, the back-end processing module of the physical host is a program of a Virtio paravirtualized device.
In a possible implementation manner, the receiving, by the back-end processing module of the first physical host, the configuration information from the second physical host includes: the back-end processing module of the first physical host receives the configuration information from the second physical host based on a network between the first physical host and the second physical host.
Data interaction is carried out through the network between the two physical host machines (namely the first physical host machine and the second physical host machine), achieving independence from the user's network resources, so that disturbance of the user's network environment is reduced, interference with the user's network operation and maintenance is avoided, and the stability and timeliness of data interaction are improved.
In a possible implementation manner, the sending, by the back-end processing module of the first physical host machine, of the detection data to the second physical host machine includes: the back-end processing module of the first physical host machine sends the detection data to the second physical host machine based on the network between the first physical host machine and the second physical host machine.
In a second aspect, an embodiment of the present invention provides a detection apparatus, where the detection apparatus is applicable to a first physical host, where the first physical host virtualizes at least one virtual machine, and the at least one virtual machine includes a Virtio paravirtualization driver, and the Virtio paravirtualization driver includes a detection module. The detection device comprises a detection module and a back-end processing module.
The detection module is used for acquiring detection data; sending the detection data to a back-end processing module of the first physical host machine through a para-virtualization channel; and the back-end processing module is used for sending the detection data to the second physical host.
In one possible implementation, the paravirtualized channel is a data queue of the Virtio paravirtualized device.
In a possible implementation manner, the detection module is configured to perform intrusion detection through a kernel framework of the first virtual machine to obtain the detection data.
In a possible implementation manner, the back-end processing module is further configured to receive configuration information from a second physical host, where the second physical host is deployed with an intrusion detection management service, and to send the configuration information to the detection module of the first virtual machine through the paravirtualized channel; the detection module is configured to update itself according to the configuration information.
In one possible implementation, the back-end processing module of the physical host is a program of a Virtio paravirtualized device.
In a possible implementation manner, the back-end processing module is specifically configured to receive the configuration information from the second physical host based on a network between the first physical host and the second physical host.
In a possible implementation manner, the back-end processing module sends the detection data to the second physical host machine based on a network between the first physical host machine and the second physical host machine.
In a third aspect, the present application provides a computer-readable storage medium, in which a computer program or instructions are stored, which, when executed by a detection apparatus, cause the detection apparatus to perform the method of the first aspect or any possible implementation manner of the first aspect.
In a fourth aspect, the present application provides a computer program product comprising a computer program or instructions which, when executed by a detection apparatus, causes the detection apparatus to perform the method of the first aspect or any possible implementation manner of the first aspect.
For technical effects that can be achieved by any one of the second aspect to the fourth aspect, reference may be made to the description of the advantageous effects in the first aspect, and details are not repeated here.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
Fig. 1 is a schematic diagram of a communication system architecture according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of an intrusion detection method for a virtual machine according to an embodiment of the present invention;
fig. 3 is a schematic flowchart of another intrusion detection method for a virtual machine according to an embodiment of the present invention;
fig. 4 is a schematic flowchart of another intrusion detection method for a virtual machine according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a detection apparatus according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a detection apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic diagram of a communication system architecture suitable for use in an embodiment of the present invention. The communication system may be referred to as a cloud computing cluster. The communication system typically includes a management node and a plurality of computing nodes. The management node and the computing node are both physical host machines. Fig. 1 illustrates an example of the system including two compute nodes and one management node, where in fig. 1, a physical host 101 is a compute node and a physical host 102 is a management node. The physical hosts 101 and 102 may communicate by wire or wirelessly, etc. Specifically, the physical hosts 101 and 102 may communicate via a mobile communication network (e.g., a 2G/3G/4G/5G/future 6G network), a Wireless Local Area Network (WLAN), a wireless fidelity (Wi-Fi) network, or the like.
Each computing node may virtualize a plurality of virtual machines; fig. 1 takes as an example two virtual machines, namely a virtual machine 1011 and a virtual machine 1012, virtualized in the computing node (i.e., the physical host 101). An intrusion detection management service (also referred to as an intrusion detection management platform) is deployed on the management node (i.e., the physical host 102), and is mainly used for managing intrusion detection of the virtual machines. The virtual machines (such as the virtual machine 1011 and the virtual machine 1012 in fig. 1) include a Virtio paravirtualization driver, and the Virtio paravirtualization driver includes a detection module. In other words, the detection module is implemented in a Virtio paravirtualization driver (e.g., Virtio-blk, Virtio-net, etc.) in the virtual machine. The Virtio paravirtualization driver resides in the kernel framework (also called the kernel space or kernel layer) of the virtual machine. Thus, the detection module in a virtual machine may use the kernel framework of the virtual machine's operating system to perform intrusion detection while the virtual machine is running. Virtio is an abstract Application Programming Interface (API) layer above the hypervisor: the virtual machine is aware that it operates in a virtualization environment, and therefore cooperates with the hypervisor according to the Virtio standard to achieve better performance, such as Input/Output (I/O) performance.
The compute node (or physical host) further includes a back-end processing module 1013. The back-end processing module 1013 is implemented in the QEMU program and is the emulation program of the Virtio paravirtualized device. Relative to the back-end processing module 1013, the Virtio paravirtualized driver may also be referred to as the front-end driver. QEMU/KVM provides a fully virtualized environment that allows virtual machines to run in a KVM environment without any modification; KVM is a hypervisor that must use hardware virtualization assistance technology (e.g., Intel VT-x, AMD-V).
Further, communication between the detection module and the back-end processing module 1013 is carried over a paravirtualized channel between the two. It can also be understood that the communication of the virtual machine with the physical host is realized through this paravirtualized channel. The Virtio paravirtualized driver may use 0 or more queues, the specific number depending on the requirements. For example, the Virtio paravirtualized driver uses two virtual queues (one for receive, called the upstream queue, and the other for transmit, called the downstream queue). It should be noted that uplink and downlink are defined relative to each other, and this is not limited in the embodiment of the present invention.
In a possible implementation manner, the physical host may further include a virtual-ring (vring) layer that implements a ring buffer for storing the requests exchanged between the detection module and the back-end processing module 1013. The ring buffer can hold multiple I/O requests from the detection module at once and deliver them to the back-end processing module 1013 for batch processing, which finally invokes a device driver in the physical host 101 to perform the physical I/O operation. In this way, requests are processed in batches by agreement instead of each I/O request in the virtual machine being processed individually, thereby improving the efficiency of information exchange between the virtual machine and the hypervisor.
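The batching argument above can be made concrete with a toy model of the shared queue. The following is an added example, not code from the patent or from QEMU: it models a split virtqueue (descriptor table, available ring, used ring) in plain Python, with a guest-side front end that posts detection records and a host-side back end that drains whatever is available in one pass. The ring size, the record contents and the "kick every N records" policy are constructed for the illustration. What it shows is the effect the paragraph describes: the number of guest-to-device notifications (each of which is a VM exit on real hardware) falls in proportion to how many requests are handed over per notification, while the records still arrive complete and in order.

```python
"""Simplified model of a split virtqueue shared between a guest front-end
driver and a host-side device model. Added illustration, not code from the
patent: the queue size, record contents and batching policy are constructed
for the example."""


class Virtqueue:
    """The three structures both sides share: descriptor table, available
    ring (guest -> device) and used ring (device -> guest)."""

    def __init__(self, size):
        self.size = size
        self.desc = [None] * size      # descriptor table: one buffer per slot
        self.free = list(range(size))  # descriptor indices not currently in flight
        self.avail = []                # indices the guest has handed to the device
        self.used = []                 # indices the device has finished with
        self.kicks = 0                 # guest -> device notifications (VM exits)


class FrontEnd:
    """Guest-side Virtio driver: the detection module posts buffers here."""

    def __init__(self, vq):
        self.vq = vq

    def post(self, payload):
        """Place one record in a free descriptor; False if the ring is full."""
        if not self.vq.free:
            return False
        idx = self.vq.free.pop(0)
        self.vq.desc[idx] = payload
        self.vq.avail.append(idx)
        return True

    def kick(self):
        """Notify the device once for everything posted since the last kick."""
        self.vq.kicks += 1

    def reclaim(self):
        """Return descriptors the device marked used to the free list."""
        n = 0
        while self.vq.used:
            idx = self.vq.used.pop(0)
            self.vq.desc[idx] = None
            self.vq.free.append(idx)
            n += 1
        return n


class BackEnd:
    """Host-side device model (the back-end processing module in QEMU)."""

    def __init__(self, vq):
        self.vq = vq
        self.received = []

    def drain(self):
        """Consume every available descriptor in one pass (batch processing)."""
        n = 0
        while self.vq.avail:
            idx = self.vq.avail.pop(0)
            self.received.append(self.vq.desc[idx])
            self.vq.used.append(idx)
            n += 1
        return n


def flush(fe, be):
    """One notification round trip: kick, device drains, guest reclaims."""
    fe.kick()
    be.drain()
    fe.reclaim()


def send_upstream(records, batch, ring_size=8):
    """Send `records` from guest to host, kicking once per `batch` records
    (or earlier if the ring fills). Returns (kick count, records received)."""
    vq = Virtqueue(ring_size)
    fe, be = FrontEnd(vq), BackEnd(vq)
    pending = 0
    for rec in records:
        while not fe.post(rec):        # ring full: flush before posting
            flush(fe, be)
            pending = 0
        pending += 1
        if pending == batch:
            flush(fe, be)
            pending = 0
    if pending:
        flush(fe, be)
    return vq.kicks, be.received


if __name__ == "__main__":
    sample = [("event-%d" % i).encode() for i in range(10)]  # constructed records
    print("per-request kicks:", send_upstream(sample, batch=1)[0])  # 10
    print("batched kicks:", send_upstream(sample, batch=5)[0])      # 2
```

With ten records and a ring of eight slots, kicking after every record costs ten notifications, kicking every five costs two, and a batch larger than the ring is still bounded by the ring filling up, which is the back-pressure a real driver sees when the device has not yet returned used descriptors.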
It should be noted that, after the virtual machine is started in the physical host, the detection module in the virtual machine automatically takes effect, that is, defense, intrusion detection and detection data reporting are started.
As described in the background, in the prior art, by running a security agent or a temporary script on the user layer, resources of the user layer need to be occupied, and there may be a possibility of false detection in actual running. Moreover, when the security agent detects the kernel space of the virtual machine system, a kernel module needs to be deployed and communicates with the kernel space, and the complexity is high. Moreover, the security agent or the temporary script needs to rely on the network resources of the user when reporting the event.
In view of this, an embodiment of the present invention provides an intrusion detection method for a virtual machine. The method can avoid false detection, is beneficial to reducing the complexity of intrusion detection, and does not need to rely on a user network.
Based on the above, as shown in fig. 2, a method for detecting intrusion of a virtual machine according to an embodiment of the present invention is provided. The method is applied to a first physical host machine, wherein the first physical host machine virtualizes at least one virtual machine, and the at least one virtual machine is deployed with a Virtio paravirtualization drive. Taking the first virtual machine as an example, the method comprises the following steps:
step 201, a detection module of a first virtual machine acquires detection data.
The first virtual machine is any one of at least one virtual machine virtualized by the first physical host machine. With reference to fig. 1, the first physical host may be the physical host 101 in fig. 1, and the first virtual machine may be the virtual machine 1011 or the virtual machine 1012.
In a possible implementation manner, the detection module in the first virtual machine realizes detection through kernel driver technology and can be loaded and run as a device driver of the kernel of the first virtual machine. Specifically, the detection module in the first virtual machine is mainly used for performing intrusion detection on the first virtual machine while it runs, using the kernel framework (Linux/Windows) of the first virtual machine's operating system, so as to obtain detection data. Based on this, the operation is more transparent to the user, detection is not easily disabled by user mis-operation, and false detection is therefore unlikely to occur.
Step 202, the detection module of the first virtual machine sends the detection data to the back-end processing module of the first host through a paravirtualized channel.
In a possible implementation manner, the first virtual machine is deployed with a Virtio para-virtualization driver, and a para-virtualization channel is formed between a detection module of the first virtual machine and a back-end processing module of the first physical host. Here, the paravirtualized channel may also be referred to as a data queue of the Virtio paravirtualized device, and a queue in which the detection module sends data to the backend processing module may be referred to as an upstream queue of the data of the Virtio paravirtualized device.
It is also understood that the detection module of the first virtual machine may send the detection data to the back-end processing module of the first host using the data queue of the Virtio paravirtualization device of the QEMU-KVM.
Step 203, the back-end processing module of the first host sends the detection data to the second physical host.
With reference to fig. 1, the first physical host may be the physical host 101 in fig. 1, and the second physical host may be the physical host 102 in fig. 1.
In a possible implementation manner, the back-end processing module of the first physical host may be developed based on the QEMU-KVM virtualization technology, and implements a program of the Virtio paravirtualization device, which may be run as a part of a virtual machine program of the back end of the first host.
Illustratively, the back-end processing module of the first physical host may be a character device or the like. A character device is a device that transfers data in units of characters during I/O. In Linux systems, a character device occupies a position in the file directory tree as a special file and has a corresponding node. The character device file can be operated on with the same file operation commands as an ordinary file, e.g., open, close, read, write, etc.
In one possible implementation, the second physical host is deployed with an intrusion detection management service. The back-end processing module of the first host machine and the intrusion detection management service can exchange data through the network between the first physical host machine and the second physical host machine. Specifically, the network between the first physical host and the second physical host may include, but is not limited to: a mobile communication network (e.g., 2G/3G/4G/5G/future 6G, etc.), a Wireless Local Area Network (WLAN), or a wireless fidelity (Wi-Fi) network.
Through steps 201 to 203, intrusion detection is performed on the first virtual machine during its operation by the detection module in the first virtual machine using the kernel framework (Linux/Windows) of the first virtual machine's operating system, so that the operation is more transparent to the user and false detection caused by user mis-operation is unlikely to occur. Moreover, the exchange of detection data between the detection module in the virtual machine and the back-end processing module is realized on the basis of the paravirtualization channel; that is, the data interaction between the virtual machine and the physical host machine is realized on the basis of the paravirtualization channel. Furthermore, data interaction is carried out through the network between the two physical host machines (namely the first physical host machine and the second physical host machine), achieving independence from the user's network resources, so that disturbance of the user's network environment is reduced, interference with the user's network operation and maintenance is avoided, and the stability and timeliness of data interaction are improved.
In a possible implementation mode, the detection module can operate in a unified manner with the intrusion detection component of the host machine, improving the intrusion detection efficiency of the physical host machine.
In one possible implementation, the intrusion detection management service may be implemented through any kind of application service framework. The application service framework may include, but is not limited to, a Model-View-Controller (MVC) framework, a Remote Procedure Call (RPC) framework, a Service-Oriented Architecture (SOA), and the like. The intrusion detection management service is mainly used for managing intrusion detection of the virtual machine, and may include but is not limited to: storage, analysis, alarm, etc. of the detection data. Further, the intrusion detection management service may also be used for configuration management of the detection module, for example, issuing configuration information to update the detection module.
When the intrusion detection management service needs to send configuration information to the first virtual machine, the configuration information can be sent through the network between the first physical host machine and the second physical host machine. Specifically, the intrusion detection management service may send the configuration information to the back-end processing module of the first physical host through the network between the first physical host and the second physical host. For the network between the first physical host and the second physical host, reference may be made to the foregoing description, and details are not repeated herein.
Further, optionally, when the back-end processing module in the first physical host sends the configuration information to the detection module in the first virtual machine, the configuration information may also pass through the paravirtualization channel in step 202, or referred to as a data queue of the Virtio paravirtualization device. Here, the data queue of the Virtio paravirtualized device may be referred to as a downstream queue. Specifically, the back-end processing module in the first physical host machine sends the configuration information to the detection module in the first virtual machine through the paravirtualization channel.
Further, optionally, the detection module in the first virtual machine may update the detection module according to the received configuration information.
Based on the above, to further explain the intrusion detection method for a virtual machine provided in the embodiment of the present invention, another intrusion detection method for a virtual machine is provided below, described from the perspective of the flow of detection data. The method comprises the following steps:
Step 301: a first virtual machine is started, and the detection module included in the Virtio paravirtualization driver in the first virtual machine starts intrusion detection.
Step 302: the detection module collects detection data.
Step 302 can refer to the description of step 201 above and is not repeated here.
Step 303: the detection module sends the detection data to the Virtio paravirtualization driver. Accordingly, the Virtio paravirtualization driver receives the detection data from the detection module.
Step 304: the Virtio paravirtualization driver sends the detection data to the back-end processing module through the uplink data queue of the Virtio paravirtualized device. Accordingly, the back-end processing module receives the detection data from the Virtio paravirtualization driver.
Step 304 can refer to the description of step 202 above and is not repeated here.
Step 305: the back-end processing module sends the detection data to the intrusion detection management service. Accordingly, the intrusion detection management service receives the detection data from the back-end processing module.
Step 305 can refer to the description of step 203 above and is not repeated here.
It should be noted that, before step 301, the relevant configuration of the Virtio paravirtualized device may be added to the configuration file of the first virtual machine. Specifically, the paravirtualized device driver may be added to the base image of the first virtual machine and configured to load at boot.
Through steps 301 to 305, the detection module can report the detection data to the intrusion detection management service.
Based on the above, to further explain the intrusion detection method for a virtual machine provided in the embodiment of the present invention, another intrusion detection method for a virtual machine is provided below, described from the perspective of the flow of configuration information. The method comprises the following steps:
Step 401: the intrusion detection management service sends configuration information to the back-end processing module. Accordingly, the back-end processing module receives the configuration information from the intrusion detection management service.
In one possible implementation, the intrusion detection management service sends the configuration information to the back-end processing module of the first physical host over the network between the first physical host and the second physical host.
Step 402: the back-end processing module sends the configuration information to the Virtio paravirtualization driver through the downlink data queue of the Virtio paravirtualized device. Accordingly, the Virtio paravirtualization driver receives the configuration information from the back-end processing module.
Step 403: the Virtio paravirtualization driver injects the configuration information into the detection module.
Step 404: the detection module updates itself according to the injected configuration information.
Through steps 401 to 404, the intrusion detection management service can send configuration information to the detection module and thereby update it.
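The two data paths of steps 301 to 305 (detection data: guest detection module, Virtio driver, uplink queue, host back-end, management service) and steps 401 to 404 (configuration: management service, host back-end, downlink queue, Virtio driver, detection module), as an added example that is not part of the patent. Each direction of the Virtio device's data queue is modelled as an in-process deque, and the host-to-host network as a direct call. The frame encoding, the rule format (a set of process names to flag), the shared key and the HMAC-plus-version check on configuration are assumptions introduced here; the patent specifies neither how frames are encoded nor how the guest authenticates configuration arriving on the downlink. The two checks a practitioner would want are the ones the model exercises: the host back-end parses guest-controlled bytes and must bound and validate them before use, and the guest must not apply configuration it cannot verify.

```python
import hashlib, hmac, json, struct
from collections import deque

# Each direction of the Virtio device's data queue is modelled as a deque (assumption;
# real virtqueues are shared-memory descriptor rings).
uplink_queue = deque()    # guest driver -> host back-end (steps 303-304)
downlink_queue = deque()  # host back-end -> guest driver (step 402)
MAX_FRAME = 4096          # assumption: per-frame bound enforced by the host back-end

def frame(payload: bytes) -> bytes:
    """4-byte big-endian length prefix followed by the payload."""
    return struct.pack(">I", len(payload)) + payload

def unframe(buf: bytes):
    """Parse one frame. The host runs this on guest-controlled bytes, so the
    declared length is checked against a bound and against the real buffer size."""
    if len(buf) < 4:
        return None
    (n,) = struct.unpack(">I", buf[:4])
    return buf[4:] if n <= MAX_FRAME and len(buf) == 4 + n else None

def sign(key: bytes, config: dict) -> str:
    """HMAC over canonical JSON of a config. Addition: the patent does not say
    how the guest authenticates configuration arriving on the downlink."""
    return hmac.new(key, json.dumps(config, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class DetectionModule:
    """Guest-side detection module inside the Virtio driver (steps 301-303, 403-404).
    The rule format, a set of process names to flag, is a constructed placeholder."""
    def __init__(self, config_key: bytes):
        self.config_key = config_key     # assumption: shared with the management service
        self.flagged = {"nc", "socat"}   # initial rule set (constructed)
        self.config_version = 0

    def collect(self, events):
        """Step 302: constructed kernel exec events -> detection records."""
        return [{"type": "suspicious_exec", "pid": e["pid"], "comm": e["comm"]}
                for e in events if e["comm"] in self.flagged]

    def report(self, records):
        """Steps 303-304: the driver places each record on the uplink queue."""
        for rec in records:
            uplink_queue.append(frame(json.dumps(rec).encode()))

    def apply_config(self, raw: bytes) -> bool:
        """Steps 403-404: verify, then apply, a config frame injected by the driver."""
        payload = unframe(raw)
        if payload is None:
            return False
        try:
            msg = json.loads(payload)
            config = msg["config"]
            ok = hmac.compare_digest(sign(self.config_key, config), str(msg.get("mac", "")))
            version, flagged = int(config["version"]), set(config["flagged"])
        except (ValueError, KeyError, TypeError):
            return False
        if not ok or version <= self.config_version:   # bad MAC, replay or rollback
            return False
        self.flagged, self.config_version = flagged, version
        return True

class ManagementService:
    """Intrusion detection management service on the second physical host (steps 305, 401)."""
    def __init__(self, config_key: bytes):
        self.config_key, self.stored = config_key, []

    def receive(self, payload: bytes):
        self.stored.append(json.loads(payload))

    def make_config(self, version: int, flagged) -> bytes:
        config = {"version": version, "flagged": sorted(flagged)}
        return frame(json.dumps({"config": config, "mac": sign(self.config_key, config)}).encode())

def backend_pump_uplink(ims: ManagementService) -> int:
    """Host back-end, steps 304-305: drain the uplink queue and forward well-formed
    records to the management service (the host-to-host network is a direct call here)."""
    forwarded = 0
    while uplink_queue:
        payload = unframe(uplink_queue.popleft())
        if payload is not None:       # malformed guest frames are dropped unparsed
            ims.receive(payload)
            forwarded += 1
    return forwarded

def backend_push_config(raw: bytes):
    """Host back-end, step 402: place a config frame from the management service on the downlink."""
    downlink_queue.append(raw)

def run_scenario():
    """Drive both paths once, with a hostile uplink frame and a tampered config frame."""
    uplink_queue.clear(); downlink_queue.clear()
    key = b"constructed-demo-key"
    ims, guest = ManagementService(key), DetectionModule(key)
    # Constructed events, as the guest kernel framework would hand them to the module.
    events = [{"pid": 101, "comm": "sshd"}, {"pid": 102, "comm": "nc"}, {"pid": 103, "comm": "curl"}]
    guest.report(guest.collect(events))
    uplink_queue.append(b"\x7f\xff\xff\xff!")               # hostile guest: absurd length field
    forwarded = backend_pump_uplink(ims)
    cfg = ims.make_config(1, {"nc", "socat", "curl"})
    backend_push_config(cfg)
    backend_push_config(cfg.replace(b'"curl"', b'"bash"'))  # same length, tampered in transit
    results = [guest.apply_config(downlink_queue.popleft()) for _ in range(2)]
    return {"forwarded": forwarded, "stored": len(ims.stored), "config_results": results,
            "flagged_after": sorted(r["comm"] for r in guest.collect(events))}
```

Calling run_scenario() shows the behaviour the two paths need: the hostile uplink frame is dropped by the host back-end without being parsed, the genuine configuration is applied and the tampered copy is rejected, and the new rule set takes effect on the next collection. In a real deployment the key would be provisioned into the guest image out of band, and the host back-end would apply the same bounded parsing to every descriptor it takes off the virtqueue.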
It is understood that, in order to implement the functions of the above embodiments, the detection device includes a corresponding hardware structure and/or software module for performing each function. Those of skill in the art will readily appreciate that the various illustrative modules and method steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed as hardware or computer software driven hardware depends on the particular application scenario and design constraints imposed on the solution.
Based on the same technical concept, the embodiment of the invention also provides a detection device. Fig. 5 is a schematic structural diagram of a detection apparatus according to an embodiment of the present invention. The detection device may be configured to perform the function of the physical host in the method embodiment, so that the beneficial effects of the method embodiment may also be achieved.
As shown in fig. 5, the detection apparatus 500 includes a detection module 501 and a back-end processing module 502. The detection apparatus 500 may be used to perform the methods shown in fig. 2, fig. 3 or fig. 4.
When the detection apparatus 500 is used to implement the method embodiment shown in fig. 2, the detection module 501 is used to obtain detection data; and sending the detection data to a back-end processing module 502 of the first physical host via a para-virtualized channel; the back-end processing module 502 is configured to send the detection data to the second physical host.
In one possible implementation, the paravirtualized channel is a data queue of the Virtio paravirtualized device.
In a possible implementation manner, the detection module 501 is configured to perform intrusion detection through a kernel framework of the first virtual machine, and obtain the detection data.
In one possible implementation, the back-end processing module 502 is further configured to receive configuration information from a second physical host on which an intrusion detection management service is deployed, and to send the configuration information to the detection module 501 of the first virtual machine through the paravirtualized channel; the detection module 501 is configured to update itself according to the configuration information.
In one possible implementation, the back-end processing module 502 of the first physical host is a program of the Virtio paravirtualized device.
In one possible implementation, the back-end processing module 502 is specifically configured to receive the configuration information from the second physical host over the network between the first physical host and the second physical host.
In one possible implementation, the back-end processing module 502 sends the detection data to the second physical host over the network between the first physical host and the second physical host.
The more detailed description about the detection module 501 and the back-end processing module 502 can be directly obtained by referring to the related description in the embodiment of the method shown in fig. 2, and is not repeated here.
Based on the same technical concept, the embodiment of the present application further provides a detection apparatus, as shown in fig. 6, including at least one processor 601, a communication interface 602, and a memory 603 connected to the at least one processor. The specific connection medium between the processor 601 and the memory 603 is not limited in this embodiment; in fig. 6 they are connected through a bus by way of example. The bus may be divided into an address bus, a data bus, a control bus, and so on.
In the embodiment of the present application, the memory 603 stores instructions executable by the at least one processor 601, and the at least one processor 601 may execute the steps of the foregoing intrusion detection method for a virtual machine by executing the instructions stored in the memory 603.
The processor 601 is the control center of the detection apparatus. It connects the various parts of the detection apparatus through various interfaces and lines, and implements data processing by running the instructions stored in the memory 603 and calling the data stored in the memory 603. Optionally, the processor 601 may include one or more processing units, and may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, the user interface and application programs, and the modem processor mainly handles issued instructions. It will be appreciated that the modem processor need not be integrated into the processor 601. In some embodiments the processor 601 and the memory 603 may be implemented on the same chip; in others they may be implemented on separate chips.
The processor 601 may be a general-purpose processor, such as a Central Processing Unit (CPU), a digital signal processor, an Application Specific Integrated Circuit (ASIC), a field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof, configured to implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the intrusion detection method for a virtual machine disclosed in the embodiments may be performed directly by a hardware processor, or by a combination of hardware and software modules in the processor.
The memory 603, as a non-volatile computer-readable storage medium, may be used to store non-volatile software programs, non-volatile computer-executable programs and modules. The memory 603 may include at least one type of storage medium, for example flash memory, a hard disk, a multimedia card, card-type memory, Random Access Memory (RAM), Static Random Access Memory (SRAM), Programmable Read-Only Memory (PROM), Read-Only Memory (ROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), magnetic memory, a magnetic disk, an optical disk, and so on. The memory 603 may also be any other medium that can carry or store the desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory 603 in the embodiments of the present application may also be a circuit or any other device capable of performing a storage function for storing program instructions and/or data.
Based on the same technical concept, embodiments of the present application further provide a computer-readable storage medium storing a computer program executable by a detection apparatus; when the program runs on the detection apparatus, it causes the detection apparatus to perform the steps of the intrusion detection method for a virtual machine.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. An intrusion detection method for a virtual machine, applied to a first physical host, wherein the first physical host virtualizes at least one virtual machine, the at least one virtual machine comprises a Virtio paravirtualization driver, the Virtio paravirtualization driver comprises a detection module, and the method comprises the following steps:
a detection module of a first virtual machine acquires detection data, wherein the first virtual machine is any one of the at least one virtual machine;
the detection module of the first virtual machine sends the detection data to a back-end processing module of the first physical host machine through a paravirtualized channel;
and the back-end processing module of the first physical host machine sends the detection data to the second physical host machine.
2. The method of claim 1, wherein the paravirtualized channel is a data queue of a Virtio paravirtualized device.
3. The method of claim 1, wherein the detection module of the first virtual machine obtains detection data comprising:
and the detection module of the first virtual machine carries out intrusion detection through the kernel framework of the first virtual machine to obtain the detection data.
4. The method of claim 1 or 2, wherein the method further comprises:
a back-end processing module of the first physical host machine receives configuration information from a second physical host machine, and the second physical host machine is deployed with an intrusion detection management service;
the back-end processing module of the first physical host machine sends the configuration information to the detection module of the first virtual machine through the paravirtualization channel;
and the detection module of the first virtual machine updates the detection module according to the configuration information.
5. The method of claim 4, wherein the back-end processing module of the first physical host is a program of a Virtio para-virtualization device.
6. The method of claim 5, wherein the back-end processing module of the first physical host receives configuration information from the second physical host, comprising:
the back-end processing module of the first physical host receives the configuration information from the second physical host based on a network between the first physical host and the second physical host.
7. The method of claim 1, wherein the back-end processing module of the first physical host sending the detection data to the second physical host comprises:
and the back-end processing module of the first physical host machine sends the detection data to the second physical host machine based on the network between the first physical host machine and the second physical host machine.
8. A detection apparatus applied to a first physical host machine, wherein the first physical host machine virtualizes at least one virtual machine, the at least one virtual machine includes a Virtio paravirtualization driver, the Virtio paravirtualization driver includes a detection module, and the detection apparatus includes:
the detection module is used for acquiring detection data; sending the detection data to a back-end processing module through a paravirtualized channel; and the back-end processing module is used for sending the detection data to the second physical host.
9. A detection apparatus, comprising a processor coupled to a memory and to a transceiver, the memory storing a computer program, and the processor executing the computer program stored in the memory to cause the detection apparatus to perform the method of any one of claims 1 to 7.
10. A computer-readable storage medium, having stored thereon a computer program or instructions which, when executed by a detection apparatus, cause the detection apparatus to perform the method of any one of claims 1 to 7.
Publications (2)

Publication Number Publication Date
CN114499945A true CN114499945A (en) 2022-05-13
CN114499945B CN114499945B (en) 2023-08-04
Patent Citations (13)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US20160004863A1 * | 2013-03-01 | 2016-01-07 | Orange | Method for detecting attacks on virtual machines
CN106572047A * | 2015-10-09 | 2017-04-19 | 东软集团股份有限公司 | Physical network security device and control method thereof
US20180139215A1 * | 2016-11-16 | 2018-05-17 | Microsoft Technology Licensing, Llc | Systems and methods for detecting an attack on an auto-generated website by a virtual machine
CN109495422A * | 2017-09-11 | 2019-03-19 | 中国电信股份有限公司 | Virtual firewall configuration method, device, and computer-readable storage medium
US20200356401A1 * | 2018-03-23 | 2020-11-12 | Huawei Technologies Co., Ltd. | Method for Accessing Remote Acceleration Device by Virtual Machine, and System
CN108897604A * | 2018-07-03 | 2018-11-27 | 北京思空科技有限公司 | Intrusion detection system, device and method, and computer-readable storage medium
CN109189559A * | 2018-09-12 | 2019-01-11 | 郑州云海信息技术有限公司 | Secure virtual machine communication method, device, equipment and storage medium
CN109324873A * | 2018-09-21 | 2019-02-12 | 郑州云海信息技术有限公司 | Virtualization security management method, device running a kernel driver, and storage medium
CN109597675A * | 2018-10-25 | 2019-04-09 | 中国科学院信息工程研究所 | Virtual machine malware behavior detection method and system
CN112445568A * | 2019-09-02 | 2021-03-05 | 阿里巴巴集团控股有限公司 | Data processing method, device and system based on hardware acceleration
CN111625826A * | 2020-05-28 | 2020-09-04 | 浪潮电子信息产业股份有限公司 | Malicious software detection method and device in a cloud server, and readable storage medium
CN111897626A * | 2020-07-07 | 2020-11-06 | 烽火通信科技股份有限公司 | Cloud computing scenario-oriented virtual machine high-reliability system and implementation method
CN111988230A * | 2020-08-19 | 2020-11-24 | 海光信息技术有限公司 | Virtual machine communication method, device and system, and electronic equipment

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Garfinkel, Tal; Rosenblum, Mendel: "A virtual machine introspection based architecture for intrusion detection", NDSS, vol. 3 *
Alarifi, Suaad S.; Wolthusen, Stephen D.: "Detecting anomalies in IaaS environments through virtual machine host system call analysis", 2012 International Conference for Internet Technology and Secured Transactions *
于佳耕; 周鹏; 武延军; 赵琛: "Model analysis and implementation method for deterministic execution replay of virtual machines" (虚拟机确定性执行重放的模型分析和实现方法), Journal of Software (软件学报), vol. 23, no. 06 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN114710366A * | 2022-05-31 | 2022-07-05 | 阿里巴巴(中国)有限公司 | Cross-security-zone resource access method in a cloud computing system, and electronic device
CN117389694A * | 2023-12-13 | 2024-01-12 | 麒麟软件有限公司 | Virtual storage IO performance improvement method based on virtio-blk technology
CN117407092A * | 2023-12-13 | 2024-01-16 | 苏州元脑智能科技有限公司 | Device configuration changing method and device, electronic device and storage medium
CN117407092B * | 2023-12-13 | 2024-03-12 | 苏州元脑智能科技有限公司 | Device configuration changing method and device, electronic device and storage medium
CN117389694B * | 2023-12-13 | 2024-04-05 | 麒麟软件有限公司 | Virtual storage IO performance improvement method based on virtio-blk technology

Legal Events

Date | Code | Title | Description
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
EE01 | Entry into force of recordation of patent licensing contract
  Application publication date: 20220513
  Assignee: Dbappsecurity Co.,Ltd.
  Assignor: Tianyiyun Technology Co.,Ltd.
  Contract record no.: X2024990000089
  Denomination of invention: A Virtual Machine Intrusion Detection Method and Device
  Granted publication date: 20230804
  License type: Common License
  Record date: 20240308