CN103023912A - Method for preventing network attacks based on virtual machines - Google Patents

Method for preventing network attacks based on virtual machines

Info

Publication number
CN103023912A
Authority
CN
China
Prior art keywords
vmi
packet
filter
filtering device
network
Prior art date
Legal status
Pending
Application number
CN2012105746870A
Other languages
Chinese (zh)
Inventor
柯宗贵
柯宗庆
杨育斌
吴一冰
Current Assignee
Bluedon Information Security Technologies Co Ltd
Original Assignee
Bluedon Information Security Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Bluedon Information Security Technologies Co Ltd
Priority to CN2012105746870A
Publication of CN103023912A
Legal status: Pending (current)

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method for preventing network attacks carried out from virtual machines. When a virtual machine process sends a data packet, the guest operating system writes the packet to the virtual network interface card; the VMM (virtual machine manager) captures this event and hands it to a VMI (virtual machine introspection) attack filter. The VMI attack filter obtains the sending process ID and user ID through VMI; if the destination and sender of the packet match a filtering policy, the filter discards the packet, otherwise the packet is sent. The method refines filtering policies to the process or user level, and overall efficiency is improved by placing a filter checker in the VMM.

Description

Method for preventing network attacks carried out from virtual machines
Technical field
The present invention relates to the field of computer security technology, and in particular to a method for preventing network attacks carried out from virtual machines.
Background technology
With IaaS cloud computing providers (such as Amazon EC2), users rent computing resources and install their own operating system and applications inside a virtual machine. The powerful elastic computing capability of cloud computing not only helps us process massive amounts of data, it also brings security threats: a malicious user of cloud computing resources can use the cloud to mount network attacks on a much larger scale. On the other hand, since the service provider has no right to install a firewall and set policies inside a user's virtual machine, how a virtual machine is used is essentially uncontrollable, which gives such malicious users even more room. To some degree the cloud service provider thereby becomes an attacker too, and has to bear responsibility for the malicious attacks of some of its users. Cloud service providers therefore urgently need a means of detecting, from outside the virtual machine, that a virtual machine is being used to carry out network attacks, so that their cloud resources are not exploited maliciously.
At present IaaS cloud service providers usually rely on the packet filtering of a perimeter firewall to detect malicious behaviour of virtual machines in the cloud: the perimeter firewall uses information such as source IP address and port number to filter out the packets that a given virtual machine sends outside its host.
Adding a policy to the IaaS perimeter firewall does block the malicious packets a particular virtual machine sends, but it also blocks the packets of that virtual machine's legitimate applications. For a virtual machine that is used entirely for malicious purposes this is acceptable, but for a virtual machine that is only partly misused it interrupts the service of the legitimate applications inside it. For example, suppose the web server software inside a virtual machine has a vulnerability that a malicious user exploits, so that only the website data is under the malicious user's control, while other applications such as the mail server still provide service normally. If the cloud service provider, on detecting that the web server is being misused, also cuts off the legitimate communication of the mail server, that is clearly inappropriate.
Installing a firewall inside the user's virtual machine and setting filtering policies there allows accurate filtering, because such firewalls sit in the operating system kernel and can use information about the sending process. By process ID or user ID they block the outgoing packets of the specific process or user controlled by the intruder, while legitimate applications still communicate normally with external hosts.
An IaaS cloud service provider, however, usually has no right to install firewalls and set rules inside guest virtual machines. Doing so requires the cooperation of the user administering the virtual machine, and because it narrows the scope of the IaaS user's operational rights, users are often reluctant to cooperate. This approach is therefore hard to carry out in practice.
Summary of the invention
The object of the invention is to overcome the defects of the prior art by providing a method for preventing network attacks carried out from virtual machines, by which filtering policies can be refined to the process or user level, while placing the filter checker in the VMM improves overall efficiency.
To achieve this, the invention provides a method for preventing network attacks carried out from virtual machines, which is specifically: when a virtual machine process sends a packet, the guest operating system writes it to the virtual network card; at this moment the VMM captures the event and passes it to the VMI attack filter; the VMI attack filter obtains the process ID and user ID through VMI; if the destination and sender of the packet match a filtering policy, the VMI attack filter discards the packet, otherwise the packet is sent.
Preferably, in the above method, the VMI attack filter is an IP filter running in the VMM; since every packet sent by any virtual machine has to pass through the VMM, the VMI attack filter can intercept all network packets sent from inside the host.
Preferably, in the above method, for each packet the VMI attack filter looks up, by IP address and port number, the network socket from which the packet was sent; the process that created this socket is the sending process, and the owner of that process is the sender.
Preferably, in the above method, the VMI attack filter consists of three modules: the filter kernel, the filter detector and the filter checker.
Preferably, in the above method, a process in a DomU issues a "send" system call; its operating system kernel sends a packet to the front-end network driver, and the front-end network driver delivers the packet to the back-end network driver located in the Dom0 kernel; at this moment the back-end network driver invokes the filter kernel instead of invoking a real network driver. If the filter kernel decides to refuse the packet, the packet is dropped; otherwise it is passed to the filter detector. If the filter detector judges the packet to be an attack packet, it generates a new filtering policy and drops the packet; if the filter detector judges that it is not an attack packet, the packet is passed to the real network driver and sent onto the network.
Preferably, in the above method, when the filter kernel needs sender information to decide whether the packet should be dropped, it invokes the filter checker located in the VMM. The filter checker sends a hypercall to the VMM, with the ID of the source DomU and the packet header as its parameters; the filter checker inspects the DomU, finds the sender and decides from the sender's information whether to filter; the hypercall then returns this decision to the filter kernel.
The technical solution of the invention brings the following beneficial effects:
Finer-grained filtering: the VMI attack filter can refine filtering policies to the process or user level, whereas an existing perimeter firewall can only refine them to the virtual machine level: once a filtering rule matches, none of the packets from inside that virtual machine can be sent, and legitimate services are interrupted. The VMI attack filter instead uses VMI to obtain sender information, such as process ID and user ID, from the guest operating system's data, so that only the packets sent by the malicious process or malicious user are filtered and the packets of legitimate processes or users are still sent normally. Compared with an existing perimeter firewall, the VMI attack filter can also block attacks by one virtual machine against other virtual machines inside the same host.
Efficiency: placing the filter checker in the VMM improves overall efficiency. Although the filter kernel and the detector located in Dom0 could also analyse the DomU through memory page mapping, the amount of data to inspect would be large and the analysis inefficient, whereas the VMM manages all of the system's memory and can read the memory state of the DomU directly. The VMI attack filter can thus not only inspect all packets through Dom0 but also detect attack packets sent within the host. Furthermore, when no filtering policy applies, the filter kernel can pass the packet to the detector immediately without invoking the checker in the VMM; if all components of the VMI attack filter ran in the VMM, the back-end network driver would always have to issue a hypercall to the VMM.
Description of drawings
To illustrate the embodiments of the invention or the prior-art technical solutions more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can derive further drawings from them without creative effort.
Fig. 1 is a flow chart of the method of the invention;
Fig. 2 is a schematic diagram of the working principle of the VMI attack filter in an embodiment of the invention.
Embodiment
The technical solution in the embodiments of the invention is described clearly and completely below with reference to the drawings. Obviously the described embodiments are only some, not all, of the embodiments of the invention; all other embodiments that those of ordinary skill in the art obtain from them without creative effort fall within the scope of protection of the invention.
The invention proposes a new method for preventing network attacks carried out from virtual machines; the method is realized by the VMI attack filter, which automatically detects attacks directed at the outside on the basis of sender information and blocks them.
The VMI attack filter is an IP filter running in the VMM (virtual machine manager). Because every packet sent by any virtual machine has to pass through the VMM, the VMI attack filter can intercept all network packets sent from inside the host. Compared with an existing perimeter firewall, it can also block attacks by one virtual machine against other virtual machines inside the same host. In addition, because the VMI attack filter is isolated from the virtual machines by the VMM, an intruder can hardly gain control of it.
Because VMI can read the memory data of a virtual machine directly, the data of the virtual machine's operating system can be inspected through VMI, and attacks the virtual machine sends to the outside can then be blocked. Using VMI, the VMI attack filter obtains sender information, such as process ID and user ID, from the guest operating system's data: for each packet it looks up, by IP address and port number, the network socket from which the packet was sent; the process that created that socket is the sending process, and the owner of that process is the sender. In this way the VMI attack filter can, like a firewall inside the virtual machine, rely on process ID and user ID to block exactly the attacks of the malicious process.
The packet filtering flow of the VMI attack filter is shown in Fig. 1.
When a virtual machine process sends a packet, the guest operating system writes it to the virtual network card. At this moment the VMM captures the event and passes it to the VMI attack filter. The VMI attack filter obtains the process ID and user ID through VMI; if the destination and sender of the packet match a filtering policy, the VMI attack filter discards the packet, otherwise it sends the packet.
The working principle of the VMI attack filter is shown in Fig. 2.
The VMI attack filter consists of three modules: the filter kernel, the filter detector and the filter checker.
A process in a DomU issues a "send" system call; its operating system kernel sends a packet to the front-end network driver, and the front-end network driver delivers the packet to the back-end network driver located in the Dom0 kernel. At this moment the back-end network driver invokes the filter kernel instead of invoking a real network driver. If the filter kernel decides to refuse the packet, the packet is dropped; otherwise it is passed to the filter detector. If the filter detector judges the packet to be an attack packet, it generates a new filtering policy and drops the packet. If the filter detector judges that it is not an attack packet, the packet is passed to the real network driver and sent onto the network.
When the filter kernel needs sender information to decide whether the packet should be dropped, it invokes the filter checker located in the VMM. The filter checker sends a hypercall to the VMM, with the ID of the source DomU and the packet header as its parameters. The filter checker inspects the DomU, finds the sender and decides from the sender's information whether to filter. The hypercall then returns this decision to the filter kernel.
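The Dom0/VMM division of labour in the flow above, as an added Python simulation that is not part of the patent or of any Bluedon product: the filter kernel decides header-only rules by itself, asks the VMM-resident checker for sender information only when a process- or user-level rule or the detector needs it, and the detector turns an attack packet into a new process-level rule. The DomU socket and process tables, the addresses, the "destination port 4444 is an attack" judgement and all class names are constructed stand-ins, not anything the patent specifies.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional
# Packet header fields the filter kernel sees, plus the id of the source DomU.
Packet = namedtuple("Packet", "dom_id src_ip src_port dst_ip dst_port")

@dataclass(frozen=True)
class Rule:
    """Filtering policy entry; None means 'any'. A pid or uid makes the rule process-
    or user-level: undecidable from the header alone, so the checker must be asked."""
    dom_id: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    pid: Optional[int] = None
    uid: Optional[int] = None

    def matches_header(self, pkt) -> bool:
        return (self.dom_id in (None, pkt.dom_id) and self.dst_ip in (None, pkt.dst_ip)
                and self.dst_port in (None, pkt.dst_port))

    def matches_sender(self, pid, uid) -> bool:
        return self.pid in (None, pid) and self.uid in (None, uid)

# Constructed stand-in for the DomU 7 memory VMI would read: sockets (ip, port) -> pid,
# processes pid -> (name, uid).
GUEST_STATE = {7: {"sockets": {("10.0.0.7", 40001): 1201, ("10.0.0.7", 25): 1340},
                   "procs": {1201: ("httpd", 33), 1340: ("postfix", 102)}}}

class Checker:
    """VMM-resident module reached by hypercall: socket -> creating process -> owner."""
    def __init__(self, guest_state):
        self.state, self.hypercalls = guest_state, 0

    def lookup_sender(self, pkt):
        self.hypercalls += 1
        dom = self.state.get(pkt.dom_id, {"sockets": {}, "procs": {}})
        pid = dom["sockets"].get((pkt.src_ip, pkt.src_port))
        return pid, (dom["procs"][pid][1] if pid is not None else None)

class Detector:
    """Dom0 module judging packets no policy caught; constructed: a listed dst port is an attack."""
    def __init__(self, attack_ports):
        self.attack_ports = set(attack_ports)

    def is_attack(self, pkt) -> bool:
        return pkt.dst_port in self.attack_ports

class FilterKernel:
    """Dom0 module the back-end network driver invokes instead of the real driver."""
    def __init__(self, rules, checker, detector):
        self.rules, self.checker, self.detector, self.sent = list(rules), checker, detector, []

    def handle(self, pkt) -> str:
        sender = None  # (pid, uid), fetched by hypercall at most once per packet
        for rule in self.rules:
            if not rule.matches_header(pkt):
                continue  # cheap rejection on header fields, no hypercall needed
            if rule.pid is not None or rule.uid is not None:
                sender = sender or self.checker.lookup_sender(pkt)
                if not rule.matches_sender(*sender):
                    continue  # same VM and destination, but another process/user
            return "drop:policy"
        if self.detector.is_attack(pkt):
            # Detector generates a new, process-level policy so the VM's other traffic flows.
            sender = sender or self.checker.lookup_sender(pkt)
            self.rules.append(Rule(dom_id=pkt.dom_id, dst_port=pkt.dst_port, pid=sender[0]))
            return "drop:detector"
        self.sent.append(pkt)  # handed on to the real network driver
        return "send"

def run_demo():
    """Constructed scenario: httpd (uid 33) in DomU 7 is compromised, postfix (uid 102)
    in the same VM must keep working. Returns (verdicts, hypercalls, rule count)."""
    checker, detector = Checker(GUEST_STATE), Detector(attack_ports={4444})
    kernel = FilterKernel([Rule(dom_id=7, uid=33, dst_ip="203.0.113.9")], checker, detector)
    packets = [
        Packet(7, "10.0.0.7", 40001, "203.0.113.9", 80),      # httpd -> listed host: policy drop
        Packet(7, "10.0.0.7", 25, "203.0.113.9", 25),         # postfix -> same host: passes
        Packet(7, "10.0.0.7", 40001, "198.51.100.77", 4444),  # httpd probe: detector drops it
        Packet(7, "10.0.0.7", 40001, "198.51.100.77", 4444),  # repeat: hits the generated rule
        Packet(7, "10.0.0.7", 25, "198.51.100.5", 25),        # postfix elsewhere: no hypercall
    ]
    verdicts = [kernel.handle(p) for p in packets]
    return verdicts, checker.hypercalls, len(kernel.rules)
```

`run_demo()` shows the compromised httpd process blocked while postfix in the same VM keeps sending to the same destination, and a hypercall count that rises only for packets whose verdict actually needed sender information.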
The method for preventing network attacks carried out from virtual machines provided by the embodiments of the invention has been described in detail above. Specific examples have been used to explain the principle and implementation of the invention; the explanation of the above embodiments is only meant to help understand the method of the invention and its core idea. Those of ordinary skill in the art will, following the idea of the invention, make changes in the specific embodiments and the scope of application; in summary, this description should not be construed as limiting the invention.

Claims (6)

1. A method for preventing network attacks carried out from virtual machines, characterized in that: when a virtual machine process sends a packet, the guest operating system writes it to the virtual network card; at this moment the VMM captures the event and passes it to the VMI attack filter; the VMI attack filter obtains the process ID and user ID through VMI; if the destination and sender of the packet match a filtering policy, the VMI attack filter discards the packet, otherwise the packet is sent.
2. The method according to claim 1, characterized in that the VMI attack filter is an IP filter running in the VMM; since every packet sent by any virtual machine has to pass through the VMM, the VMI attack filter can intercept all network packets sent from inside the host.
3. The method according to claim 1, characterized in that, for each packet, the VMI attack filter looks up, by IP address and port number, the network socket from which the packet was sent; the process that created this socket is the sending process, and the owner of that process is the sender.
4. The method according to claim 1, characterized in that the VMI attack filter consists of three modules: the filter kernel, the filter detector and the filter checker.
5. The method according to claim 1 or 4, characterized in that a process in a DomU issues a "send" system call; its operating system kernel sends a packet to the front-end network driver, and the front-end network driver delivers the packet to the back-end network driver located in the Dom0 kernel; at this moment the back-end network driver invokes the filter kernel instead of invoking a real network driver; if the filter kernel decides to refuse the packet, the packet is dropped, otherwise it is passed to the filter detector; if the filter detector judges the packet to be an attack packet, it generates a new filtering policy and drops the packet; if the filter detector judges that it is not an attack packet, the packet is passed to the real network driver and sent onto the network.
6. The method according to claim 5, characterized in that, when the filter kernel needs sender information to decide whether the packet should be dropped, it invokes the filter checker located in the VMM; the filter checker sends a hypercall to the VMM, with the ID of the source DomU and the packet header as its parameters; the filter checker inspects the DomU, finds the sender and decides from the sender's information whether to filter; the hypercall then returns this decision to the filter kernel.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2012105746870A CN103023912A (en) 2012-12-26 2012-12-26 Method for preventing network attacks based on virtual machines

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2012105746870A CN103023912A (en) 2012-12-26 2012-12-26 Method for preventing network attacks based on virtual machines

Publications (1)

Publication Number Publication Date
CN103023912A true CN103023912A (en) 2013-04-03

Family

ID=47972043

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2012105746870A Pending CN103023912A (en) 2012-12-26 2012-12-26 Method for preventing network attacks based on virtual machines

Country Status (1)

Country Link
CN (1) CN103023912A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101567787A (en) * 2008-04-25 2009-10-28 联想(北京)有限公司 Computer system, computer network and data communication method
CN102129531A (en) * 2011-03-22 2011-07-20 北京工业大学 Xen-based active defense method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Tal Garfinkel et al.: "A Virtual Machine Introspection Based Architecture for Intrusion Detection", Network and Distributed System Security Symposium *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10567422B2 (en) 2014-11-26 2020-02-18 Huawei Technologies Co., Ltd. Method, apparatus and system for processing attack behavior of cloud application in cloud computing system
CN104732145B (en) * 2015-03-31 2018-04-13 北京奇虎科技有限公司 A kind of parasitic process detection method and apparatus in virtual machine
CN104732145A (en) * 2015-03-31 2015-06-24 北京奇虎科技有限公司 Parasitic course detection method and device in virtual machine
CN104917653A (en) * 2015-06-26 2015-09-16 北京奇虎科技有限公司 Virtual flow monitoring method based on cloud platform and device thereof
CN105426758A (en) * 2015-12-18 2016-03-23 北京奇虎科技有限公司 Protection method and device for virtual machine escape
CN105426758B (en) * 2015-12-18 2018-07-27 北京奇虎科技有限公司 A kind of means of defence and device of virtual machine escape
CN105608374B (en) * 2015-12-18 2019-04-19 北京奇虎科技有限公司 The detection method and device of virtual machine escape
CN107608752B (en) * 2016-07-12 2020-10-16 中国科学院信息工程研究所 Threat information response and disposal method and system based on virtual machine introspection
CN107608752A (en) * 2016-07-12 2018-01-19 中国科学院信息工程研究所 The threat information response examined oneself based on virtual machine and method of disposal and system
US11265291B2 (en) 2017-08-25 2022-03-01 Red Hat, Inc. Malicious packet filtering by a hypervisor
US10616099B2 (en) 2017-08-28 2020-04-07 Red Hat, Inc. Hypervisor support for network functions virtualization
CN109660535A (en) * 2018-12-17 2019-04-19 郑州云海信息技术有限公司 The treating method and apparatus of data in linux system
US11709716B2 (en) 2019-08-26 2023-07-25 Red Hat, Inc. Hardware offload support for an operating system offload interface using operation code verification
WO2021189257A1 (en) * 2020-03-24 2021-09-30 深圳市欢太科技有限公司 Malicious process detection method and apparatus, electronic device, and storage medium

Similar Documents

Publication Publication Date Title
CN103023912A (en) Method for preventing network attacks based on virtual machines
US10567422B2 (en) Method, apparatus and system for processing attack behavior of cloud application in cloud computing system
Roschke et al. Intrusion detection in the cloud
EP3014813B1 (en) Rootkit detection by using hardware resources to detect inconsistencies in network traffic
US9106697B2 (en) System and method for identifying unauthorized activities on a computer system using a data structure model
EP2570954B1 (en) Method, device and system for preventing distributed denial of service attack in cloud system
US11012449B2 (en) Methods and cloud-based systems for detecting malwares by servers
TWI453624B (en) Information security protection host
CA3021285C (en) Methods and systems for network security
CN111274583A (en) Big data computer network safety protection device and control method thereof
CN104023034A (en) Security defensive system and defensive method based on software-defined network
CN104866407A (en) Monitoring system and method in virtual machine environment
Thongthua et al. Assessment of hypervisor vulnerabilities
CN102624721B (en) Feature code verification platform system and feature code verification method
CN104219211B (en) The detection method and device of network security in a kind of system for cloud computing
CN108183884B (en) Network attack determination method and device
Song et al. Cooperation of intelligent honeypots to detect unknown malicious codes
CN105704087A (en) Device for realizing network security management based on virtualization and management method
Roschke et al. An advanced IDS management architecture
Chouhan et al. Network based malware detection within virtualised environments
Wang et al. TVIDS: Trusted virtual IDS with SGX
CN115549950A (en) Safety protection system of industrial control equipment based on virtualization
US12067415B1 (en) Automatic receive side scaling configuration
Carter Security Analysis of a Beckhoff CX-9020 Programmable Logic Controller
CN115622808A (en) Method, electronic device, computer readable medium for secure isolation

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20130403