CN103023912A - Method for preventing network attacks based on virtual machines - Google Patents
- Publication number: CN103023912A (application number CN201210574687A, also listed as CN2012105746870A)
- Authority: CN (China)
- Prior art keywords
- vmi
- packet
- filter
- filtering device
- network
- Legal status: Pending (Google notes that the status is an assumption, not a legal conclusion, and that it has performed no legal analysis of its accuracy)
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a method for preventing network attacks launched from virtual machines. When a process in a virtual machine sends a packet, the guest operating system writes it to the virtual network interface card; the VMM (virtual machine monitor) captures this event and hands the packet to a VMI (virtual machine introspection) attack filter. The VMI attack filter obtains the sending process ID and user ID through introspection; if the packet's destination and sender match a filtering policy, the filter discards the packet, otherwise the packet is sent out. The method refines filtering policies to the process or user level, and placing the filter checker in the VMM improves overall efficiency.
Description
Technical field
The present invention relates to the field of computer security, and in particular to a method for preventing network attacks launched from virtual machines.
Background technology
With an IaaS cloud provider (such as Amazon EC2), a user rents computing resources and installs an operating system and applications inside a virtual machine. The elastic computing capacity of the cloud helps solve massive data-processing problems, but it also brings security threats: a malicious user of cloud resources can launch larger-scale network attacks through the cloud. On the other hand, because the provider has no right to install a firewall or set policies inside a user's virtual machine, how the virtual machine is used is essentially uncontrolled, which gives such malicious users more room. To some extent the cloud provider itself then becomes an attacker and has to bear responsibility for the malicious attacks of some of its users. Cloud providers therefore urgently need a means of detecting, from outside the virtual machine, network attacks launched through it, so that their computing resources are not exploited maliciously.
Today an IaaS provider usually relies on the packet filtering of a perimeter firewall to detect malicious behaviour of virtual machines in the cloud: the perimeter firewall uses information such as source IP address and port number to filter out packets that a virtual machine sends beyond its host.
Adding a rule to the IaaS perimeter firewall does block the malicious packets a virtual machine sends, but it blocks the packets of that machine's legitimate applications at the same time. For a virtual machine that is used entirely for malicious purposes this is acceptable. For a virtual machine that is only partly misused, it interrupts the service of the legitimate applications inside it. For example, the web server software in a virtual machine may have been compromised through a vulnerability, so that only the website is under the malicious user's control, while other applications such as the mail server continue to serve normally. If the cloud provider, having detected that the web server is being misused, also cuts off the legitimate traffic of the mail server, that is clearly inappropriate.
A firewall installed inside the user's virtual machine, with corresponding filtering policies, can filter precisely because it sits in the operating system kernel and can use information about the sending process: packets sent by a specific process or user under the intruder's control are blocked by process ID or user ID (Linux netfilter's owner match, for instance, keys on the UID of the socket that sent the packet), while legitimate applications still communicate normally with external hosts.
An IaaS provider, however, normally has no right to install a firewall and set rules inside guest virtual machines. Doing so requires the cooperation of the user's virtual machine administrator, and because it narrows the scope of what the IaaS user may operate, users are often reluctant to cooperate. This approach is therefore hard to carry out in practice.
Summary of the invention
The object of the invention is to overcome the defects of the prior art by providing a method for preventing network attacks launched from virtual machines, in which filtering policies can be refined to the process or user level and, at the same time, placing the filter checker in the VMM improves overall efficiency.
To achieve this object, the invention provides a method for preventing network attacks launched from virtual machines, specifically: when a process in a virtual machine sends a packet, the guest operating system writes it to the virtual network interface card; the VMM captures this event and hands the packet to the VMI attack filter; the VMI attack filter obtains the process ID and user ID through VMI; if the destination and sender of the packet match a filtering policy, the VMI attack filter discards the packet, otherwise it sends the packet out.
Preferably, in the above method, the VMI attack filter is an IP packet filter running in the VMM; because every packet sent by any virtual machine must pass through the VMM, the VMI attack filter can intercept all network packets sent from inside the host.
Preferably, in the above method, for each packet the VMI attack filter looks up, by IP address and port number, the network socket that sent the packet; the process that created that socket is the sending process, and the owner of that process is the sender.
Preferably, in the above method, the VMI attack filter is composed of three modules: the filter kernel, the filter detector and the filter checker.
Preferably, in the above method, a process in a DomU issues a "send" system call; its operating system kernel passes the packet to the frontend network driver, and the frontend driver delivers the packet to the backend network driver located in the Dom0 kernel. The backend driver then invokes the filter kernel instead of the real network driver. If the filter kernel decides to reject the packet, the packet is discarded; otherwise it is passed to the filter detector. If the filter detector judges the packet to be an attack packet, it generates a new filtering policy and discards the packet; if it judges that the packet is not an attack packet, the packet is passed to the real network driver and sent onto the network.
Preferably, in the above method, when the filter kernel needs information about the sender in order to decide whether to discard a packet, it invokes the filter checker located in the VMM. The filter checker issues a hypercall to the VMM that takes the ID of the source DomU and the ID of the packet header as parameters; the checker inspects the DomU, finds the sender and decides, based on the sender's information, whether to filter the packet; the hypercall then returns this decision to the filter kernel.
The technical solution of the invention brings the following beneficial effects:
Finer filtering: the VMI attack filter can refine filtering policies to the process or user level, whereas an existing perimeter firewall can only refine them to the virtual-machine level: once a filtering policy matches, none of the packets from inside that virtual machine can be sent, and legitimate services are interrupted. The VMI attack filter instead uses VMI to obtain sender information such as the process ID and user ID from the guest operating system's data, so that only the packets of the malicious process or user are filtered, while packets of legitimate processes or users are still sent normally. Compared with an existing perimeter firewall, the VMI attack filter can also block a virtual machine's attacks against other virtual machines on the same host.
Efficiency: placing the filter checker in the VMM improves overall efficiency. A filter kernel and detector located in Dom0 could also analyse a DomU through memory page mapping, but the amount of data to inspect is larger and the analysis is slow, whereas the VMM manages all of system memory and can read the memory state of a DomU directly. The VMI attack filter can examine all packets in Dom0 alone and detect attack packets sent from inside the virtual machines; when no filtering policy applies, the filter kernel passes the packet straight to the detector without invoking the checker in the VMM. If all components of the VMI attack filter ran in the VMM, the backend network driver would have to issue a hypercall to the VMM for every packet.
Description of drawings
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are introduced briefly below. Obviously the drawings described below show only some embodiments of the invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow chart of the method of the invention;
Fig. 2 is a diagram of the working principle of the VMI attack filter in an embodiment of the invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. Obviously the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
The invention proposes a new method for preventing network attacks launched from virtual machines, implemented by a VMI attack filter. Based on sender information, the VMI attack filter automatically detects attacks directed at the outside and blocks them.
The VMI attack filter is an IP packet filter running in the VMM (virtual machine monitor). Because every packet sent by any virtual machine must pass through the VMM, the VMI attack filter can intercept all network packets sent from inside the host. Compared with an existing perimeter firewall, it can also block a virtual machine's attacks against other virtual machines on the same host. In addition, because the VMM isolates the VMI attack filter from the virtual machines, an intruder finds it difficult to gain control of the filter.
Because VMI can read a virtual machine's memory directly, the data of the guest operating system can be inspected through VMI, and attacks sent from the virtual machine to the outside can be blocked on that basis. Using VMI, the VMI attack filter obtains sender information such as the process ID and user ID from the guest operating system's data. For each packet, it looks up, by IP address and port number, the network socket that sent the packet; the process that created that socket is the sending process, and the owner of that process is the sender. In this way the VMI attack filter can, like a firewall inside the virtual machine, rely on process ID and user ID to block exactly the attacks of the malicious process.
The packet filtering flow of the VMI attack filter is shown in Fig. 1.
When a process in a virtual machine sends a packet, the guest operating system writes it to the virtual network interface card. The VMM captures this event and hands the packet to the VMI attack filter. The VMI attack filter obtains the process ID and user ID through VMI; if the destination and sender of the packet match a filtering policy, the VMI attack filter discards the packet. Otherwise the packet is sent out.
The working principle of the VMI attack filter is shown in Fig. 2.
The VMI attack filter is composed of three modules: the filter kernel, the filter detector and the filter checker.
A process in a DomU issues a "send" system call; its operating system kernel passes the packet to the frontend network driver, and the frontend driver delivers the packet to the backend network driver located in the Dom0 kernel. The backend driver then invokes the filter kernel instead of the real network driver. If the filter kernel decides to reject the packet, the packet is discarded; otherwise it is passed to the filter detector. If the filter detector judges the packet to be an attack packet, it generates a new filtering policy and discards the packet. If it judges that the packet is not an attack packet, the packet is passed to the real network driver and sent onto the network.
When the filter kernel needs information about the sender in order to decide whether to discard a packet, it invokes the filter checker located in the VMM. The filter checker issues a hypercall to the VMM that takes the ID of the source DomU and the ID of the packet header as parameters. The checker inspects the DomU, finds the sender and decides, based on the sender's information, whether to filter the packet. The hypercall then returns this decision to the filter kernel.
The method for preventing network attacks launched from virtual machines provided by the embodiments of the invention has been described in detail above. Specific examples have been used to explain the principle and implementation of the invention; the description of the embodiments is only intended to help understand the method of the invention and its core idea. At the same time, a person of ordinary skill in the art may, following the idea of the invention, make changes in the specific implementation and scope of application. In summary, this description should not be construed as limiting the invention.
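As an added illustration (not the patent's own code, and not Xen code), the following Python simulation models the three modules and the sender lookup described above. The guest socket and process tables are constructed stand-ins for what the filter checker would read from DomU memory; `GUEST_STATE`, `VmiAttackFilter`, `Rule` and `perimeter_verdict` are names chosen here; the hypercall is an ordinary method call; and the port-scan heuristic used by the detector is an assumption, since the patent does not specify how an attack packet is recognised.

```python
"""Simulation of the patent's VMI attack filter (added example; constructed data,
no Xen code). GUEST_STATE stands in for DomU kernel memory, introspect() for the
hypercall into the VMM, and the detector heuristic is an assumption."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed guest state keyed by Xen domain id: what the filter checker would
# recover by walking the guest's socket hash table and per-process fd tables.
GUEST_STATE = {
    1: {
        "sockets": {("10.0.0.5", 25): 7002,      # (local ip, local port) -> socket inode
                    ("10.0.0.5", 40001): 7003},
        "processes": {1001: {"uid": 33, "inodes": {7003}},   # httpd, compromised
                      1002: {"uid": 8,  "inodes": {7002}}},  # postfix, legitimate
    }
}

@dataclass(frozen=True)
class Packet:
    domid: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Sender:
    pid: int
    uid: int

@dataclass(frozen=True)
class Rule:
    """Filtering policy: drop when sender and destination both match (None = any)."""
    domid: int
    pid: Optional[int] = None
    uid: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def needs_sender(self) -> bool:
        return self.pid is not None or self.uid is not None

    def matches(self, pkt: Packet, sender: Optional[Sender]) -> bool:
        if pkt.domid != self.domid:
            return False
        if self.dst_ip not in (None, pkt.dst_ip) or self.dst_port not in (None, pkt.dst_port):
            return False
        if not self.needs_sender():
            return True
        return sender is not None and self.pid in (None, sender.pid) and self.uid in (None, sender.uid)

class VmiAttackFilter:
    def __init__(self, scan_threshold: int = 3):
        self.rules: List[Rule] = []
        self.hypercalls = 0                 # invocations of the checker in the VMM
        self.scan_threshold = scan_threshold
        # (domid, src ip, src port) -> distinct destinations seen from that socket
        self._targets: Dict[Tuple[int, str, int], Set[Tuple[str, int]]] = {}

    def introspect(self, pkt: Packet) -> Optional[Sender]:
        """Filter checker (VMM): sending socket -> creating process -> owning user."""
        self.hypercalls += 1
        guest = GUEST_STATE.get(pkt.domid, {})
        inode = guest.get("sockets", {}).get((pkt.src_ip, pkt.src_port))
        for pid, proc in guest.get("processes", {}).items():
            if inode is not None and inode in proc["inodes"]:
                return Sender(pid=pid, uid=proc["uid"])
        return None

    def detect(self, pkt: Packet) -> bool:
        """Filter detector (Dom0): assumed heuristic, one socket contacting many destinations."""
        seen = self._targets.setdefault((pkt.domid, pkt.src_ip, pkt.src_port), set())
        seen.add((pkt.dst_ip, pkt.dst_port))
        return len(seen) >= self.scan_threshold

    def filter_packet(self, pkt: Packet) -> str:
        """Filter kernel (Dom0 backend driver hook): the path every outbound packet takes."""
        sender, looked_up = None, False
        for rule in self.rules:
            if rule.needs_sender() and not looked_up:
                sender, looked_up = self.introspect(pkt), True   # hypercall only when a rule needs it
            if rule.matches(pkt, sender):
                return "DROP"
        if self.detect(pkt):
            if not looked_up:
                sender = self.introspect(pkt)
            if sender is not None:              # turn VM-level evidence into a process-level policy
                self.rules.append(Rule(domid=pkt.domid, pid=sender.pid))
            return "DROP"
        return "SEND"

def perimeter_verdict(pkt: Packet, blocked_src_ips: Set[str]) -> str:
    """A perimeter firewall keyed on source address: all-or-nothing per virtual machine."""
    return "DROP" if pkt.src_ip in blocked_src_ips else "SEND"

if __name__ == "__main__":
    f = VmiAttackFilter()
    mail = Packet(1, "10.0.0.5", 25, "203.0.113.10", 25)
    scan = [Packet(1, "10.0.0.5", 40001, "198.51.100.7", p) for p in (21, 22, 23, 24)]
    print("scan verdicts:", [f.filter_packet(p) for p in scan])   # SEND, SEND, DROP, DROP
    print("mail after policy:", f.filter_packet(mail), "rules:", f.rules, "hypercalls:", f.hypercalls)
    print("perimeter firewall on mail:", perimeter_verdict(mail, {"10.0.0.5"}))
```

Running the module shows the difference the patent claims: once the compromised httpd process (pid 1001) trips the detector, a process-level rule drops its packets while postfix (pid 1002) on the same virtual machine keeps sending, whereas a perimeter firewall rule on the source address drops both. The `hypercalls` counter also shows the efficiency argument: no hypercall is issued while no policy needs sender information. One caveat the patent does not discuss: the lookup trusts the guest kernel's socket and process tables as found in DomU memory, so a compromise at guest-kernel level can alter what introspection sees.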
Claims (6)
1. A method for preventing network attacks launched from virtual machines, characterized in that: when a process in a virtual machine sends a packet, the guest operating system writes it to the virtual network interface card; the VMM captures this event and hands the packet to the VMI attack filter; the VMI attack filter obtains the process ID and user ID through VMI; if the destination and sender of the packet match a filtering policy, the VMI attack filter discards the packet, otherwise it sends the packet out.
2. The method according to claim 1, characterized in that the VMI attack filter is an IP packet filter running in the VMM; because every packet sent by any virtual machine must pass through the VMM, the VMI attack filter can intercept all network packets sent from inside the host.
3. The method according to claim 1, characterized in that, for each packet, the VMI attack filter looks up, by IP address and port number, the network socket that sent the packet; the process that created that socket is the sending process, and the owner of that process is the sender.
4. The method according to claim 1, characterized in that the VMI attack filter is composed of three modules: the filter kernel, the filter detector and the filter checker.
5. The method according to claim 1 or 4, characterized in that a process in a DomU issues a "send" system call; its operating system kernel passes the packet to the frontend network driver, and the frontend driver delivers the packet to the backend network driver located in the Dom0 kernel; the backend driver then invokes the filter kernel instead of the real network driver; if the filter kernel decides to reject the packet, the packet is discarded, otherwise it is passed to the filter detector; if the filter detector judges the packet to be an attack packet, it generates a new filtering policy and discards the packet; if it judges that the packet is not an attack packet, the packet is passed to the real network driver and sent onto the network.
6. The method according to claim 5, characterized in that, when the filter kernel needs information about the sender in order to decide whether to discard a packet, it invokes the filter checker located in the VMM; the filter checker issues a hypercall to the VMM that takes the ID of the source DomU and the ID of the packet header as parameters; the checker inspects the DomU, finds the sender and decides, based on the sender's information, whether to filter the packet; the hypercall then returns this decision to the filter kernel.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2012105746870A CN103023912A (en) | 2012-12-26 | 2012-12-26 | Method for preventing network attacks based on virtual machines |
Publications (1)
Publication Number | Publication Date |
---|---|
CN103023912A (en) | 2013-04-03 |
Family
ID=47972043
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2012105746870A Pending CN103023912A (en) | 2012-12-26 | 2012-12-26 | Method for preventing network attacks based on virtual machines |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103023912A (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101567787A (en) * | 2008-04-25 | 2009-10-28 | 联想(北京)有限公司 | Computer system, computer network and data communication method |
CN102129531A (en) * | 2011-03-22 | 2011-07-20 | 北京工业大学 | Xen-based active defense method |
- 2012-12-26: application CN2012105746870A filed in China (publication CN103023912A), status Pending
Non-Patent Citations (1)
Title |
---|
Tal Garfinkel et al.: "A Virtual Machine Introspection Based Architecture for Intrusion Detection", Network and Distributed System Security Symposium |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10567422B2 (en) | 2014-11-26 | 2020-02-18 | Huawei Technologies Co., Ltd. | Method, apparatus and system for processing attack behavior of cloud application in cloud computing system |
CN104732145B (en) * | 2015-03-31 | 2018-04-13 | 北京奇虎科技有限公司 | A kind of parasitic process detection method and apparatus in virtual machine |
CN104732145A (en) * | 2015-03-31 | 2015-06-24 | 北京奇虎科技有限公司 | Parasitic course detection method and device in virtual machine |
CN104917653A (en) * | 2015-06-26 | 2015-09-16 | 北京奇虎科技有限公司 | Virtual flow monitoring method based on cloud platform and device thereof |
CN105426758A (en) * | 2015-12-18 | 2016-03-23 | 北京奇虎科技有限公司 | Protection method and device for virtual machine escape |
CN105426758B (en) * | 2015-12-18 | 2018-07-27 | 北京奇虎科技有限公司 | A kind of means of defence and device of virtual machine escape |
CN105608374B (en) * | 2015-12-18 | 2019-04-19 | 北京奇虎科技有限公司 | The detection method and device of virtual machine escape |
CN107608752B (en) * | 2016-07-12 | 2020-10-16 | 中国科学院信息工程研究所 | Threat information response and disposal method and system based on virtual machine introspection |
CN107608752A (en) * | 2016-07-12 | 2018-01-19 | 中国科学院信息工程研究所 | The threat information response examined oneself based on virtual machine and method of disposal and system |
US11265291B2 (en) | 2017-08-25 | 2022-03-01 | Red Hat, Inc. | Malicious packet filtering by a hypervisor |
US10616099B2 (en) | 2017-08-28 | 2020-04-07 | Red Hat, Inc. | Hypervisor support for network functions virtualization |
CN109660535A (en) * | 2018-12-17 | 2019-04-19 | 郑州云海信息技术有限公司 | The treating method and apparatus of data in linux system |
US11709716B2 (en) | 2019-08-26 | 2023-07-25 | Red Hat, Inc. | Hardware offload support for an operating system offload interface using operation code verification |
WO2021189257A1 (en) * | 2020-03-24 | 2021-09-30 | 深圳市欢太科技有限公司 | Malicious process detection method and apparatus, electronic device, and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103023912A (en) | Method for preventing network attacks based on virtual machines | |
US10567422B2 (en) | Method, apparatus and system for processing attack behavior of cloud application in cloud computing system | |
Roschke et al. | Intrusion detection in the cloud | |
EP3014813B1 (en) | Rootkit detection by using hardware resources to detect inconsistencies in network traffic | |
US9106697B2 (en) | System and method for identifying unauthorized activities on a computer system using a data structure model | |
EP2570954B1 (en) | Method, device and system for preventing distributed denial of service attack in cloud system | |
US11012449B2 (en) | Methods and cloud-based systems for detecting malwares by servers | |
TWI453624B (en) | Information security protection host | |
CA3021285C (en) | Methods and systems for network security | |
CN111274583A (en) | Big data computer network safety protection device and control method thereof | |
CN104023034A (en) | Security defensive system and defensive method based on software-defined network | |
CN104866407A (en) | Monitoring system and method in virtual machine environment | |
Thongthua et al. | Assessment of hypervisor vulnerabilities | |
CN102624721B (en) | Feature code verification platform system and feature code verification method | |
CN104219211B (en) | The detection method and device of network security in a kind of system for cloud computing | |
CN108183884B (en) | Network attack determination method and device | |
Song et al. | Cooperation of intelligent honeypots to detect unknown malicious codes | |
CN105704087A (en) | Device for realizing network security management based on virtualization and management method | |
Roschke et al. | An advanced IDS management architecture | |
Chouhan et al. | Network based malware detection within virtualised environments | |
Wang et al. | TVIDS: Trusted virtual IDS with SGX | |
CN115549950A (en) | Safety protection system of industrial control equipment based on virtualization | |
US12067415B1 (en) | Automatic receive side scaling configuration | |
Carter | Security Analysis of a Beckhoff CX-9020 Programmable Logic Controller | |
CN115622808A (en) | Method, electronic device, computer readable medium for secure isolation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 2013-04-03 |