CN110765452A - Method, device, equipment and storage medium for identifying running application in virtual machine - Google Patents

Method, device, equipment and storage medium for identifying running application in virtual machine Download PDF

Info

Publication number
CN110765452A
Authority
CN
China
Prior art keywords
virtual machine
application
application program
identifying
running
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810852893.0A
Other languages
Chinese (zh)
Other versions
CN110765452B (en)
Inventor
陈晓帆
古亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd
Priority to CN201810852893.0A
Publication of CN110765452A
Application granted
Publication of CN110765452B
Legal status: Active (current)
Anticipated expiration: not listed

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/0218 Distributed architectures, e.g. distributed firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45575 Starting, stopping, suspending or resuming virtual machine instances
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances

Abstract

The invention discloses a method for identifying running applications in a virtual machine, which comprises the following steps: monitoring whether a new application program is started in the virtual machine; if so, determining the address space in which the application program runs; judging whether the address space has a bound IP and port number; and if so, identifying the application program as a legal application, otherwise identifying the application program as an illegal application falsely using a legal IP and port number. The invention also discloses a device for identifying the running application in the virtual machine, a virtualization device and a computer readable storage medium. The invention can effectively protect east-west traffic with lower performance cost under high traffic volume.

Description

Method, device, equipment and storage medium for identifying running application in virtual machine
Technical Field
The present invention relates to the field of virtualization technologies, and in particular, to a method, an apparatus, a device, and a computer-readable storage medium for identifying an application running in a virtual machine.
Background
With the development of virtualization, container and serverless technologies, the traffic models of data centers are changing: on one hand, traffic scale is increasing sharply, and on the other hand, the dominant traffic direction is gradually shifting from north-south to east-west. There is therefore a need to find a solution that can effectively protect east-west traffic at high traffic volume with low performance overhead.
The current industry solutions can be broadly categorized into the following three categories:
(1) The east-west access relation is controlled based on an ACL (access control list). ACL is a layer 3/4 protection technology and can only limit the lateral movement of malicious traffic in a data center according to the 5-tuple. ACL is simple to implement and its performance cost is low, but it has the defect of being bypassed: in essence, ACL treats the IP and port as the unique identification of a program, whereas an attacker can bypass the ACL's access control by forging the port (that is, posing as a certain legal program) and the like, obtain access to a target server and carry out subsequent attacks.
(2) East-west protection is realized based on Deep Packet Inspection (DPI). The application in east-west traffic is identified through DPI, which avoids the problem of ACL being bypassed and identifies the application accurately. It has several drawbacks: firstly, the resource and time cost is large; secondly, the application can only be identified from the first data packets of a flow, so detection can only happen after the attack has occurred, and no protection can be provided before the attack occurs.
(3) East-west protection is performed based on a terminal security agent. The application can be identified from the perspective of both traffic and application behavior, and in theory advance protection can be achieved. However, the agent needs to be deployed on the host, and when the host is compromised, the agent is also likely to be compromised, and may even be used to disrupt the whole intranet security system built on the agent.
Disclosure of Invention
The invention mainly aims to provide a method, a device and equipment for identifying running applications in a virtual machine and a computer readable storage medium, and aims to solve the technical problem of how to effectively protect east-west traffic under high traffic volume with low performance overhead.
In order to achieve the above object, the present invention provides a method for identifying an application running in a virtual machine, where the method for identifying an application running in a virtual machine includes the following steps:
monitoring whether a new application program is started in the virtual machine;
if so, determining the address space in which the application program runs;
judging whether the address space has bound IP and port number;
and if so, identifying the application program as legal application, otherwise, identifying the application program as illegal application falsely using legal IP and port numbers.
Optionally, the monitoring whether a new application program is started in the virtual machine includes:
monitoring whether the virtual machine executes a syscall instruction or a sysenter instruction to carry out a system call;
if yes, judging whether the system call is an execute system call;
and if the system call is the execute system call, determining that a new application program is started in the current virtual machine.
Optionally, the monitoring whether there is a new application program started in the virtual machine further includes:
intercepting address space switching operation in the virtual machine so as to record each address space running in the virtual machine;
judging whether a new address space is operated in the virtual machine or not;
and if so, determining that a new application program is started in the current virtual machine.
Optionally, the method for identifying an application running in the virtual machine further includes:
before identifying the application running in the virtual machine, binding the address space of the legal application running in the virtual machine with the specified IP and port number.
Optionally, the method for identifying an application running in the virtual machine further includes:
before identifying the running application in the virtual machine, setting a network connection white list rule of an application program;
the network connection white list rule is used for stipulating whether an application program can operate in the virtual machine to connect to the external network or not and the IP and the port number used by the external network.
Optionally, the method for identifying an application running in the virtual machine further includes:
when an application program runs in a virtual machine, intercepting and capturing system call related to the connection of the application program and a network so as to obtain system call parameters;
and verifying the system call parameter based on the network connection white list rule so as to identify whether the application program conforms to the network connection white list rule.
Optionally, the method for identifying an application running in the virtual machine further includes:
when illegal application which falsely uses legal IP and port numbers is identified, issuing a temporary access control list strategy to a distributed firewall so that the distributed firewall can intercept the illegal application;
when the application program is identified to be not in accordance with the network connection white list rule, network connection information which is not in accordance with the network connection white list rule is sent to the distributed firewall;
the distributed firewall is deployed between the virtual machine and the virtual network forwarding equipment and supports an access control list policy based on a quintuple and a security policy based on an application identifier.
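The whitelist rule and the system-call parameter verification described in the optional steps above can be made concrete as follows. This is an added example, not code from the patent or from Sangfor: it assumes a 64-bit Linux guest (connect and bind syscall numbers 42 and 49), decodes the raw `struct sockaddr_in` argument the hypervisor would capture at the intercepted call, and checks it against a per-application rule stating whether the application may reach the external network and with which IP and port. The rule table, the intercepted calls and the `verify_syscall`/`audit` helpers are constructed for illustration; records that fail verification are what would be forwarded to the distributed firewall.

```python
import socket
import struct

# x86-64 Linux syscall numbers for the network-connection calls that are
# intercepted (assumption for this example: a 64-bit Linux guest).
SYS_CONNECT = 42
SYS_BIND = 49
AF_INET = 2

# Network connection whitelist rule per application (constructed sample):
# whether the application may connect to the external network at all, and
# which (IP, port) pairs it may use.
WHITELIST = {
    "web":   {"external_allowed": True,  "endpoints": {("10.0.0.9", 5432)}},
    "batch": {"external_allowed": False, "endpoints": set()},
}


def make_sockaddr_in(ip, port):
    """Build the 16-byte struct sockaddr_in a guest passes to connect/bind."""
    return (struct.pack("<H", AF_INET)       # sin_family, host byte order on x86
            + struct.pack("!H", port)        # sin_port, network byte order
            + socket.inet_aton(ip)           # sin_addr, network byte order
            + b"\x00" * 8)                   # sin_zero padding


def parse_sockaddr_in(buf):
    """Decode the captured sockaddr argument into (ip, port).

    Anything that is not a well-formed AF_INET address raises ValueError so the
    caller can treat it as not conforming rather than silently allowing it."""
    if len(buf) < 8:
        raise ValueError("sockaddr_in too short")
    family = struct.unpack("<H", buf[:2])[0]
    if family != AF_INET:
        raise ValueError("unsupported address family %d" % family)
    port = struct.unpack("!H", buf[2:4])[0]
    ip = socket.inet_ntoa(buf[4:8])
    return ip, port


def verify_syscall(app, nr, sockaddr):
    """Check one intercepted syscall against the application's whitelist rule.

    Returns (conforms, detail); detail is the network connection information
    that would be sent to the distributed firewall when the rule is violated."""
    if nr not in (SYS_CONNECT, SYS_BIND):
        return True, None                      # not a network-connection call
    try:
        ip, port = parse_sockaddr_in(sockaddr)
    except ValueError as exc:
        return False, {"app": app, "syscall": nr, "reason": str(exc)}
    info = {"app": app, "syscall": nr, "ip": ip, "port": port}
    rule = WHITELIST.get(app)
    if rule is None:
        info["reason"] = "no whitelist rule"
        return False, info
    if not rule["external_allowed"]:
        info["reason"] = "external network not allowed"
        return False, info
    if (ip, port) not in rule["endpoints"]:
        info["reason"] = "endpoint not whitelisted"
        return False, info
    return True, None


# Constructed intercepted calls: (application, syscall number, raw sockaddr).
SAMPLE_CALLS = [
    ("web",   SYS_CONNECT, make_sockaddr_in("10.0.0.9", 5432)),   # allowed
    ("web",   SYS_CONNECT, make_sockaddr_in("10.0.0.9", 22)),     # wrong port
    ("batch", SYS_CONNECT, make_sockaddr_in("10.0.0.9", 5432)),   # no external access
    ("web",   SYS_CONNECT, struct.pack("<H", 10) + b"\x00" * 26), # AF_INET6, undecodable here
]


def audit(calls):
    """Return the violation records to forward to the distributed firewall."""
    violations = []
    for app, nr, sa in calls:
        ok, detail = verify_syscall(app, nr, sa)
        if not ok:
            violations.append(detail)
    return violations


if __name__ == "__main__":
    for v in audit(SAMPLE_CALLS):
        print(v)
```

The parser deliberately fails closed: an address family it cannot decode is reported as a violation instead of being passed through, since a rule expressed in IP and port terms cannot vouch for it.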
Further, to achieve the above object, the present invention further provides an apparatus for identifying an application running in a virtual machine, where the apparatus for identifying an application running in a virtual machine includes:
the monitoring module is used for monitoring whether a new application program is started in the virtual machine;
the determining module is used for determining the address space in which an application program runs when a new application program is started in the virtual machine;
the judging module is used for judging whether the address space has bound IP and port numbers;
and the identification module is used for identifying the application program as legal application when the address space has the bound IP and port number, and otherwise identifying the application program as illegal application falsely using the legal IP and port number.
Optionally, the monitoring module is further configured to:
monitoring whether the virtual machine executes a syscall instruction or a sysenter instruction to carry out a system call; if yes, judging whether the system call is an execute system call; if the system call is the execute system call, determining that a new application program is started in the current virtual machine; or
Intercepting address space switching operation in the virtual machine so as to record each address space running in the virtual machine; judging whether a new address space is operated in the virtual machine or not; and if so, determining that a new application program is started in the current virtual machine.
Optionally, the device for identifying an application running in the virtual machine further includes: a first setting module and/or a second setting module;
the first setting module is configured to: before identifying the running application in the virtual machine, binding the address space of the legal application running in the virtual machine with the specified IP and port number;
the second setting module is configured to: before identifying the running application in the virtual machine, setting a network connection white list rule of an application program; the network connection white list rule is used for stipulating whether an application program can operate in the virtual machine to connect to the external network or not and the IP and the port number used by the external network.
Optionally, the device for identifying the applications running in the virtual machine further includes a first processing module, and/or a second processing module, and further includes a distributed firewall;
the first processing module is configured to: when an application program runs in a virtual machine, intercepting and capturing system call related to the connection of the application program and a network so as to obtain system call parameters; verifying the system call parameter based on the network connection white list rule for identifying whether the application program conforms to the network connection white list rule;
the second processing module is configured to: when illegal application which falsely uses legal IP and port numbers is identified, issuing a temporary access control list strategy to a distributed firewall so that the distributed firewall can intercept the illegal application; when the application program is identified to be not in accordance with the network connection white list rule, network connection information which is not in accordance with the network connection white list rule is sent to the distributed firewall;
the distributed firewall is deployed between the virtual machine and the virtual network forwarding equipment and used for intercepting illegal applications falsely using legal IP and port numbers based on an access control list strategy of a quintuple and processing network connection information which does not conform to the network connection white list rule based on a security strategy of an application identifier.
To achieve the above object, the present invention further provides a virtualization device, which includes a memory, a processor, and a program for identifying applications running in a virtual machine, stored in the memory and executable on the processor, wherein the program, when executed by the processor, implements the steps of the method for identifying an application running in a virtual machine according to any one of the above items.
To achieve the above object, the present invention further provides a computer readable storage medium, on which a program for identifying applications running in a virtual machine is stored, and the program, when executed by a processor, implements the steps of the method for identifying an application running in a virtual machine according to any one of the above items.
In the invention, in order to prevent an illegal application from falsifying an IP and port number in order to pose as a legal application, the address space in which the legal application program runs is bound with the IP and port number in advance so as to accurately identify the application program running in the virtual machine: if the application program newly started in the current virtual machine has the bound IP and port number, the application program is identified as a legal application; otherwise, the application program is identified as an illegal application falsely using the legal IP and port number. The invention can accurately identify illegal applications falsely using legal IP and port numbers with lower performance overhead under high traffic volume, thereby realizing effective protection of east-west traffic.
Drawings
FIG. 1 is a schematic structural diagram of a hardware operating environment of a device according to an embodiment of a virtualization device of the present invention;
FIG. 2 is a flowchart illustrating a first embodiment of a method for identifying an application running in a virtual machine according to the present invention;
FIG. 3 is a flowchart illustrating a second embodiment of a method for identifying an application running in a virtual machine according to the present invention;
FIG. 4 is a functional block diagram of a first embodiment of an apparatus for identifying applications running in a virtual machine according to the present invention;
FIG. 5 is a functional block diagram of a second embodiment of the apparatus for identifying an application running in a virtual machine according to the present invention;
FIG. 6 is a functional block diagram of a third embodiment of the apparatus for identifying an application running in a virtual machine according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The invention provides a virtualization device.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a device hardware operating environment according to an embodiment of the virtualization device of the present invention.
The virtualization device of the embodiment of the invention can be a computer, a server and other devices.
As shown in fig. 1, the virtualization apparatus may include: a processor 1001, such as a CPU, a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to enable communication between these components. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard), and optionally may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a memory device separate from the processor 1001 described above.
Those skilled in the art will appreciate that the hardware configuration of the virtualization apparatus shown in fig. 1 does not constitute a limitation of the virtualization apparatus, and may include more or fewer components than those shown, or some components in combination, or a different arrangement of components.
As shown in fig. 1, the memory 1005, which is a kind of computer-readable storage medium, may include an operating system, a network communication module, a user interface module, and a program for identifying applications running in a virtual machine. The operating system is a program for managing and controlling the virtualization equipment and software resources, and supports the operation of the network communication module, the user interface module, the application identification program and other programs or software; the network communication module is used to manage and control the network interface 1004; the user interface module is used to manage and control the user interface 1003.
In the hardware structure of the virtualization device shown in fig. 1, the network interface 1004 is mainly used for connecting to a system background and performing data communication with the system background; the user interface 1003 is mainly used for connecting a client (user side) and performing data communication with the client; the virtualization device calls, through the processor 1001, the application recognition program running in the virtual machine stored in the memory 1005, and performs the following operations:
monitoring whether a new application program is started in the virtual machine;
if so, determining the address space in which the application program runs;
judging whether the address space has bound IP and port number;
and if so, identifying the application program as legal application, otherwise, identifying the application program as illegal application falsely using legal IP and port numbers.
Further, the virtualization device, by the processor 1001 calling the in-virtual-machine-running-application recognition program stored in the memory 1005, further performs the following operations:
monitoring whether the virtual machine executes a syscall instruction or a sysenter instruction to carry out a system call;
if yes, judging whether the system call is an execute system call;
and if the system call is the execute system call, determining that a new application program is started in the current virtual machine.
Further, the virtualization device, by the processor 1001 calling the in-virtual-machine-running-application recognition program stored in the memory 1005, further performs the following operations:
intercepting address space switching operation in the virtual machine so as to record each address space running in the virtual machine;
judging whether a new address space is operated in the virtual machine or not;
and if so, determining that a new application program is started in the current virtual machine.
Further, the virtualization device, by the processor 1001 calling the in-virtual-machine-running-application recognition program stored in the memory 1005, further performs the following operations:
before identifying the application running in the virtual machine, binding the address space of the legal application running in the virtual machine with the specified IP and port number.
Further, the virtualization device, by the processor 1001 calling the in-virtual-machine-running-application recognition program stored in the memory 1005, further performs the following operations:
before identifying the running application in the virtual machine, setting a network connection white list rule of an application program;
the network connection white list rule is used for stipulating whether an application program can operate in the virtual machine to connect to the external network or not and the IP and the port number used by the external network.
Further, the virtualization device, by the processor 1001 calling the in-virtual-machine-running-application recognition program stored in the memory 1005, further performs the following operations:
when an application program runs in a virtual machine, intercepting and capturing system call related to the connection of the application program and a network so as to obtain system call parameters;
and verifying the system call parameter based on the network connection white list rule so as to identify whether the application program conforms to the network connection white list rule.
Further, the virtualization device, by the processor 1001 calling the in-virtual-machine-running-application recognition program stored in the memory 1005, further performs the following operations:
when illegal application which falsely uses legal IP and port numbers is identified, issuing a temporary access control list strategy to a distributed firewall so that the distributed firewall can intercept the illegal application;
when the application program is identified to be not in accordance with the network connection white list rule, network connection information which is not in accordance with the network connection white list rule is sent to the distributed firewall;
the distributed firewall is deployed between the virtual machine and the virtual network forwarding equipment and supports an access control list policy based on a quintuple and a security policy based on an application identifier.
Based on the hardware structure of the virtualization device, the following embodiments of the method for identifying an application running in a virtual machine according to the present invention are provided.
Referring to fig. 2, fig. 2 is a flowchart illustrating a method for identifying an application running in a virtual machine according to a first embodiment of the present invention. In this embodiment, the method for identifying an application running in a virtual machine includes the following steps:
step S110, monitoring whether a new application program is started in the virtual machine;
East-west traffic is the traffic internal to the data center, that is, the traffic generated by the application programs running in the data center's virtual machines. In order to monitor east-west traffic, this embodiment needs to monitor whether a new application program is started in the virtual machine and then identify that application program, so as to realize early discovery and early interception of malicious traffic.
Optionally, in an embodiment, an implementation manner of monitoring whether there is a new application program started in the virtual machine includes:
the first method is as follows: application starting in a virtual machine is intercepted by intercepting an execute system call, and the specific implementation process is as follows:
1. monitoring whether the virtual machine executes a syscall instruction or a sysester instruction to carry out system call;
2. if yes, judging whether the system call is an execute system call;
3. and if the application program is the execute system call, determining that a new application program is started in the current virtual machine.
In the method, a syscall instruction or a sysester instruction running in a virtual machine is intercepted through a hardware virtualization technology; once the virtual machine executes the syscall instruction or the sysester instruction to perform system call, the system call is intercepted, whether the system call is an execute system call or not is judged according to the system call number stored in the register, and if the system call is the execute system call, a new application program is determined to be started currently.
The second method comprises the following steps: intercepting the address space switching operation in the virtual machine, wherein the specific implementation process comprises the following steps:
1. intercepting address space switching operation in the virtual machine so as to record each address space running in the virtual machine;
2. judging whether a new address space is operated in the virtual machine or not;
3. and if so, determining that a new application program is started in the current virtual machine.
In this method, each application program in the operating system generally runs in its own address space, and once a new application program is executed, a new address space is created. Therefore, the address space switching in the virtual machine is intercepted, for example by intercepting the mov-to-cr3 instruction through hardware virtualization, so that each address space running in the virtual machine is recorded; once the virtual machine is found to be running a new address space, it can be determined that a new application program has been started in the virtual machine.
Step S120, if so, determining the address space in which the application program runs; otherwise, taking no action;
An address space is the set of addresses that a process can use to address memory. Each process has its own address space, and this address space is independent of the address spaces of other processes. In general, in an operating system each application program is allocated an address space and runs only in its own address space, so the application programs running in the virtual machine can be accurately identified by marking their address spaces. If it is monitored that a new application program has been started in the virtual machine, the base address of the process can be acquired through the process ID, and the address space of the process corresponding to the running application program is thereby determined.
Step S130, judging whether the address space has bound IP and port number;
step S140, if yes, identifying the application program as legal application;
and step S150, if not, identifying the application program as illegal application falsely using legal IP and port numbers.
The embodiment specifically realizes the marking of the address space by binding the address space with the IP and the port number, so as to accurately identify the application program running in the virtual machine, and if the address space corresponding to the application program currently running in the virtual machine has the bound IP and port number, the application program is identified as a legal application, otherwise, the application program is identified as an illegal application falsely using the legal IP and port number.
Optionally, in an embodiment, before identifying the application running in the virtual machine, the address space of the legitimate application running in the virtual machine is bound to the specified IP and port number, so that an attacker cannot bind to the corresponding IP + port combination through another program, and thus a malicious program cannot access important virtual machine resources in the data center by impersonating a process.
Optionally, in an embodiment, when an illegal application falsifying a legal IP and a port number is identified, a temporary access control list policy is issued to the distributed firewall to allow the distributed firewall to intercept the illegal application, and after the interception is successful, that is, when a data packet is sent by switching back to a legal program, the temporary access control list policy is cancelled to allow legal traffic to pass. The method can realize the flow protection of the application layer in the east-west direction.
In the embodiment, in order to prevent illegal applications from falsifying an IP and a port number to achieve the purpose of falsely using legal applications, the address space in which the legal application program runs is bound with the IP and the port number in advance so as to accurately identify the application program running in the virtual machine, if the application program newly started in the current virtual machine has the bound IP and port number, the application program is identified as legal applications, and otherwise, the application program is identified as illegal applications falsely using the legal IP and the port number. The embodiment can accurately identify illegal application falsifying legal IP and port numbers with lower performance overhead under large flow, and further realize effective protection on east-west flow.
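As an added illustration (not code from the patent or its assignee), the following C program simulates steps S110 to S150 from the hypervisor's point of view with synthetic VM exits: the execve-based and the mov-to-cr3-based start-up detection, the record of address spaces seen so far, and the check for a bound IP and port. The VM exit structure, the binding table, the x86-64 execve system call number and the 10.0.0.5:8080 binding are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed simulation of steps S110 to S150 as seen from the hypervisor.
 * The VM exits below are synthetic; a real monitor would receive them from the
 * hardware virtualization layer (syscall/sysenter trapping, CR3-load exiting).
 * Type and function names are hypothetical, not the patent's. */

#define NR_EXECVE  59   /* execve system call number on x86-64 Linux */
#define MAX_SPACES 64

enum exit_kind { EXIT_SYSCALL, EXIT_MOV_CR3 };

struct vm_exit {
    enum exit_kind kind;
    uint64_t nr;    /* system call number read from RAX (EXIT_SYSCALL) */
    uint64_t cr3;   /* page-table base being loaded (EXIT_MOV_CR3) */
};

/* Binding of a legitimate application's address space to its IP:port,
 * registered before identification starts (host-order IPv4). */
struct binding { uint64_t cr3; uint32_t ip; uint16_t port; };

struct monitor {
    uint64_t seen[MAX_SPACES];   /* address spaces already recorded */
    size_t nseen;
    const struct binding *bind;  /* binding table */
    size_t nbind;
};

enum verdict { V_NOT_NEW = 0, V_LEGIT = 1, V_ILLEGAL = 2 };

static bool space_known(const struct monitor *m, uint64_t cr3) {
    for (size_t i = 0; i < m->nseen; i++)
        if (m->seen[i] == cr3) return true;
    return false;
}

/* Method one of S110: an intercepted system call whose number is execve
 * means a new program is being started. */
bool new_app_by_syscall(const struct vm_exit *e) {
    return e->kind == EXIT_SYSCALL && e->nr == NR_EXECVE;
}

/* Method two of S110: record every CR3 value loaded; a value never seen
 * before is a new address space and therefore a new application. */
bool new_app_by_cr3(struct monitor *m, const struct vm_exit *e) {
    if (e->kind != EXIT_MOV_CR3 || space_known(m, e->cr3)) return false;
    if (m->nseen < MAX_SPACES) m->seen[m->nseen++] = e->cr3;
    return true;
}

/* S130: look up whether the address space carries a bound IP and port. */
const struct binding *find_binding(const struct monitor *m, uint64_t cr3) {
    for (size_t i = 0; i < m->nbind; i++)
        if (m->bind[i].cr3 == cr3) return &m->bind[i];
    return NULL;
}

/* One mov-to-cr3 exit through S110 -> S120 -> S130 -> S140/S150. */
enum verdict classify_cr3_exit(struct monitor *m, const struct vm_exit *e) {
    if (!new_app_by_cr3(m, e)) return V_NOT_NEW;          /* S120: not processed */
    return find_binding(m, e->cr3) ? V_LEGIT : V_ILLEGAL; /* S140 / S150 */
}

/* Constructed scenario: the bound web server's address space (0x1000) is
 * scheduled twice, then an unbound address space (0x2000) appears. Returns the
 * number of exits classified as an illegitimate application (expected: 1). */
int demo_run(void) {
    static const struct binding table[] = { { 0x1000, 0x0A000005u, 8080 } }; /* 10.0.0.5:8080 */
    struct monitor m = { .nseen = 0, .bind = table, .nbind = 1 };
    const struct vm_exit trace[] = {
        { EXIT_MOV_CR3, 0, 0x1000 },     /* legitimate app first seen: bound */
        { EXIT_SYSCALL, 1, 0 },          /* unrelated system call */
        { EXIT_MOV_CR3, 0, 0x1000 },     /* same address space: nothing new */
        { EXIT_SYSCALL, NR_EXECVE, 0 },  /* execve: a new program is starting */
        { EXIT_MOV_CR3, 0, 0x2000 },     /* new address space with no binding */
    };
    int illegal = 0;
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        if (new_app_by_syscall(&trace[i]))
            printf("execve intercepted: new application starting\n");
        enum verdict v = classify_cr3_exit(&m, &trace[i]);
        if (v == V_ILLEGAL) illegal++;
        if (v != V_NOT_NEW)
            printf("cr3=%#llx -> %s\n", (unsigned long long)trace[i].cr3,
                   v == V_LEGIT ? "legitimate (bound IP:port)"
                                : "illegitimate (no binding)");
    }
    return illegal;
}

int main(void) { return demo_run() == 1 ? 0 : 1; }
```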
Referring to fig. 3, fig. 3 is a flowchart of a method for identifying an application running in a virtual machine according to a second embodiment of the present invention. In this embodiment, the method for identifying an application running in a virtual machine further includes:
Step S210, before identifying the application running in the virtual machine, setting a network connection whitelist rule for the application program;
In this embodiment, to protect east-west traffic at the network layer and the transport layer, the network connection whitelist rule of the application program is set when the service is deployed. The rule specifies whether the application running in the virtual machine may connect to the external network, and which external IP and port number it may use.
Step S220, when the application program runs in the virtual machine, intercepting the system calls by which the application program connects to the network, so as to obtain the system call parameters;
Step S230, verifying the system call parameters against the network connection whitelist rule, so as to identify whether the application program conforms to the rule.
After an application program starts running in the virtual machine, the system calls related to its network connections are intercepted, for example the socket system calls; the system call parameters are verified, and any network connection information that does not conform to the whitelist rule, such as an application type or port not permitted by the rule, is sent to the distributed firewall for processing.
Optionally, in an embodiment, when the application program is found not to conform to the network connection whitelist rule, the non-conforming network connection information is sent to the distributed firewall. In this embodiment, the distributed firewall is deployed between the virtual machine and the virtual network forwarding device, and supports an access control list policy based on the five-tuple and a security policy based on the application identifier.
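As an added illustration (not code from the patent or its assignee), the following C code covers two passages above: the whitelist verification of intercepted connection parameters in steps S210 to S230, and the temporary five-tuple access control list policy that is issued to the distributed firewall when an impersonating application is identified and cancelled once the legitimate program sends again. The rule set, the wildcard convention, the connect() parameter structure and the 10.0.0.x addresses are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example of the whitelist verification in steps S210 to S230 and
 * of the temporary five-tuple ACL handed to the distributed firewall when an
 * impersonating application is identified. Names and the wildcard convention
 * are assumptions, not the patent's. IPv4 addresses are host-order integers. */

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))
#define ANY_IP    0u    /* wildcard in a rule (assumption) */
#define ANY_PORT  0u
#define PROTO_TCP 6

/* Network connection whitelist rule, set when the service is deployed. */
struct wl_rule {
    const char *app;     /* application identifier */
    bool may_connect;    /* may this application open outbound connections? */
    uint32_t ip;         /* permitted peer IP (ANY_IP = any) */
    uint16_t port;       /* permitted peer port (ANY_PORT = any) */
};

/* Parameters captured from an intercepted connect() system call. */
struct connect_params { const char *app; uint32_t dst_ip; uint16_t dst_port; };

/* Network connection information forwarded to the distributed firewall. */
struct violation { const char *app; uint32_t dst_ip; uint16_t dst_port; const char *reason; };

/* Constructed rule set: the web tier may reach only the database, the batch
 * job may reach anything, and the agent may not connect at all. */
const struct wl_rule demo_rules[] = {
    { "web",   true,  IP4(10, 0, 0, 20), 3306 },
    { "batch", true,  ANY_IP, ANY_PORT },
    { "agent", false, ANY_IP, ANY_PORT },
};
const size_t demo_nrules = sizeof demo_rules / sizeof demo_rules[0];

/* S230: verify the captured parameters against the rules. Returns true when
 * the connection conforms; otherwise fills *v for the firewall. An application
 * without any rule is denied by default. */
bool verify_connect(const struct wl_rule *rules, size_t n,
                    const struct connect_params *p, struct violation *v) {
    const char *reason = "no whitelist rule for application";
    for (size_t i = 0; i < n; i++) {
        if (strcmp(rules[i].app, p->app) != 0) continue;
        if (!rules[i].may_connect) { reason = "application may not connect"; continue; }
        bool ip_ok   = rules[i].ip   == ANY_IP   || rules[i].ip   == p->dst_ip;
        bool port_ok = rules[i].port == ANY_PORT || rules[i].port == p->dst_port;
        if (ip_ok && port_ok) return true;   /* some rule permits this peer */
        reason = "destination IP:port not in whitelist";
    }
    *v = (struct violation){ p->app, p->dst_ip, p->dst_port, reason };
    return false;
}

/* Five-tuple ACL entry as pushed to the distributed firewall. */
struct acl5 {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t proto;
    bool active;
};

/* Issue a temporary ACL for the impersonating application's flow. */
void issue_temp_acl(struct acl5 *acl, uint32_t src_ip, uint16_t src_port,
                    uint32_t dst_ip, uint16_t dst_port, uint8_t proto) {
    *acl = (struct acl5){ src_ip, dst_ip, src_port, dst_port, proto, true };
}

/* Cancel it once the legitimate address space sends on the bound IP:port again. */
void cancel_temp_acl(struct acl5 *acl) { acl->active = false; }

/* Firewall side: a packet is dropped only while an active entry matches it. */
bool acl_drops(const struct acl5 *acl, uint32_t src_ip, uint16_t src_port,
               uint32_t dst_ip, uint16_t dst_port, uint8_t proto) {
    return acl->active && acl->src_ip == src_ip && acl->src_port == src_port &&
           acl->dst_ip == dst_ip && acl->dst_port == dst_port && acl->proto == proto;
}

/* Constructed lifecycle: the impersonator and the legitimate server share one
 * five-tuple, so the firewall alone cannot tell them apart; the monitor issues
 * the ACL while the rogue address space is active and cancels it once the
 * legitimate one is scheduled again. Returns how many of three packets drop. */
int demo_acl_lifecycle(void) {
    struct acl5 acl = { 0 };
    uint32_t src = IP4(10, 0, 0, 5), dst = IP4(10, 0, 0, 20);
    int dropped = 0;
    dropped += acl_drops(&acl, src, 8080, dst, 3306, PROTO_TCP);  /* no ACL yet */
    issue_temp_acl(&acl, src, 8080, dst, 3306, PROTO_TCP);        /* rogue identified */
    dropped += acl_drops(&acl, src, 8080, dst, 3306, PROTO_TCP);  /* dropped */
    cancel_temp_acl(&acl);                                        /* legit program back */
    dropped += acl_drops(&acl, src, 8080, dst, 3306, PROTO_TCP);  /* passes again */
    return dropped;
}
```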
Referring to fig. 4, fig. 4 is a functional module diagram of a first embodiment of an apparatus for identifying an application running in a virtual machine according to the present invention. In this embodiment, the apparatus for identifying an application running in a virtual machine includes:
a monitoring module 10, configured to monitor whether a new application program is started in the virtual machine;
In this embodiment, it is necessary to monitor whether a new application program is started in the virtual machine and then identify that application program, so that malicious traffic can be discovered and intercepted early.
Optionally, in an embodiment, the monitoring module monitors whether a new application program is started in the virtual machine in one of the following ways:
The first method intercepts application start-up in the virtual machine by intercepting the execve system call. The specific implementation process is as follows:
1. monitoring whether the virtual machine executes a syscall instruction or a sysenter instruction to make a system call;
2. if so, judging whether the system call is an execve system call;
3. if it is an execve system call, determining that a new application program has been started in the current virtual machine.
In this method, the syscall and sysenter instructions executed in the virtual machine are intercepted by means of hardware virtualization technology. Once the virtual machine executes a syscall or sysenter instruction to make a system call, the call is intercepted, and whether it is an execve system call is judged from the system call number held in the register; if it is, it is determined that a new application program is currently being started.
The second method intercepts address space switching operations in the virtual machine. The specific implementation process comprises the following steps:
1. intercepting address space switching operations in the virtual machine so as to record each address space running in the virtual machine;
2. judging whether a new address space is running in the virtual machine;
3. if so, determining that a new application program has been started in the current virtual machine.
In this method, each application program in the operating system generally runs in its own address space, and a new address space is created whenever a new application program is executed. Therefore, address space switching in the virtual machine is intercepted, for example by using hardware virtualization to trap the mov-to-cr3 instruction, so that each address space running in the virtual machine is recorded; once the virtual machine is found to be running a new address space, it can be determined that a new application program has been started in the virtual machine.
a determining module 20, configured to determine, when a new application program is started in the virtual machine, the address space in which the application program runs;
An address space is the set of addresses that a process can use to address memory. Each process has its own address space, which is independent of the address spaces of other processes. In general, an operating system allocates an address space to each application program, and the application program runs only in its own address space, so the application programs running in the virtual machine can be accurately identified by marking their address spaces. If it is detected that a new application program has been started in the virtual machine, the base address of the process can be obtained from its process ID, and the address space in which the application program runs is thereby determined.
a judging module 30, configured to judge whether the address space has a bound IP and port number;
an identifying module 40, configured to identify the application program as a legitimate application when the address space has a bound IP and port number, and otherwise to identify it as an illegitimate application impersonating a legitimate IP and port number.
This embodiment marks an address space by binding it to an IP and port number, so that the application programs running in the virtual machine can be accurately identified: if the address space corresponding to the application program currently running in the virtual machine has a bound IP and port number, the application program is identified as a legitimate application; otherwise, it is identified as an illegitimate application impersonating a legitimate IP and port number.
In this embodiment, to prevent an illegitimate application from spoofing an IP and port number in order to impersonate a legitimate application, the address space in which the legitimate application program runs is bound to the IP and port number in advance, so that the application program running in the virtual machine can be accurately identified: if the application program newly started in the current virtual machine has a bound IP and port number, it is identified as a legitimate application; otherwise, it is identified as an illegitimate application impersonating the legitimate IP and port number. This embodiment can accurately identify illegitimate applications impersonating legitimate IP and port numbers with low performance overhead under high traffic volumes, and thereby provides effective protection for east-west traffic.
Referring to fig. 5, fig. 5 is a functional module diagram of a second embodiment of the apparatus for identifying an application running in a virtual machine according to the present invention. Based on the foregoing embodiment, in this embodiment the apparatus for identifying an application running in a virtual machine further includes:
a first setting module 50, configured to bind the address space of a legitimate application running in the virtual machine to a specified IP and port number before the application running in the virtual machine is identified;
In this embodiment, the address space of the legitimate application running in the virtual machine is bound to the specified IP and port number, so that an attacker cannot bind the corresponding IP + port combination from another program, and a malicious program therefore cannot access important virtual machine resources in the data center by impersonating a process.
a second setting module 60, configured to set a network connection whitelist rule for the application program before the application running in the virtual machine is identified; the network connection whitelist rule specifies whether an application program running in the virtual machine may connect to the external network, and which external IP and port number it may use.
In this embodiment, to protect east-west traffic at the network layer and the transport layer, the network connection whitelist rule of the application program is set when the service is deployed. The rule specifies whether the application running in the virtual machine may connect to the external network, and which external IP and port number it may use.
Referring to fig. 6, fig. 6 is a functional module diagram of a third embodiment of the apparatus for identifying an application running in a virtual machine according to the present invention. Based on the foregoing embodiment, in this embodiment the apparatus for identifying an application running in a virtual machine further includes:
a first processing module 70, configured to intercept, when an application program runs in the virtual machine, the system calls by which the application program connects to the network so as to obtain the system call parameters, and to verify those parameters against the network connection whitelist rule so as to identify whether the application program conforms to the rule;
After an application program starts running in the virtual machine, the system calls related to its network connections are intercepted, for example the socket system calls; the system call parameters are verified, and any network connection information that does not conform to the whitelist rule, such as an application type or port not permitted by the rule, is sent to the distributed firewall for processing.
a second processing module 80, configured to issue a temporary access control list policy to the distributed firewall when an illegitimate application impersonating a legitimate IP and port number is identified, so that the distributed firewall intercepts that application; and to send the non-conforming network connection information to the distributed firewall when the application program is found not to conform to the network connection whitelist rule;
a distributed firewall 90, deployed between the virtual machine and the virtual network forwarding device and configured to intercept illegitimate applications impersonating legitimate IP and port numbers on the basis of a five-tuple access control list policy, and to process network connection information that does not conform to the network connection whitelist rule on the basis of an application-identifier security policy.
In this embodiment, the distributed firewall 90 is deployed between the virtual machine and the virtual network forwarding device and is distributed throughout the network, so that both east-west and north-south traffic can be filtered effectively. The five-tuple access control list policy intercepts illegitimate applications impersonating legitimate IP and port numbers and thereby protects east-west traffic at the application layer; the application-identifier security policy processes network connection information that does not conform to the network connection whitelist rule and thereby protects east-west traffic at the network layer and the transport layer.
The invention also provides a computer readable storage medium.
In this embodiment, the computer-readable storage medium stores a program for identifying an application running in a virtual machine, and when executed by a processor the program implements the steps of the method for identifying an application running in a virtual machine according to any one of the embodiments described above.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software together with a necessary general-purpose hardware platform, and can certainly also be implemented by hardware, but in many cases the former is the better implementation. On this understanding, the technical solution of the present invention may be embodied as a software product stored in a storage medium (e.g., ROM/RAM) that includes instructions for causing a terminal (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
The present invention has been described with reference to the accompanying drawings, but it is not limited to the above embodiments, which are illustrative rather than restrictive; those skilled in the art can make various changes without departing from the spirit and scope of the invention as defined by the appended claims, and all changes that come within the meaning and range of equivalency of the specification, drawings and claims are intended to be embraced therein.

Claims (13)

1. A method for identifying an application running in a virtual machine, characterized by comprising the following steps:
monitoring whether a new application program is started in the virtual machine;
if so, determining the address space in which the application program runs;
judging whether the address space has a bound IP and port number;
if so, identifying the application program as a legitimate application; otherwise, identifying the application program as an illegitimate application impersonating a legitimate IP and port number.
2. The method for identifying an application running in a virtual machine according to claim 1, wherein the monitoring whether a new application program is started in the virtual machine comprises:
monitoring whether the virtual machine executes a syscall instruction or a sysenter instruction to make a system call;
if so, judging whether the system call is an execve system call;
if it is an execve system call, determining that a new application program has been started in the current virtual machine.
3. The method for identifying an application running in a virtual machine according to claim 1, wherein the monitoring whether a new application program is started in the virtual machine further comprises:
intercepting address space switching operations in the virtual machine so as to record each address space running in the virtual machine;
judging whether a new address space is running in the virtual machine;
if so, determining that a new application program has been started in the current virtual machine.
4. The method for identifying an application running in a virtual machine according to any one of claims 1 to 3, further comprising:
before identifying the application running in the virtual machine, binding the address space of the legitimate application running in the virtual machine to a specified IP and port number.
5. The method for identifying an application running in a virtual machine according to any one of claims 1 to 3, further comprising:
before identifying the application running in the virtual machine, setting a network connection whitelist rule for the application program;
wherein the network connection whitelist rule specifies whether an application program running in the virtual machine may connect to the external network, and which external IP and port number it may use.
6. The method for identifying an application running in a virtual machine according to claim 5, further comprising:
when an application program runs in the virtual machine, intercepting the system calls by which the application program connects to the network so as to obtain the system call parameters;
verifying the system call parameters against the network connection whitelist rule so as to identify whether the application program conforms to the network connection whitelist rule.
7. The method for identifying an application running in a virtual machine according to claim 6, further comprising:
when an illegitimate application impersonating a legitimate IP and port number is identified, issuing a temporary access control list policy to a distributed firewall so that the distributed firewall intercepts the illegitimate application;
when the application program is found not to conform to the network connection whitelist rule, sending the non-conforming network connection information to the distributed firewall;
wherein the distributed firewall is deployed between the virtual machine and the virtual network forwarding device and supports an access control list policy based on the five-tuple and a security policy based on the application identifier.
8. An apparatus for identifying an application running in a virtual machine, the apparatus comprising:
a monitoring module, configured to monitor whether a new application program is started in the virtual machine;
a determining module, configured to determine the address space in which an application program runs when a new application program is started in the virtual machine;
a judging module, configured to judge whether the address space has a bound IP and port number;
an identifying module, configured to identify the application program as a legitimate application when the address space has a bound IP and port number, and otherwise to identify the application program as an illegitimate application impersonating a legitimate IP and port number.
9. The apparatus for identifying an application running in a virtual machine according to claim 8, wherein the monitoring module is further configured to:
monitor whether the virtual machine executes a syscall instruction or a sysenter instruction to make a system call; if so, judge whether the system call is an execve system call; and if it is an execve system call, determine that a new application program has been started in the current virtual machine; or
intercept address space switching operations in the virtual machine so as to record each address space running in the virtual machine; judge whether a new address space is running in the virtual machine; and if so, determine that a new application program has been started in the current virtual machine.
10. The apparatus for identifying an application running in a virtual machine according to claim 8, further comprising a first setting module and/or a second setting module;
the first setting module is configured to bind, before the application running in the virtual machine is identified, the address space of the legitimate application running in the virtual machine to a specified IP and port number;
the second setting module is configured to set, before the application running in the virtual machine is identified, a network connection whitelist rule for the application program, the rule specifying whether an application program running in the virtual machine may connect to the external network, and which external IP and port number it may use.
11. The apparatus according to claim 10, further comprising a first processing module and/or a second processing module, and a distributed firewall;
the first processing module is configured to intercept, when an application program runs in the virtual machine, the system calls by which the application program connects to the network so as to obtain the system call parameters, and to verify the system call parameters against the network connection whitelist rule so as to identify whether the application program conforms to the network connection whitelist rule;
the second processing module is configured to issue a temporary access control list policy to the distributed firewall when an illegitimate application impersonating a legitimate IP and port number is identified, so that the distributed firewall intercepts the illegitimate application, and to send the non-conforming network connection information to the distributed firewall when the application program is found not to conform to the network connection whitelist rule;
the distributed firewall is deployed between the virtual machine and the virtual network forwarding device and is configured to intercept illegitimate applications impersonating legitimate IP and port numbers on the basis of a five-tuple access control list policy, and to process network connection information that does not conform to the network connection whitelist rule on the basis of an application-identifier security policy.
12. A virtualization device comprising a memory, a processor, and a program for identifying an application running in a virtual machine, stored in the memory and executable on the processor, the program when executed by the processor implementing the steps of the method for identifying an application running in a virtual machine according to any one of claims 1 to 7.
13. A computer-readable storage medium having stored thereon a program for identifying an application running in a virtual machine, the program when executed by a processor implementing the steps of the method for identifying an application running in a virtual machine according to any one of claims 1 to 7.
CN201810852893.0A 2018-07-27 2018-07-27 Method, device, equipment and storage medium for identifying running application in virtual machine Active CN110765452B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810852893.0A CN110765452B (en) 2018-07-27 2018-07-27 Method, device, equipment and storage medium for identifying running application in virtual machine

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810852893.0A CN110765452B (en) 2018-07-27 2018-07-27 Method, device, equipment and storage medium for identifying running application in virtual machine

Publications (2)

Publication Number Publication Date
CN110765452A true CN110765452A (en) 2020-02-07
CN110765452B CN110765452B (en) 2023-09-08

Family

ID=69328945

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810852893.0A Active CN110765452B (en) 2018-07-27 2018-07-27 Method, device, equipment and storage medium for identifying running application in virtual machine

Country Status (1)

Country Link
CN (1) CN110765452B (en)


Also Published As

Publication number Publication date
CN110765452B (en) 2023-09-08


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant