CN110765452B - Method, device, equipment and storage medium for identifying running application in virtual machine - Google Patents


Info

Publication number: CN110765452B
Application number: CN201810852893.0A
Authority: CN (China)
Legal status: Active (application granted)
Other versions: CN110765452A
Other languages: Chinese (zh)
Prior art keywords: virtual machine, application, application program, running, network connection
Inventors: 陈晓帆, 古亮
Original assignee: Sangfor Technologies Co Ltd
Current assignee: Sangfor Technologies Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; interpretation; software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45575 Starting, stopping, suspending or resuming virtual machine instances
    • G06F2009/45595 Network integration; enabling network access in virtual machine instances
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/0218 Distributed architectures, e.g. distributed firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP address or URL
    • H04L63/10 Network architectures or network communication protocols for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Abstract

The invention discloses a method for identifying the applications running in a virtual machine, comprising the following steps: monitoring whether a new application program has been started in the virtual machine; if so, determining the address space in which the application program runs; judging whether that address space has a bound IP address and port number; if it does, identifying the application program as a legitimate application, and otherwise identifying it as an illegitimate application impersonating a legitimate IP address and port number. The invention also discloses a device for identifying the applications running in a virtual machine, a virtualization device and a computer-readable storage medium. The invention can effectively protect east-west traffic at high traffic volumes with low performance overhead.

Description

Method, device, equipment and storage medium for identifying running application in virtual machine
Technical Field
The present invention relates to the field of virtualization technology, and in particular to a method, an apparatus, a device and a computer-readable storage medium for identifying the applications running in a virtual machine.
Background
With the development of virtualization, containers and serverless technology, the traffic model of data centers has changed: on the one hand, traffic volume has grown rapidly; on the other hand, the dominant traffic direction has gradually shifted from north-south to east-west. There is therefore a need for a solution that can effectively protect east-west traffic at high traffic volumes with low performance overhead.
Current industry solutions fall broadly into three categories:
(1) Controlling east-west access relationships with ACL (access control list) technology. An ACL is a layer 3/4 protection technique that can only restrict the lateral movement of malicious traffic in the data center according to the 5-tuple. ACLs are simple to implement and cheap in performance, but they can be bypassed. The root cause is that an ACL treats the IP address and port as the unique identity of a program, whereas an attacker can evade the access control by forging the port (that is, making a malicious program appear as the legitimate program on that port), gain access to the target server and carry out follow-on attacks.
(2) East-west protection based on DPI (deep packet inspection). Identifying the application in east-west traffic through DPI avoids the ACL bypass problem and identifies applications accurately. It has several drawbacks: first, the resource and time cost is high; second, an application can only be identified from the first few packets of a flow, so an attack can only be detected after it has started rather than prevented before it starts.
(3) East-west protection based on an endpoint security agent. The application can be identified from both its traffic and its behaviour, and in theory protection can be applied in advance. But agents must be deployed on the hosts; once a host is compromised, its agent is likely to be compromised as well, and may even be used to disrupt the whole intranet security system built on those agents.
Disclosure of Invention
The main object of the present invention is to provide a method, an apparatus, a device and a computer-readable storage medium for identifying the applications running in a virtual machine, so as to solve the technical problem of effectively protecting east-west traffic at high traffic volumes with low performance overhead.
To achieve the above object, the present invention provides a method for identifying the applications running in a virtual machine, comprising the following steps:
monitoring whether a new application program has been started in the virtual machine;
if so, determining the address space in which the application program runs;
judging whether that address space has a bound IP address and port number;
if it does, identifying the application program as a legitimate application, and otherwise identifying it as an illegitimate application impersonating a legitimate IP address and port number.
Optionally, monitoring whether a new application program has been started in the virtual machine includes:
monitoring whether the virtual machine executes a syscall or sysenter instruction to make a system call;
if so, judging whether the system call is an execve system call;
and if it is an execve system call, determining that a new application program has been started in the current virtual machine.
Optionally, monitoring whether a new application program has been started in the virtual machine further includes:
intercepting address-space switching operations in the virtual machine so as to record every address space running in the virtual machine;
judging whether a new address space is running in the virtual machine;
if so, determining that a new application program has been started in the current virtual machine.
Optionally, the method for identifying the applications running in a virtual machine further comprises the following step:
before identifying the applications running in the virtual machine, binding the address space of each legitimate application running in the virtual machine to its designated IP address and port number.
Optionally, the method further comprises the following steps:
before identifying the applications running in the virtual machine, setting a network-connection whitelist rule for the application program;
the network-connection whitelist rule specifies whether an application program running in the virtual machine may connect to the external network, and which IP address and port number it may use for such connections.
Optionally, the method further comprises the following steps:
while an application program is running in the virtual machine, intercepting its system calls related to network connections so as to obtain the system-call parameters;
and verifying the system-call parameters against the network-connection whitelist rule to identify whether the application program complies with it.
Optionally, the method further comprises the following steps:
when an illegitimate application using a legitimate IP address and port number is identified, issuing a temporary access-control-list policy to the distributed firewall so that the distributed firewall can intercept the illegitimate application;
when the application program is identified as not complying with the network-connection whitelist rule, sending the non-compliant network-connection information to the distributed firewall;
the distributed firewall is deployed between the virtual machine and the virtual network forwarding device, and supports both 5-tuple access-control-list policies and application-identification-based security policies.
Further, to achieve the above object, the present invention also provides an apparatus for identifying the applications running in a virtual machine, comprising:
a monitoring module for monitoring whether a new application program has been started in the virtual machine;
a determining module for determining, when a new application program has been started in the virtual machine, the address space in which it runs;
a judging module for judging whether that address space has a bound IP address and port number;
and an identification module for identifying the application program as a legitimate application when the address space has a bound IP address and port number, and otherwise as an illegitimate application impersonating a legitimate IP address and port number.
Optionally, the monitoring module is further configured to:
monitor whether the virtual machine executes a syscall or sysenter instruction to make a system call; if so, judge whether the system call is an execve system call; and if it is, determine that a new application program has been started in the current virtual machine; or
intercept address-space switching operations in the virtual machine so as to record every address space running in it; judge whether a new address space is running in the virtual machine; and if so, determine that a new application program has been started in the current virtual machine.
Optionally, the apparatus further comprises a first setting module and/or a second setting module;
the first setting module is configured to bind, before the applications running in the virtual machine are identified, the address space of each legitimate application running in the virtual machine to its designated IP address and port number;
the second setting module is configured to set, before the applications running in the virtual machine are identified, a network-connection whitelist rule for the application program; the rule specifies whether an application program running in the virtual machine may connect to the external network, and which IP address and port number it may use for such connections.
Optionally, the apparatus further comprises a first processing module and/or a second processing module, and further comprises a distributed firewall;
the first processing module is configured to intercept, while an application program runs in the virtual machine, its system calls related to network connections so as to obtain the system-call parameters, and to verify those parameters against the network-connection whitelist rule to identify whether the application program complies with it;
the second processing module is configured to issue a temporary access-control-list policy to the distributed firewall when an illegitimate application using a legitimate IP address and port number is identified, so that the distributed firewall can intercept it, and to send the non-compliant network-connection information to the distributed firewall when the application program is identified as not complying with the network-connection whitelist rule;
the distributed firewall is deployed between the virtual machine and the virtual network forwarding device, intercepts illegitimate applications using legitimate IP addresses and port numbers on the basis of 5-tuple access-control-list policies, and handles network-connection information that does not comply with the whitelist rule on the basis of application-identification security policies.
To achieve the above object, the present invention also provides a virtualization device comprising a memory, a processor, and an in-virtual-machine running-application identification program stored in the memory and executable on the processor; when the program is executed by the processor, it implements the method for identifying the applications running in a virtual machine described above.
To achieve the above object, the present invention also provides a computer-readable storage medium storing an in-virtual-machine running-application identification program which, when executed by a processor, implements the steps of any of the methods for identifying the applications running in a virtual machine described above.
In the invention, to prevent an illegitimate application from forging an IP address and port number in order to impersonate a legitimate application, the address space in which each legitimate application program runs is bound in advance to its IP address and port number, so that the application programs running in the virtual machine can be identified accurately: if a newly started application program in the virtual machine has a bound IP address and port number it is identified as a legitimate application, otherwise it is identified as an illegitimate application impersonating a legitimate IP address and port number. The invention can accurately identify illegitimate applications that misuse legitimate IP addresses and port numbers at high traffic volumes with low performance overhead, and thereby protect east-west traffic effectively.
Drawings
FIG. 1 is a schematic diagram of a device hardware operating environment according to an embodiment of the virtualized device of the invention;
FIG. 2 is a flowchart illustrating a first embodiment of a method for identifying an application running in a virtual machine according to the present invention;
FIG. 3 is a flowchart illustrating a second embodiment of a method for identifying an application running in a virtual machine according to the present invention;
FIG. 4 is a schematic diagram of a functional module of a first embodiment of an apparatus for identifying an application running in a virtual machine according to the present invention;
FIG. 5 is a schematic diagram of a functional module of a second embodiment of an apparatus for identifying an application running in a virtual machine according to the present invention;
FIG. 6 is a schematic diagram of the functional modules of a third embodiment of an apparatus for identifying an application running in a virtual machine according to the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
The invention provides a virtualization device.
Referring to FIG. 1, FIG. 1 is a schematic structural diagram of the hardware operating environment of a virtualization device according to an embodiment of the present invention.
The virtualization device in this embodiment of the invention may be a computer, a server or a similar device.
As shown in FIG. 1, the virtualization device may include a processor 1001 such as a CPU, a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005. The communication bus 1002 provides the connections for communication between these components. The user interface 1003 may include a display and an input unit such as a keyboard, and may optionally also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (for example a Wi-Fi interface). The memory 1005 may be high-speed RAM or non-volatile memory such as disk storage, and may optionally be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the hardware architecture shown in FIG. 1 does not limit the virtualization device, which may include more or fewer components than shown, combine certain components, or arrange them differently.
As shown in FIG. 1, the memory 1005, which is a type of computer-readable storage medium, may contain an operating system, a network communication module, a user interface module and an in-virtual-machine running-application identification program. The operating system manages and controls the hardware and software resources of the virtualization device and supports the running of the network communication module, the user interface module, the identification program and other programs or software; the network communication module manages and controls the network interface 1004; the user interface module manages and controls the user interface 1003.
In the hardware structure shown in FIG. 1, the network interface 1004 is mainly used to connect to and exchange data with the system backend; the user interface 1003 is mainly used to connect to and exchange data with the client (user side); and the virtualization device calls, through the processor 1001, the in-virtual-machine running-application identification program stored in the memory 1005 to perform the following operations:
monitoring whether a new application program has been started in the virtual machine;
if so, determining the address space in which the application program runs;
judging whether that address space has a bound IP address and port number;
if it does, identifying the application program as a legitimate application, and otherwise identifying it as an illegitimate application impersonating a legitimate IP address and port number.
Further, the virtualization device calls, through the processor 1001, the in-virtual-machine running-application identification program stored in the memory 1005 to also perform the following operations:
monitoring whether the virtual machine executes a syscall or sysenter instruction to make a system call;
if so, judging whether the system call is an execve system call;
and if it is an execve system call, determining that a new application program has been started in the current virtual machine.
Further, the virtualization device calls, through the processor 1001, the in-virtual-machine running-application identification program stored in the memory 1005 to also perform the following operations:
intercepting address-space switching operations in the virtual machine so as to record every address space running in the virtual machine;
judging whether a new address space is running in the virtual machine;
if so, determining that a new application program has been started in the current virtual machine.
Further, the virtualization device calls, through the processor 1001, the in-virtual-machine running-application identification program stored in the memory 1005 to also perform the following operation:
before identifying the applications running in the virtual machine, binding the address space of each legitimate application running in the virtual machine to its designated IP address and port number.
Further, the virtualization device calls, through the processor 1001, the in-virtual-machine running-application identification program stored in the memory 1005 to also perform the following operations:
before identifying the applications running in the virtual machine, setting a network-connection whitelist rule for the application program;
the network-connection whitelist rule specifies whether an application program running in the virtual machine may connect to the external network, and which IP address and port number it may use for such connections.
Further, the virtualization device calls, through the processor 1001, the in-virtual-machine running-application identification program stored in the memory 1005 to also perform the following operations:
while an application program is running in the virtual machine, intercepting its system calls related to network connections so as to obtain the system-call parameters;
and verifying the system-call parameters against the network-connection whitelist rule to identify whether the application program complies with it.
Further, the virtualization device calls, through the processor 1001, the in-virtual-machine running-application identification program stored in the memory 1005 to also perform the following operations:
when an illegitimate application using a legitimate IP address and port number is identified, issuing a temporary access-control-list policy to the distributed firewall so that the distributed firewall can intercept the illegitimate application;
when the application program is identified as not complying with the network-connection whitelist rule, sending the non-compliant network-connection information to the distributed firewall;
the distributed firewall is deployed between the virtual machine and the virtual network forwarding device, and supports both 5-tuple access-control-list policies and application-identification-based security policies.
Based on the hardware structure of the virtualization device described above, the following embodiments of the method for identifying the applications running in a virtual machine according to the present invention are provided.
Referring to FIG. 2, FIG. 2 is a flowchart of a first embodiment of the method for identifying an application running in a virtual machine according to the present invention. In this embodiment, the method comprises the following steps:
Step S110: monitor whether a new application program has been started in the virtual machine;
East-west traffic is the traffic inside the data center, that is, the traffic of the application programs running in the data center's virtual machines. To monitor east-west traffic, this embodiment monitors whether a new application program has been started in the virtual machine and then identifies that application program, so that malicious traffic is discovered and intercepted early.
Optionally, in one embodiment, monitoring whether a new application program has been started in the virtual machine is implemented in one of the following two ways:
Mode one: intercept application starts in the virtual machine by intercepting the execve system call. The specific procedure is as follows:
1. monitor whether the virtual machine executes a syscall or sysenter instruction to make a system call;
2. if so, judge whether the system call is an execve system call;
3. if it is an execve system call, determine that a new application program has been started in the current virtual machine.
In this mode, the syscall and sysenter instructions executed in the virtual machine are intercepted through hardware virtualization technology. As soon as the virtual machine executes a syscall or sysenter instruction to make a system call it is intercepted; the system-call number held in the register (rax for syscall on x86_64, eax for sysenter on 32-bit x86) is examined to decide whether the call is execve, and if it is, a new application program is determined to have just been started. Two practical points: on Intel VT-x the syscall and sysenter instructions do not themselves cause VM exits, so the hypervisor has to provoke an exit indirectly, for example by making the instruction fault inside the guest and intercepting the resulting exception; and a monitor that checks only execve misses program starts made through execveat.
Mode two: intercept address-space switching operations in the virtual machine. The specific procedure is as follows:
1. intercept address-space switching operations in the virtual machine so as to record every address space running in the virtual machine;
2. judge whether a new address space is running in the virtual machine;
3. if so, determine that a new application program has been started in the current virtual machine.
In this mode, each application in the operating system normally runs in its own address space, and once a new application is executed a new address space is created. Therefore, address-space switches in the virtual machine are intercepted, for example by intercepting the mov-to-cr3 instruction through hardware virtualization (on Intel VT-x, the CR3-load exiting control), so that every address space running in the virtual machine is recorded; as soon as the virtual machine is found to be running an address space not seen before, it can be concluded that a new application program has been started in the virtual machine. Two caveats apply in practice: a fork() also creates a new address space without loading a new program, and page-table base values are reused after a process exits, so recorded address spaces must be retired when their process terminates.
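The following is an added example, not code from the patent, that models both monitoring modes as a detector consuming hypervisor trap events. It assumes an x86_64 Linux guest (execve is system call 59, execveat is 322), represents each VM exit as a small record, and masks the PCID and no-flush bits out of CR3 so that only the page-table base identifies an address space. The trap sequence at the end is constructed: a shell calls execve and the kernel switches to the new program's page tables before returning to user mode.

```python
"""Detecting new program starts from hypervisor traps (added example, not the
patent's code). Mode one traps syscall/sysenter and inspects the system-call
number for execve; mode two traps mov-to-cr3 and treats a page-table base never
seen before as a new address space. The events consumed here are constructed;
a real monitor would receive them from VM exits.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# x86_64 Linux system-call numbers (assumption: the guest is x86_64 Linux).
NR_EXECVE = 59
NR_EXECVEAT = 322   # execve relative to a directory fd; an execve-only filter misses it

# CR3 carries the PCID in bits 11:0 when CR4.PCIDE=1 and a no-flush hint in
# bit 63; neither identifies the address space, so keep only the physical base.
CR3_BASE_MASK = 0x000F_FFFF_FFFF_F000


def page_table_base(cr3: int) -> int:
    return cr3 & CR3_BASE_MASK


@dataclass(frozen=True)
class VmExit:
    """One trap delivered to the monitor (constructed representation)."""
    kind: str                  # "syscall" or "mov_to_cr3"
    vcpu: int
    cr3: int                   # guest CR3 at the time of the trap
    rax: Optional[int] = None  # system-call number, for kind == "syscall"


@dataclass(frozen=True)
class ProcessStart:
    address_space: int         # masked page-table base of the new program
    reason: str                # "execve" (mode one) or "new_address_space" (mode two)


class StartDetector:
    def __init__(self) -> None:
        self.known_spaces: Set[int] = set()
        self.pending_exec: Dict[int, int] = {}   # vcpu -> base at the execve trap

    def on_exit(self, ev: VmExit) -> Optional[ProcessStart]:
        base = page_table_base(ev.cr3)
        if ev.kind == "syscall":
            if ev.rax in (NR_EXECVE, NR_EXECVEAT):
                # Mode one. At the trap the caller still runs in its old address
                # space; the new image gets its own page tables inside execve, so
                # the start is reported at the next CR3 switch on this vCPU.
                # (Assumption: no context switch happens in between; a production
                # monitor would confirm by reading the guest task structure.)
                self.pending_exec[ev.vcpu] = base
            return None
        if ev.kind != "mov_to_cr3":
            return None
        first_sight = base not in self.known_spaces
        self.known_spaces.add(base)
        old = self.pending_exec.get(ev.vcpu)
        if old is not None and base != old:
            del self.pending_exec[ev.vcpu]
            return ProcessStart(base, "execve")
        if first_sight:
            # Mode two. fork() also creates a fresh address space without loading
            # a new program, so this reason is less specific than "execve".
            return ProcessStart(base, "new_address_space")
        return None

    def on_process_exit(self, cr3: int) -> None:
        """Page-table frames are reused; retire the base so a later process is seen."""
        self.known_spaces.discard(page_table_base(cr3))


def detect(events: Iterable[VmExit]) -> List[ProcessStart]:
    det = StartDetector()
    found: List[ProcessStart] = []
    for ev in events:
        hit = det.on_exit(ev)
        if hit is not None:
            found.append(hit)
    return found


# Constructed trap sequence: a shell (CR3 base 0x1000) is scheduled, calls
# execve, and the kernel switches to the new image's page tables (base 0x2000,
# shown with PCID 5 and the no-flush bit set) before returning to user mode.
SAMPLE_EVENTS = [
    VmExit("mov_to_cr3", vcpu=0, cr3=0x1000),
    VmExit("syscall", vcpu=0, cr3=0x1000, rax=NR_EXECVE),
    VmExit("mov_to_cr3", vcpu=0, cr3=0x8000_0000_0000_2005),
    VmExit("syscall", vcpu=0, cr3=0x2005, rax=0),          # read(): ignored
    VmExit("mov_to_cr3", vcpu=0, cr3=0x1000),              # back to the shell
]

if __name__ == "__main__":
    for start in detect(SAMPLE_EVENTS):
        print(f"{start.reason}: address space {start.address_space:#x}")
```

Running the sample reports the shell once, as a previously unseen address space, and the exec'd program once, attributed to execve; the later switch back to the shell produces nothing because that base is already recorded.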
Step S120: if so, determine the address space in which the application program runs; otherwise, take no action;
An address space is the set of addresses a process can use to address memory. Each process has its own address space, independent of the address spaces of other processes. Typically an operating system assigns each application an address space and the application runs only in it, so the applications running in a virtual machine can be identified accurately by marking address spaces. When a new application program is detected starting in the virtual machine, the base address of the process (on x86, the page-table base loaded into CR3) can be obtained from the process ID, and the address space of the process corresponding to the running application program is thereby determined.
Step S130: judge whether that address space has a bound IP address and port number;
Step S140: if it does, identify the application program as a legitimate application;
Step S150: if it does not, identify the application program as an illegitimate application impersonating a legitimate IP address and port number.
This embodiment marks an address space by binding it to an IP address and port number, which makes it straightforward to identify the application programs running in the virtual machine accurately: if the address space of an application program running in the virtual machine has a bound IP address and port number, the application is identified as legitimate; otherwise it is identified as an illegitimate application misusing a legitimate IP address and port number.
Optionally, in one embodiment, before the applications running in the virtual machine are identified, the address space of each legitimate application running in the virtual machine is bound to its designated IP address and port number, so that an attacker cannot bind the same IP+port combination from another program, and a malicious program therefore cannot access important virtual machine resources in the data center by impersonating a process.
Further optionally, in one embodiment, when an illegitimate application using a legitimate IP address and port number is identified, a temporary access-control-list policy is issued to the distributed firewall to intercept the illegitimate application; after the interception has succeeded, that is, once execution is observed to have switched back to the legitimate program and it is sending packets, the temporary policy is withdrawn so that legitimate traffic flows again. In this way east-west traffic protection at the application layer is achieved.
In this embodiment, to prevent an illegitimate application from forging an IP address and port number in order to impersonate a legitimate application, the address space in which each legitimate application program runs is bound in advance to its IP address and port number, so that the application programs running in the virtual machine can be identified accurately: if a newly started application program in the virtual machine has a bound IP address and port number it is identified as a legitimate application, otherwise it is identified as an illegitimate application impersonating a legitimate IP address and port number. This embodiment can accurately identify illegitimate applications impersonating legitimate IP addresses and port numbers at high traffic volumes with low performance overhead, and thereby protect east-west traffic effectively.
Referring to fig. 3, fig. 3 is a flowchart illustrating a second embodiment of a method for identifying an application running in a virtual machine according to the present invention. In this embodiment, the method for identifying a running application in a virtual machine further includes:
Step S210, before identifying the running application in the virtual machine, setting a network connection whitelist rule for the application program;
In this embodiment, in order to realize east-west traffic protection at the network layer and the transport layer, a network connection whitelist rule for the application program is set when the service is deployed. The network connection whitelist rule of the application program specifies whether the application program running in the virtual machine may connect to the external network, and the IP and port number of the external network it may connect to.
Step S220, when an application program runs in the virtual machine, intercepting the system calls related to the application program's network connections so as to obtain the system call parameters;
Step S230, verifying the system call parameters based on the network connection whitelist rule to identify whether the application program complies with the network connection whitelist rule.
After an application program starts running in the virtual machine, the system calls related to its network connections, such as the socket call, are intercepted and their parameters verified, and network connection information that does not comply with the whitelist rule, such as an application type and port that do not comply with the rule, is sent to the distributed firewall for processing.
Optionally, in an embodiment, when the application program is identified as not complying with the network connection whitelist rule, the network connection information that does not comply with the rule is issued to the distributed firewall. In this embodiment, the distributed firewall is deployed between the virtual machine and the virtual network forwarding device, and supports access control list policies based on the five-tuple and security policies based on the application identifier.
Referring to fig. 4, fig. 4 is a schematic functional block diagram of a first embodiment of an apparatus for identifying an application running in a virtual machine according to the present invention. In this embodiment, the device for identifying a running application in a virtual machine includes:
a monitoring module 10, configured to monitor whether a new application program is started in the virtual machine;
In this embodiment, it is necessary to monitor whether a new application program is started in the virtual machine and then identify that application program, so that malicious traffic can be discovered and intercepted early.
Optionally, in an embodiment, an implementation manner of the monitoring module to monitor whether a new application program is started in the virtual machine includes:
Mode one: intercepting application starts in the virtual machine by intercepting the execve system call; the specific implementation process is as follows:
1. monitoring whether the virtual machine executes a syscall instruction or a sysenter instruction to make a system call;
2. if so, judging whether the system call is an execve system call;
3. if it is an execve system call, determining that a new application program has started in the current virtual machine.
In this mode, the syscall instruction or sysenter instruction executed in the virtual machine is intercepted through hardware virtualization technology: the virtual machine is intercepted as soon as it executes the syscall or sysenter instruction to make a system call, it is then judged from the system call number stored in the register whether the call is an execve system call, and if it is, it is determined that a new application program has just started.
Mode two: intercepting address space switching operations in the virtual machine; the specific implementation process is as follows:
1. intercepting address space switching operations in the virtual machine so as to record each address space running in the virtual machine;
2. judging whether a new address space is running in the virtual machine;
3. if so, determining that a new application program has started in the current virtual machine.
In this mode, each application in the operating system typically runs in its own address space, and once a new application executes, a new address space is created. Therefore, address space switching in the virtual machine is intercepted, for example by intercepting the mov-to-cr3 instruction through hardware virtualization, so that each address space running in the virtual machine is recorded; once the virtual machine is found to be running a new address space, it can be judged that a new application program has started in the virtual machine.
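To make the two monitoring modes concrete, the following C example (added here; it is not code from the patent or from Sangfor) simulates the trap events a hypervisor would see and feeds a constructed trace of syscall/sysenter exits and mov-to-cr3 exits through mode one (execve detection by system call number) and mode two (first appearance of a CR3 value). The execve numbers are those of the Linux x86-64 and i386 ABIs; the CR3 values and the event layout are assumptions, and a real monitor would read both from the guest registers at the VM exit.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* execve system call numbers: the 64-bit syscall path (Linux x86-64 ABI)
 * uses 59, the 32-bit sysenter path (i386 ABI) uses 11. A real monitor
 * reads the number from the guest's RAX (or EAX) register at the VM exit. */
#define NR_EXECVE_X86_64 59
#define NR_EXECVE_I386   11

/* The kinds of guest events the hypervisor traps for this purpose. */
enum exit_kind {
    EXIT_SYSCALL,    /* guest executed the syscall instruction (64-bit ABI) */
    EXIT_SYSENTER,   /* guest executed the sysenter instruction (32-bit ABI) */
    EXIT_MOV_TO_CR3  /* guest loaded a new page-table base (address space switch) */
};

struct vm_exit {
    enum exit_kind kind;
    uint64_t value;  /* the system call number, or the new CR3 value */
};

/* Mode two state: every address space (CR3 value) already seen running. */
#define MAX_SPACES 64
struct space_table {
    uint64_t cr3[MAX_SPACES];
    size_t count;
};

/* Records a CR3 value; returns true only when it was not seen before.
 * Seed the table with the address spaces already running before monitoring
 * starts, or every existing process looks new; a production monitor also
 * drops entries when a space is torn down, since the base can be reused. */
bool space_record(struct space_table *t, uint64_t cr3)
{
    for (size_t i = 0; i < t->count; i++)
        if (t->cr3[i] == cr3)
            return false;
    if (t->count < MAX_SPACES)
        t->cr3[t->count++] = cr3;
    return true;
}

/* Mode one: a new application starts when the trapped system call is execve. */
bool new_app_by_syscall(const struct vm_exit *e)
{
    if (e->kind == EXIT_SYSCALL)
        return e->value == NR_EXECVE_X86_64;
    if (e->kind == EXIT_SYSENTER)
        return e->value == NR_EXECVE_I386;
    return false;
}

/* Mode two: a new application starts when the guest switches to a CR3
 * value that has never been observed before. */
bool new_app_by_cr3(struct space_table *seen, const struct vm_exit *e)
{
    if (e->kind != EXIT_MOV_TO_CR3)
        return false;
    return space_record(seen, e->value);
}

/* Counts new-application events in a trace of VM exits; mode is 1 or 2. */
size_t count_new_apps(const struct vm_exit *trace, size_t n, int mode)
{
    struct space_table seen = {0};
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (mode == 1 ? new_app_by_syscall(&trace[i])
                      : new_app_by_cr3(&seen, &trace[i]))
            hits++;
    return hits;
}

/* Constructed trace: a write syscall, an execve, three CR3 switches (the
 * third back to an already seen space) and an execve over the 32-bit path. */
const struct vm_exit sample_trace[] = {
    { EXIT_SYSCALL,    1 },
    { EXIT_SYSCALL,    NR_EXECVE_X86_64 },
    { EXIT_MOV_TO_CR3, 0x1a3000 },
    { EXIT_MOV_TO_CR3, 0x2b4000 },
    { EXIT_MOV_TO_CR3, 0x1a3000 },
    { EXIT_SYSENTER,   NR_EXECVE_I386 },
};
const size_t sample_trace_len = sizeof sample_trace / sizeof sample_trace[0];

int main(void)
{
    printf("mode one: %zu new application(s)\n",
           count_new_apps(sample_trace, sample_trace_len, 1));
    printf("mode two: %zu new application(s)\n",
           count_new_apps(sample_trace, sample_trace_len, 2));
    return 0;
}
```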
A determining module 20, configured to determine the address space in which the application program runs when a new application program has started in the virtual machine;
An address space is the set of addresses that a process can use to address memory. Each process has its own address space, independent of the address spaces of other processes. Typically, in an operating system, each application is assigned an address space and runs only in its own address space, so that applications running in a virtual machine can be accurately identified by marking the address space. If it is detected that a new application program has started in the virtual machine, the base address of the process can be obtained through the process ID, and then the address space of the process corresponding to the running application program is determined.
A judging module 30, configured to judge whether the address space has a bound IP and port number;
An identifying module 40, configured to identify the application program as a legal application when the address space has a bound IP and port number, and otherwise to identify it as an illegal application that impersonates a legal IP and port number.
This embodiment marks the address space by binding it to an IP and port number, which makes it convenient to accurately identify the application program running in the virtual machine: if the address space corresponding to the application program running in the virtual machine has a bound IP and port number, the application program is identified as a legal application; otherwise it is identified as an illegal application that uses a legal IP and port number.
In this embodiment, in order to prevent an illegal application from falsifying an IP and port number in order to impersonate a legal application, the address space in which a legal application program runs is bound to its IP and port number in advance, so that the application program running in the virtual machine can be accurately identified: if the newly started application program in the current virtual machine has a bound IP and port number, it is identified as a legal application; otherwise it is identified as an illegal application impersonating a legal IP and port number. This embodiment can accurately identify illegal applications that impersonate legal IP and port numbers at a low performance cost under heavy traffic, thereby effectively protecting east-west traffic.
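The identification steps S130 to S150 (judging module 30 and identifying module 40) and the optional temporary access control list handling described for the first embodiment, as an added C example that is not the patent's or Sangfor's code: address spaces are keyed by their CR3 value and bound in advance to an IP and port; a packet is classified by whether its sender's address space has a binding; a constructed five-tuple ACL entry is issued when an impersonating sender is seen and cancelled once the bound program sends on the same five-tuple again. The CR3 values, addresses and the ACL representation are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A legal application's address space, identified by its page-table base
 * (the CR3 value), bound in advance to the IP and port it may use. */
struct binding {
    uint64_t cr3;
    uint32_t ip;
    uint16_t port;
};

#define MAX_BINDINGS 32
struct binding_table {
    struct binding b[MAX_BINDINGS];
    size_t count;
};

/* Builds a host-order IPv4 address from its four octets. */
uint32_t ipv4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Pre-binding step (first setting module 50). A second binding of the same
 * IP+port is refused, so no other program can claim a bound combination. */
bool bind_address_space(struct binding_table *t, uint64_t cr3,
                        uint32_t ip, uint16_t port)
{
    for (size_t i = 0; i < t->count; i++)
        if (t->b[i].ip == ip && t->b[i].port == port)
            return false;
    if (t->count == MAX_BINDINGS)
        return false;
    t->b[t->count++] = (struct binding){ cr3, ip, port };
    return true;
}

/* Steps S130 to S150: legal if the address space has a bound IP and port,
 * otherwise an illegal application impersonating a legal IP and port. */
enum verdict { APP_LEGAL, APP_ILLEGAL_IMPERSONATION };

enum verdict identify_application(const struct binding_table *t, uint64_t cr3)
{
    for (size_t i = 0; i < t->count; i++)
        if (t->b[i].cr3 == cr3)
            return APP_LEGAL;
    return APP_ILLEGAL_IMPERSONATION;
}

/* Five-tuple of a packet leaving the VM, plus the address space that sent
 * it (the CR3 value active in the guest when the packet was handed over). */
struct packet {
    uint64_t cr3;
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t proto;
};

/* Temporary access control list entry issued to the distributed firewall.
 * Constructed representation; a real firewall takes it via its own API. */
struct acl_rule {
    struct packet tuple;  /* five-tuple to block; its cr3 field is ignored */
    bool active;
};

static bool same_five_tuple(const struct packet *a, const struct packet *b)
{
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip &&
           a->src_port == b->src_port && a->dst_port == b->dst_port &&
           a->proto == b->proto;
}

/* Second processing module 80: an illegal sender gets a temporary ACL on its
 * five-tuple; when a legal (bound) space sends on that tuple again the ACL
 * is cancelled so legal traffic flows. Returns the verdict for the sender. */
enum verdict handle_packet(const struct binding_table *t, struct acl_rule *acl,
                           const struct packet *p)
{
    enum verdict v = identify_application(t, p->cr3);
    if (v == APP_ILLEGAL_IMPERSONATION) {
        acl->tuple = *p;
        acl->active = true;   /* issue the temporary ACL to the firewall */
    } else if (acl->active && same_five_tuple(&acl->tuple, p)) {
        acl->active = false;  /* legal program is sending again: release */
    }
    return v;
}

int main(void)
{
    struct binding_table table = {0};
    struct acl_rule acl = {0};
    bind_address_space(&table, 0x1a3000, ipv4(10, 0, 0, 5), 8080);
    struct packet pkt = { .cr3 = 0x2b4000, .src_ip = ipv4(10, 0, 0, 5),
                          .dst_ip = ipv4(10, 0, 0, 9), .src_port = 8080,
                          .dst_port = 443, .proto = 6 };
    enum verdict v = handle_packet(&table, &acl, &pkt);
    printf("unbound sender: verdict %d, acl active %d\n", v, acl.active);
    pkt.cr3 = 0x1a3000;  /* same five-tuple, now sent by the bound space */
    v = handle_packet(&table, &acl, &pkt);
    printf("bound sender:   verdict %d, acl active %d\n", v, acl.active);
    return 0;
}
```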
Referring to fig. 5, fig. 5 is a schematic functional block diagram of a second embodiment of an apparatus for identifying an application running in a virtual machine according to the present invention. Based on the above embodiment, in this embodiment, the device for identifying a running application in a virtual machine further includes:
A first setting module 50, configured to bind the address space of a legal application running in the virtual machine to a specified IP and port number before the application running in the virtual machine is identified;
In this embodiment, the address space of a legal application running in the virtual machine is bound to a specified IP and port number, so that an attacker cannot bind the corresponding ip+port combination through another program, and thus a malicious program cannot access important virtual machine resources in the data center by impersonating a process.
A second setting module 60, configured to set a network connection whitelist rule for an application program before the application running in the virtual machine is identified; the network connection whitelist rule specifies whether the application program may connect to the external network when running in the virtual machine, and the IP and port number used for the external connection.
In this embodiment, in order to realize east-west traffic protection at the network layer and the transport layer, a network connection whitelist rule for the application program is set when the service is deployed. The network connection whitelist rule of the application program specifies whether the application program running in the virtual machine may connect to the external network, and the IP and port number of the external network it may connect to.
Referring to fig. 6, fig. 6 is a schematic functional block diagram of a third embodiment of an apparatus for identifying an application running in a virtual machine according to the present invention. Based on the above embodiment, in this embodiment, the device for identifying a running application in a virtual machine further includes:
A first processing module 70, configured to intercept the system calls related to an application program's network connections when the application program is running in the virtual machine, so as to obtain the system call parameters, and to verify the system call parameters based on the network connection whitelist rule to identify whether the application program complies with the network connection whitelist rule;
After an application program starts running in the virtual machine, the system calls related to its network connections, such as the socket call, are intercepted and their parameters verified, and network connection information that does not comply with the whitelist rule, such as an application type and port that do not comply with the rule, is sent to the distributed firewall for processing.
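The whitelist setting (second setting module 60) and the system call parameter verification (first processing module 70) above, as an added C example rather than the patent's own code: each rule records whether an application may connect out and to which IP and port; the destination recovered from an intercepted connect() call's sockaddr argument is checked against the rules for that application, and a non-compliant call yields the application type, destination and reason that would be issued to the distributed firewall. The application names, addresses and struct layouts are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define APP_NAME_LEN 32

/* Whitelist rule for one application program, set when the service is
 * deployed: whether it may connect out at all, and to which IP and port.
 * An application may have several rules, one per permitted destination. */
struct whitelist_rule {
    char app[APP_NAME_LEN];  /* application identifier, e.g. executable name */
    bool may_connect;        /* false: the application must not connect out */
    uint32_t ip;             /* permitted destination address (host order) */
    uint16_t port;           /* permitted destination port */
};

#define MAX_RULES 16
struct whitelist {
    struct whitelist_rule r[MAX_RULES];
    size_t count;
};

/* Builds a host-order IPv4 address from its four octets. */
uint32_t ipv4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Second setting module 60: records one rule at deployment time. */
bool whitelist_add(struct whitelist *w, const char *app, bool may_connect,
                   uint32_t ip, uint16_t port)
{
    if (w->count == MAX_RULES)
        return false;
    struct whitelist_rule *r = &w->r[w->count++];
    snprintf(r->app, sizeof r->app, "%s", app);
    r->may_connect = may_connect;
    r->ip = ip;
    r->port = port;
    return true;
}

/* Parameters recovered from an intercepted connect() system call: the
 * calling application and the destination taken from its sockaddr argument. */
struct connect_call {
    char app[APP_NAME_LEN];
    uint32_t dst_ip;
    uint16_t dst_port;
};

/* Network connection information issued to the distributed firewall. */
struct violation {
    char app[APP_NAME_LEN];
    uint32_t dst_ip;
    uint16_t dst_port;
    const char *reason;
};

/* First processing module 70: verifies the intercepted call against the
 * whitelist. Returns true when the call complies; otherwise fills *out for
 * the firewall. An application with no rule at all is not permitted. */
bool verify_connect(const struct whitelist *w, const struct connect_call *c,
                    struct violation *out)
{
    bool have_rule = false, may_connect = false;
    for (size_t i = 0; i < w->count; i++) {
        const struct whitelist_rule *r = &w->r[i];
        if (strcmp(r->app, c->app) != 0)
            continue;
        have_rule = true;
        if (!r->may_connect)
            continue;
        may_connect = true;
        if (r->ip == c->dst_ip && r->port == c->dst_port)
            return true;  /* destination explicitly whitelisted */
    }
    out->reason = !have_rule   ? "no whitelist rule for this application"
                : !may_connect ? "application may not connect externally"
                               : "destination IP or port not whitelisted";
    snprintf(out->app, sizeof out->app, "%s", c->app);
    out->dst_ip = c->dst_ip;
    out->dst_port = c->dst_port;
    return false;
}

int main(void)
{
    struct whitelist w = {0};
    struct violation v;
    whitelist_add(&w, "web-frontend", true, ipv4(10, 0, 1, 20), 3306);
    whitelist_add(&w, "log-agent", false, 0, 0);
    struct connect_call calls[] = {
        { "web-frontend", ipv4(10, 0, 1, 20), 3306 },  /* complies */
        { "web-frontend", ipv4(10, 0, 1, 20), 22 },    /* wrong port */
        { "log-agent", ipv4(10, 0, 1, 20), 3306 },     /* may not connect */
    };
    for (size_t i = 0; i < 3; i++)
        if (!verify_connect(&w, &calls[i], &v))
            printf("to firewall: app=%s port=%u (%s)\n",
                   v.app, (unsigned)v.dst_port, v.reason);
    return 0;
}
```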
A second processing module 80, configured to issue a temporary access control list policy to the distributed firewall when an illegal application that impersonates a legal IP and port number is identified, so that the distributed firewall intercepts the illegal application, and to issue the non-compliant network connection information to the distributed firewall when the application program is identified as not complying with the network connection whitelist rule;
A distributed firewall 90, deployed between the virtual machine and the virtual network forwarding device, and configured to intercept illegal applications that use legal IPs and port numbers based on a five-tuple access control list policy, and to process network connection information that does not comply with the network connection whitelist rule based on a security policy of the application identifier.
In this embodiment, the distributed firewall 90 is deployed between the virtual machine and the virtual network forwarding device and is distributed throughout the network, so that it can effectively filter both east-west and north-south traffic. The access control list policy based on the five-tuple can intercept illegal applications that impersonate legal IP and port numbers, realizing east-west traffic protection at the application layer; the security policy based on the application identifier processes network connection information that does not comply with the network connection whitelist rule, realizing east-west traffic protection at the network layer and the transport layer.
The invention also provides a computer readable storage medium.
In this embodiment, a computer-readable storage medium stores an in-virtual-machine running application identification program, where the in-virtual-machine running application identification program, when executed by a processor, implements the steps of the in-virtual-machine running application identification method described in any one of the embodiments above.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM), comprising instructions for causing a terminal (which may be a mobile phone, a computer, a server or a network device, etc.) to perform the method according to the embodiments of the present invention.
While the embodiments of the present invention have been described above with reference to the drawings, the present invention is not limited to the above-described embodiments, which are merely illustrative and not restrictive, and many modifications may be made thereto by those of ordinary skill in the art without departing from the spirit of the present invention and the scope of the appended claims, which are to be accorded the full scope of the present invention as defined by the following description and drawings, or by any equivalent structures or equivalent flow changes, or by direct or indirect application to other relevant technical fields.

Claims (12)

1. The method for identifying the running application in the virtual machine is characterized in that an address space of a legal application running in the virtual machine is bound with an appointed IP and a port number in advance, and the method for identifying the running application in the virtual machine comprises the following steps:
monitoring whether a new application program is started in the virtual machine;
if so, determining an address space in which the application program runs;
judging whether the address space has a bound IP and port number;
if yes, the application program is identified as legal application, otherwise, the application program is identified as illegal application which impersonates legal IP and port number.
2. The method for identifying an application running in a virtual machine according to claim 1, wherein the monitoring whether a new application launch exists in the virtual machine comprises:
monitoring whether the virtual machine executes a syscall instruction or a sysenter instruction to make a system call;
if yes, judging whether the system call is an execve system call;
if it is an execve system call, determining that a new application program has started in the current virtual machine.
3. The method for identifying an application running in a virtual machine according to claim 1, wherein the monitoring whether a new application launch exists in the virtual machine further comprises:
intercepting an address space switching operation in the virtual machine so as to record each address space running in the virtual machine;
judging whether a new address space is operated in the virtual machine;
if yes, determining that a new application program exists in the current virtual machine to start.
4. The method for identifying an in-virtual machine running application according to any one of claims 1 to 3, wherein the method for identifying an in-virtual machine running application further comprises:
before the running application in the virtual machine is identified, setting a network connection white list rule of the application program;
the network connection whitelist rule is used for specifying whether an application program can be connected to the external network and an IP and a port number used by the external network when running in the virtual machine.
5. The method for identifying an operating application in a virtual machine according to claim 4, wherein the method for identifying an operating application in a virtual machine further comprises:
when an application program runs in a virtual machine, intercepting system call related to network connection of the application program so as to obtain system call parameters;
and verifying the system call parameters based on the network connection whitelist rule to identify whether the application program accords with the network connection whitelist rule.
6. The method for identifying an operating application in a virtual machine according to claim 5, further comprising:
when illegal application using legal IP and port number is identified, a temporary access control list strategy is issued to the distributed firewall so that the distributed firewall can intercept the illegal application;
when the application program is identified to be not in accordance with the network connection white list rule, transmitting network connection information which is not in accordance with the network connection white list rule to the distributed firewall;
the distributed firewall is deployed between the virtual machine and the virtual network forwarding device, and supports access control list policies based on quintuple and security policies based on application identification.
7. An in-virtual machine running application recognition device, characterized in that the in-virtual machine running application recognition device comprises:
the monitoring module is used for monitoring whether a new application program is started in the virtual machine or not;
the determining module is used for determining an address space in which the application program runs when a new application program exists in the virtual machine and is started;
the judging module is used for judging whether the address space has the bound IP and port number;
the identification module is used for identifying the application program as legal application when the address space has the bound IP and port number, or identifying the application program as illegal application which impersonates the legal IP and port number;
the device for identifying the running application in the virtual machine further comprises a first setting module;
the first setting module is used for: and binding the address space of legal application running in the virtual machine with the appointed IP and port number in advance.
8. The in-virtual machine running application identification apparatus of claim 7, wherein the monitoring module is further to:
monitoring whether the virtual machine executes a syscall instruction or a sysenter instruction to make a system call; if yes, judging whether the system call is an execve system call; if it is an execve system call, determining that a new application program has started in the current virtual machine; or
intercepting address space switching operations in the virtual machine so as to record each address space running in the virtual machine; judging whether a new address space is running in the virtual machine; if yes, determining that a new application program has started in the current virtual machine.
9. The in-virtual-machine running application identification apparatus of claim 7, wherein the in-virtual-machine running application identification apparatus further comprises a second setting module;
the second setting module is used for: before the running application in the virtual machine is identified, setting a network connection white list rule of the application program; the network connection whitelist rule is used for specifying whether an application program can be connected to the external network and an IP and a port number used by the external network when running in the virtual machine.
10. The in-virtual machine running application identification apparatus of claim 9, wherein the in-virtual machine running application identification apparatus further comprises a first processing module, and/or a second processing module, and further comprises a distributed firewall;
the first processing module is used for: when an application program runs in a virtual machine, intercepting system call related to network connection of the application program so as to obtain system call parameters; verifying the system call parameters based on the network connection whitelist rule to identify whether the application program accords with the network connection whitelist rule;
the second processing module is used for: when illegal application using legal IP and port number is identified, a temporary access control list strategy is issued to the distributed firewall so that the distributed firewall can intercept the illegal application; when the application program is identified to be not in accordance with the network connection white list rule, transmitting network connection information which is not in accordance with the network connection white list rule to the distributed firewall;
the distributed firewall is deployed between the virtual machine and the virtual network forwarding device, and is used for intercepting illegal applications which use legal IP and port numbers based on a quintuple access control list policy and processing network connection information which does not accord with the network connection white list rule based on a security policy of application identification.
11. A virtualization device comprising a memory, a processor and an in-virtual machine running application identification program stored on the memory and operable to run on the processor, the in-virtual machine running application identification program when executed by the processor implementing the steps of the in-virtual machine running application identification method according to any one of claims 1-6.
12. A computer readable storage medium, wherein an in-virtual-machine running application identification program is stored on the computer readable storage medium, which when executed by a processor implements the steps of the in-virtual-machine running application identification method according to any one of claims 1-6.
CN201810852893.0A 2018-07-27 2018-07-27 Method, device, equipment and storage medium for identifying running application in virtual machine Active CN110765452B (en)

Publications (2)

Publication Number Publication Date
CN110765452A CN110765452A (en) 2020-02-07
CN110765452B true CN110765452B (en) 2023-09-08

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant