CN114499945A - Intrusion detection method and device for virtual machine - Google Patents

Intrusion detection method and device for virtual machine

Info

Publication number: CN114499945A
Application number: CN202111583496.6A
Authority: CN (China)
Legal status: Granted (other version: CN114499945B)
Other languages: Chinese (zh)
Prior art keywords: physical host, detection, virtual machine, end processing, module
Inventors: 辛晨, 陈川, 白雪, 郭海燕, 张钊, 冯纯刚
Current assignee: China Telecom Cloud Technology Co Ltd
Original assignee: China Telecom Cloud Technology Co Ltd

Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/14, network security: detecting or protecting against malicious traffic, by monitoring network traffic)
    • G06F9/45558 Hypervisor-specific management and integration aspects (under G06F9/455, emulation, interpretation, software simulation, e.g. virtualisation; G06F9/45533 hypervisors and virtual machine monitors)
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F2009/45591 Monitoring or debugging support
    • G06F2009/45595 Network integration; enabling network access in virtual machine instances


Abstract

An intrusion detection method and device for a virtual machine are provided to solve the problems of easy false detection and complexity in virtual machine intrusion detection in the prior art. The method can be applied to a first physical host that virtualizes at least one virtual machine; the virtual machine includes a Virtio paravirtualized driver, and the Virtio paravirtualized driver includes a detection module. The method includes: the detection module of a first virtual machine acquires detection data, the first virtual machine being any one of the at least one virtual machine; the detection module of the first virtual machine sends the detection data through a paravirtualized channel to the back-end processing module of the first physical host; and the back-end processing module of the first host sends the detection data to a second physical host. With this method the detection module and the back-end processing module exchange data over the paravirtualized channel, so that communication between the first virtual machine and the first physical host is realized.

Description

Intrusion detection method and device for virtual machine

Technical field

The present invention relates to the field, and in particular to an intrusion detection method and device for a virtual machine.

Background

With the rapid development of computer technology, cloud computing, virtualization and related technologies have emerged. Cloud computing abstracts all computers into particular computing resources and then provides those resources to users. Typically, a cloud computing builder uses virtualization technology to virtualize multiple virtual computers (virtual machines for short) on a single physical host so that several users can each use one; such a physical host may be called a computing node. The security problems that come with this are being exposed step by step: compared with a traditional physical host, the scope of impact of a security threat to a virtual machine is relatively larger, so security detection for virtual machines is becoming more and more important.

Virtual machine security detection is the monitoring of the performance security and functional security of a virtual machine, and virtual machine intrusion detection is one kind of virtual machine security detection. At present, virtual machine intrusion detection performs real-time, all-round detection of the user space and kernel space of the virtual machine system, so that when the virtual machine is intruded upon by a hacker or similar actor, the intrusion behaviour can be discovered and event alerting and protection performed. This is currently done mainly by installing a security agent program in the virtual machine or executing temporary scripts, to achieve real-time detection, alerting and protection.

However, the security agent program or temporary script runs in the user layer of the operating system, occupies user-layer resources, and in actual operation may produce false detections. Moreover, when the security agent detects the kernel space of the virtual machine system, it needs to deploy a kernel module and communicate with the kernel space, which is comparatively complex. Further, when the security agent or temporary script reports events, it has to rely on the user's network resources.

Summary of the invention

Embodiments of the present invention provide an intrusion detection method and device for a virtual machine, to solve the problems of false detection, detection complexity and dependence on the user's network that arise in the prior art from installing a security agent program or executing temporary scripts in a virtual machine for intrusion detection.

In a first aspect, an embodiment of the present invention provides an intrusion detection method for a virtual machine. The method is applied to a first physical host; the at least one virtual machine includes a Virtio paravirtualized driver, the Virtio paravirtualized driver includes a detection module, and the Virtio paravirtualized driver runs in the kernel framework of the corresponding virtual machine. The method includes: the detection module of a first virtual machine acquires detection data, the first virtual machine being any one of the at least one virtual machine; the detection module of the first virtual machine sends the detection data through a paravirtualized channel to the back-end processing module of the first physical host; and the back-end processing module of the first host sends the detection data to the second physical host.

Based on the above solution, the Virtio paravirtualized driver allows the detection module in the virtual machine and the back-end processing module to exchange detection data over the paravirtualized channel; in other words, data exchange between the virtual machine and the physical host is realized on the basis of the paravirtualized channel. Further, because data is exchanged over the network between the two physical hosts (that is, the first physical host and the second physical host), the exchange does not depend on the user's network resources. This reduces disturbance to the user's network environment, is not subject to interference from the user's network operation and maintenance, and improves the stability and timeliness of the data exchange.

In a possible implementation, the paravirtualized channel is a data queue of a Virtio paravirtualized device. The data queue may include an upstream data queue and a downstream data queue.

In a possible implementation, the detection module of the first virtual machine acquiring detection data includes: the detection module of the first virtual machine performs intrusion detection through the kernel framework of the first virtual machine and obtains the detection data.

Because the detection module in the first virtual machine uses the kernel framework (Linux/Windows) of the first virtual machine's operating system to perform intrusion detection while the first virtual machine is running, its operation is more transparent to the user and is less likely to be disrupted by user misoperation and so produce false detections.

In a possible implementation, the back-end processing module of the first physical host may further receive configuration information from a second physical host on which an intrusion detection management service is deployed; the back-end processing module of the first virtual machine sends the configuration information through the paravirtualized channel to the detection module of the first virtual machine; and the detection module of the first virtual machine updates itself according to the configuration information.

In a possible implementation, the back-end processing module of the physical host is a program of a Virtio paravirtualized device.

In a possible implementation, the back-end processing module of the first physical host receiving configuration information from the second physical host includes: the back-end processing module of the first physical host receives the configuration information from the second physical host over the network between the first physical host and the second physical host.

Exchanging data over the network between the two physical hosts (that is, the first physical host and the second physical host) avoids dependence on the user's network resources, reduces disturbance to the user's network environment, is not subject to interference from the user's network operation and maintenance, and improves the stability and timeliness of the data exchange.

In a possible implementation, the back-end processing module of the first physical host sending the detection data to the second physical host includes: the back-end processing module of the first physical host sends the detection data to the second physical host over the network between the first physical host and the second physical host.

Exchanging data over the network between the two physical hosts (that is, the first physical host and the second physical host) avoids dependence on the user's network resources, reduces disturbance to the user's network environment, is not subject to interference from the user's network operation and maintenance, and improves the stability and timeliness of the data exchange.

In a second aspect, an embodiment of the present invention provides a detection device that can be applied to a first physical host, where the first physical host virtualizes at least one virtual machine, the at least one virtual machine includes a Virtio paravirtualized driver, and the Virtio paravirtualized driver includes a detection module. The detection device includes the detection module and a back-end processing module.

The detection module is used to acquire detection data and to send the detection data through a paravirtualized channel to the back-end processing module of the first physical host; the back-end processing module is used to send the detection data to the second physical host.

In a possible implementation, the paravirtualized channel is a data queue of a Virtio paravirtualized device.

In a possible implementation, the detection module is used to perform intrusion detection through the kernel framework of the first virtual machine to obtain the detection data.

In a possible implementation, the back-end processing module is further used to receive configuration information from a second physical host on which an intrusion detection management service is deployed, and to send the configuration information through the paravirtualized channel to the detection module of the first virtual machine; the detection module is used to update itself according to the configuration information.

In a possible implementation, the back-end processing module of the physical host is a program of a Virtio paravirtualized device.

In a possible implementation, the back-end processing module is specifically used to receive the configuration information from the second physical host over the network between the first physical host and the second physical host.

In a possible implementation, the back-end processing module sends the detection data to the second physical host over the network between the first physical host and the second physical host.

In a third aspect, the present application provides a computer-readable storage medium storing a computer program or instructions which, when executed by a detection device, cause the detection device to perform the method of the first aspect or of any possible implementation of the first aspect.

In a fourth aspect, the present application provides a computer program product comprising a computer program or instructions which, when executed by a detection device, cause the detection device to perform the method of the first aspect or of any possible implementation of the first aspect.

For the technical effects achievable by any of the second to fourth aspects, reference may be made to the description of the beneficial effects of the first aspect, which is not repeated here.

Description of the drawings

To explain the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.

FIG. 1 is a schematic diagram of a communication system architecture according to an embodiment of the present invention;

FIG. 2 is a schematic flowchart of an intrusion detection method for a virtual machine according to an embodiment of the present invention;

FIG. 3 is a schematic flowchart of another intrusion detection method for a virtual machine according to an embodiment of the present invention;

FIG. 4 is a schematic flowchart of yet another intrusion detection method for a virtual machine according to an embodiment of the present invention;

FIG. 5 is a schematic structural diagram of a detection device according to an embodiment of the present invention;

FIG. 6 is a schematic structural diagram of a detection device according to an embodiment of the present invention.

Detailed description

To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

FIG. 1 is a schematic diagram of a communication system architecture applicable to an embodiment of the present invention. The communication system may be called a cloud computing cluster and typically includes one management node and several computing nodes, all of which are physical hosts. FIG. 1 takes a system with two computing nodes and one management node as an example, with physical host 101 as a computing node and physical host 102 as the management node. Physical host 101 and physical host 102 can communicate by wired or wireless means; specifically, they can communicate over a mobile communication network (for example 2G/3G/4G/5G or a future 6G network), a wireless local area network (WLAN), a wireless fidelity (Wi-Fi) network, or the like.

Each computing node can virtualize multiple virtual machines; FIG. 1 takes as an example a computing node (physical host 101) on which two virtual machines, virtual machine 1011 and virtual machine 1012, are virtualized. An intrusion detection management service (also called an intrusion detection management platform) is deployed on the management node (physical host 102); it is mainly used to manage the intrusion detection of the virtual machines. The virtual machines (such as virtual machine 1011 and virtual machine 1012 in FIG. 1) include a Virtio paravirtualized driver, and the Virtio paravirtualized driver includes the detection module. In other words, the detection module is implemented inside a Virtio paravirtualized driver (such as virtio-blk or virtio-net) in the virtual machine. The Virtio paravirtualized driver lives in the kernel framework (also called the kernel space or kernel layer) of the virtual machine, so the detection module in the virtual machine can use the kernel framework of the virtual machine's operating system to perform intrusion detection while the virtual machine is running. Virtio is an abstract application programming interface (API) layered on top of the hypervisor; it lets the virtual machine know that it is running in a virtualized environment so that it can cooperate with the hypervisor according to the virtio standard and achieve better performance, such as input/output (I/O) performance.

The computing node (physical host) further includes a back-end processing module 1013, which is implemented in the QEMU program; the back-end processing module is the Virtio paravirtualized device emulation program. Relative to the back-end processing module 1013, the Virtio paravirtualized driver may also be called the front-end driver. QEMU/KVM provides a fully virtualized environment that lets virtual machines run under KVM without any modification; KVM is a hypervisor that requires hardware virtualization assistance (such as Intel VT-x or AMD-V).

Further, a paravirtualized channel between the detection module and the back-end processing module 1013 supports communication between them; in other words, communication between the virtual machine and the physical host is realized through the paravirtualized channel. A Virtio paravirtualized driver can use zero or more queues, the exact number depending on requirements. For example, the Virtio paravirtualized driver may use two virtual queues, one for receiving (called the upstream queue) and one for sending (called the downstream queue). Note that upstream and downstream are defined relative to each other, and the embodiments of the present invention do not limit this.

In a possible implementation, the physical host may further include a virtio-ring layer that implements a ring buffer for holding the information exchanged between the detection module and the back-end processing module 1013. The ring can hold several I/O requests from the detection module at once and hand them to the back-end processing module 1013 for batch processing, which finally calls the device driver in physical host 101 to perform the physical I/O operation. Batching by agreement in this way, instead of processing every I/O request from the virtual machine individually, improves the efficiency of information exchange between the virtual machine and the hypervisor.

Note that once a virtual machine is started on the physical host, the detection module in the virtual machine takes effect automatically, that is, it begins defence, intrusion detection and reporting of detection data.

As described in the background, the prior art runs a security agent program or temporary scripts in the user layer, which occupies user-layer resources and may produce false detections in actual operation. Moreover, when the security agent detects the kernel space of the virtual machine system, it needs to deploy a kernel module and communicate with the kernel space, which is comparatively complex. Further, when the security agent or temporary script reports events, it has to rely on the user's network resources.

In view of this, embodiments of the present invention provide an intrusion detection method for a virtual machine. The method can avoid false detection, helps reduce the complexity of intrusion detection, and does not need to rely on the user's network.

基于上述内容,如图2所示,为本发明实施例提供的一种虚拟机的入侵检测方法。该方法应用于第一物理宿主机,所述第一物理宿主机虚拟出至少一个虚拟机,所述至少一个虚拟机部署有Virtio半虚拟化驱动。如下以第一虚拟机为例,该方法包括以下步骤:Based on the above content, as shown in FIG. 2 , an intrusion detection method for a virtual machine provided by an embodiment of the present invention is provided. The method is applied to a first physical host, where the first physical host virtualizes at least one virtual machine, and the at least one virtual machine is deployed with a Virtio paravirtualized driver. Taking the first virtual machine as an example below, the method includes the following steps:

步骤201,第一虚拟机的检测模块获取检测数据。Step 201, the detection module of the first virtual machine acquires detection data.

其中,第一虚拟机为第一物理宿主机虚拟出的至少一个虚拟机中的任一个。结合上述图1,第一物理宿主机可以是上述图1中的物理宿主机101,第一虚拟机可以为虚拟机1011,也可以为虚拟机1012。The first virtual machine is any one of at least one virtual machine virtualized by the first physical host machine. 1 , the first physical host may be the physical host 101 in the foregoing FIG. 1 , and the first virtual machine may be the virtual machine 1011 or the virtual machine 1012 .

在一种可能的实现方式中,第一虚拟机中的检测模块通过内核驱动技术来实现检测,可以作为第一虚拟机内核的设备驱动加载运行。具体的,第一虚拟机中的检测模块主要用于使用第一虚拟机的操作系统的内核框架(Linux/Windows)对第一虚拟机运行时进行入侵检测,从而获得检测数据。基于此,可以对用户更加透明的运行,不容易被误操作导致检测失效,即不容易发生误检。In a possible implementation manner, the detection module in the first virtual machine implements detection through a kernel driving technology, and can be loaded and run as a device driver of the kernel of the first virtual machine. Specifically, the detection module in the first virtual machine is mainly used to perform intrusion detection on the runtime of the first virtual machine by using the kernel framework (Linux/Windows) of the operating system of the first virtual machine, so as to obtain detection data. Based on this, the operation can be more transparent to the user, and it is not easy to cause detection failure due to misoperation, that is, false detection is not easy to occur.

Step 202: the detection module of the first virtual machine sends the detection data to the back-end processing module of the first physical host through a paravirtualized channel.

In one possible implementation, the first virtual machine has a Virtio paravirtualized driver deployed, and a paravirtualized channel is formed between the detection module of the first virtual machine and the back-end processing module of the first physical host. The paravirtualized channel may also be called the data queue of the Virtio paravirtualized device; the queue on which the detection module sends data to the back-end processing module may be called the upstream data queue of that device.

In other words, the detection module of the first virtual machine may use the data queue of a QEMU-KVM Virtio paravirtualized device to send the detection data to the back-end processing module of the first physical host.

Step 203: the back-end processing module of the first physical host sends the detection data to a second physical host.

With reference to FIG. 1 above, the first physical host may be physical host 101 in FIG. 1 and the second physical host may be physical host 102 in FIG. 1.

In one possible implementation, the back-end processing module of the first physical host may be developed on QEMU-KVM virtualization technology as a program implementing a Virtio paravirtualized device, and may run as part of the back-end virtual machine program on the first physical host (in practice, the QEMU process that backs the virtual machine).

For example, the back-end processing module of the first physical host may be exposed as a character device. A character device is a device that transfers data in units of characters (bytes) during I/O. In Linux, a character device occupies a position in the file system tree as a special file with a corresponding node, and a character device file can be operated on with the same file operations as an ordinary file, such as open, close, read and write.

In one possible implementation, an intrusion detection management service is deployed on the second physical host. The back-end processing module of the first physical host exchanges data with the intrusion detection management service over the network between the first physical host and the second physical host. Specifically, this network may include, but is not limited to, a mobile communication network (e.g. 2G/3G/4G/5G or a future 6G network), a wireless local area network (WLAN), or a wireless fidelity (Wi-Fi) network.

Through steps 201 to 203, the detection module in the first virtual machine uses the kernel framework (Linux/Windows) of the first virtual machine's operating system to perform intrusion detection at runtime, which makes its operation more transparent to the user and less likely to be disabled by misoperation. The detection module in the virtual machine and the back-end processing module exchange detection data over the paravirtualized channel, i.e. data exchange between the virtual machine and the physical host is implemented over that channel rather than over the guest's network stack. Further, by exchanging data over the network between the two physical hosts (the first and the second), the method does not depend on the user's network resources, reduces disturbance to the user's network environment, is not affected by the user's network operations and maintenance, and improves the stability and timeliness of the data exchange.

In one possible implementation, the detection module may be operated jointly with the intrusion detection component of the physical host, improving the efficiency of intrusion detection on the physical host.

In one possible implementation, the intrusion detection management service may be implemented on any application service framework, including but not limited to a Model-View-Controller (MVC) framework, a Remote Procedure Call (RPC) framework, or a Service-Oriented Architecture (SOA). The intrusion detection management service mainly manages intrusion detection for the virtual machines, which may include, but is not limited to, storage, analysis and alerting on the detection data. It may further be used for configuration management of the detection module, for example issuing configuration information to update the detection module.

When the intrusion detection management service needs to send configuration information to the first virtual machine, it may send it over the network between the first physical host and the second physical host. Specifically, the intrusion detection management service sends the configuration information to the back-end processing module of the first physical host over that network. The network between the first physical host and the second physical host is described above and is not repeated here.

Further, optionally, when the back-end processing module of the first physical host sends configuration information to the detection module of the first virtual machine, it may also use the paravirtualized channel of step 202, i.e. the data queue of the Virtio paravirtualized device. The data queue used in this direction may be called the downstream queue. Specifically, the back-end processing module of the first physical host sends the configuration information to the detection module of the first virtual machine through the paravirtualized channel.

Further, optionally, the detection module in the first virtual machine may update itself according to the received configuration information.

Based on the above, and to further explain the intrusion detection method provided by the embodiments of the present invention, another intrusion detection method for a virtual machine is given below. It describes the method in detail from the perspective of the flow of detection data. The method includes the following steps:

Step 301: the first virtual machine starts, and the detection module included in the Virtio paravirtualized driver of the first virtual machine begins intrusion detection.

Step 302: the detection module collects detection data.

Step 302 is as described for step 201 above and is not repeated here.

Step 303: the detection module passes the detection data to the Virtio paravirtualized driver, which receives it.

Step 304: the Virtio paravirtualized driver sends the detection data to the back-end processing module through the upstream data queue of the Virtio paravirtualized device, and the back-end processing module receives it.

Step 304 is as described for step 202 above and is not repeated here.

Step 305: the back-end processing module sends the detection data to the intrusion detection management service, which receives it.

Step 305 is as described for step 203 above and is not repeated here.

Note that before step 301, the configuration of the Virtio paravirtualized device may be added to the configuration file of the first virtual machine. Specifically, the paravirtualized device driver may be added to the base image of the first virtual machine and configured to load at boot, so that the detection module is active from the moment the guest kernel comes up.

Through steps 301 to 305, the detection module reports detection data to the intrusion detection management service.
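The upstream path of steps 201 to 203 and 301 to 305 is a guest-to-host channel, so the back-end processing module on the host is parsing bytes produced by a guest that may already be under attacker control (a root user inside the guest can unload or tamper with the kernel-resident detection module, however transparent it is to ordinary users). The example below is added here and is not code from the patent or its applicant: it defines a record format for the detection data, the guest-side encoder, and the host-side decoder that refuses any record whose guest-supplied length does not match the bytes actually received. The names (ids_rec_hdr, ids_encode, ids_decode), the event types, the magic value and the field layout are assumptions for illustration; native byte order is used because guest and host share the CPU under KVM.

```c
/* Added example, not from the patent: wire format for detection records on
 * the upstream virtqueue, with the guest-side encoder and the host-side
 * decoder the back-end processing module would run. Names, event types and
 * layout are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IDS_MAGIC       0x49445331u   /* "IDS1", assumed */
#define IDS_MAX_PAYLOAD 4096u         /* assumed per-record cap */
#define IDS_VERSION     1

enum ids_event { IDS_EV_PROCESS_EXEC = 1, IDS_EV_MODULE_LOAD = 2, IDS_EV_SYSCALL_HOOK = 3 };

struct ids_rec_hdr {
    uint32_t magic;
    uint16_t version;
    uint16_t event;
    uint64_t ts_ns;        /* guest monotonic clock, nanoseconds */
    uint32_t payload_len;  /* bytes following the header */
} __attribute__((packed));

struct ids_rec {
    uint16_t       event;
    uint64_t       ts_ns;
    const uint8_t *payload;
    uint32_t       payload_len;
};

/* Guest side: frame one record into buf. Returns bytes written, 0 on error. */
size_t ids_encode(uint8_t *buf, size_t cap, uint16_t event, uint64_t ts_ns,
                  const void *payload, uint32_t payload_len)
{
    struct ids_rec_hdr h = { IDS_MAGIC, IDS_VERSION, event, ts_ns, payload_len };
    if (payload_len > IDS_MAX_PAYLOAD || cap < sizeof h + payload_len)
        return 0;
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, payload, payload_len);
    return sizeof h + payload_len;
}

/* Host side: parse one record from `avail` bytes received off the queue.
 * Returns bytes consumed, or 0 if the record is malformed or incomplete.
 * Never reads past `avail`, whatever the header claims. */
size_t ids_decode(const uint8_t *buf, size_t avail, struct ids_rec *out)
{
    struct ids_rec_hdr h;
    if (avail < sizeof h)
        return 0;
    memcpy(&h, buf, sizeof h);
    if (h.magic != IDS_MAGIC || h.version != IDS_VERSION)
        return 0;
    if (h.payload_len > IDS_MAX_PAYLOAD)        /* cap before any arithmetic */
        return 0;
    if (avail - sizeof h < h.payload_len)       /* truncated: the length lies */
        return 0;
    if (h.event < IDS_EV_PROCESS_EXEC || h.event > IDS_EV_SYSCALL_HOOK)
        return 0;                               /* unknown event type */
    out->event       = h.event;
    out->ts_ns       = h.ts_ns;
    out->payload     = buf + sizeof h;
    out->payload_len = h.payload_len;
    return sizeof h + h.payload_len;
}

int main(void)
{
    /* Constructed sample: one process-exec event as the guest would emit it. */
    const char sample[] = "exec:/usr/bin/nc";
    uint8_t buf[64];
    struct ids_rec r;
    size_t n = ids_encode(buf, sizeof buf, IDS_EV_PROCESS_EXEC, 1000, sample, 16);
    if (ids_decode(buf, n, &r) == n)
        printf("event=%u payload=%.*s\n", r.event, (int)r.payload_len,
               (const char *)r.payload);
    /* Same bytes, one short: the host refuses rather than over-reading. */
    printf("truncated -> %zu consumed\n", ids_decode(buf, n - 1, &r));
    return 0;
}
```

The decoder checks the payload length against the cap before it does any arithmetic with it and only then against the bytes available, so an oversized or wrapped length from a hostile guest can neither over-read the receive buffer nor drive a later allocation. Records the host rejects are themselves a useful signal: a well-behaved detection module never produces them, so a burst of malformed records from one guest is worth an alert in the intrusion detection management service.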

Based on the above, and to further explain the intrusion detection method provided by the embodiments of the present invention, yet another intrusion detection method for a virtual machine is given below, described in detail from the perspective of the flow of configuration information. The method includes the following steps:

Step 401: the intrusion detection management service sends configuration information to the back-end processing module, which receives it.

In one possible implementation, the intrusion detection management service sends the configuration information to the back-end processing module of the first physical host over the network between the first physical host and the second physical host.

Step 402: the back-end processing module sends the configuration information to the Virtio paravirtualized driver through the downstream data queue of the Virtio paravirtualized device, and the driver receives it.

Step 403: the Virtio paravirtualized driver injects the configuration information into the detection module.

Step 404: the detection module updates itself according to the injected configuration information.

Through steps 401 to 404, the intrusion detection management service sends configuration information to the detection module, so that the detection module is updated.
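The downstream path of steps 401 to 404 writes into the guest kernel, so the detection module should treat what arrives on the queue as input to be validated, not as a command to obey. The example below is added here and is not code from the patent or its applicant: it shows guest-side handling of configuration messages, applying a message only once all of its bytes have arrived (the queue may deliver a message in pieces) and only if its generation number is higher than the one already applied, so that a captured older configuration cannot be replayed to weaken detection. The message layout and the names (cfg_msg_hdr, ids_cfg_state, cfg_encode, ids_cfg_feed) are assumptions; the queue is simulated with byte buffers so the example runs in user space, whereas inside the guest the same bytes would be read from the virtio device.

```c
/* Added example, not from the patent: guest-side handling of configuration
 * messages from the downstream queue (steps 402-404). Layout and names are
 * assumptions; the queue is simulated with plain byte buffers. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CFG_MAGIC   0x43464731u   /* "CFG1", assumed */
#define CFG_MAX_LEN 1024u         /* assumed cap on rule text */

struct cfg_msg_hdr {
    uint32_t magic;
    uint32_t generation;   /* must strictly increase */
    uint32_t len;          /* bytes of rule text that follow */
} __attribute__((packed));

struct ids_cfg_state {
    uint32_t generation;                  /* last applied generation */
    char     rules[CFG_MAX_LEN + 1];      /* current rule text, NUL-terminated */
    uint8_t  inbuf[sizeof(struct cfg_msg_hdr) + CFG_MAX_LEN];
    size_t   inlen;                       /* bytes of a pending message */
    unsigned applied, rejected;
};

/* Management side: build one message. Returns bytes written, 0 on error. */
size_t cfg_encode(uint8_t *buf, size_t cap, uint32_t generation, const char *rules)
{
    size_t len = strlen(rules);
    struct cfg_msg_hdr h = { CFG_MAGIC, generation, (uint32_t)len };
    if (len > CFG_MAX_LEN || cap < sizeof h + len)
        return 0;
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, rules, len);
    return sizeof h + len;
}

/* Apply one complete message from the front of inbuf. Returns 1 if a message
 * was consumed (applied or rejected), 0 if more bytes are needed. */
static int cfg_consume(struct ids_cfg_state *st)
{
    struct cfg_msg_hdr h;
    if (st->inlen < sizeof h)
        return 0;
    memcpy(&h, st->inbuf, sizeof h);
    if (h.magic != CFG_MAGIC || h.len > CFG_MAX_LEN) {
        st->rejected++;          /* framing broken: drop what we have */
        st->inlen = 0;
        return 1;
    }
    size_t total = sizeof h + h.len;
    if (st->inlen < total)
        return 0;                /* wait for the rest of the message */
    if (h.generation > st->generation) {
        memcpy(st->rules, st->inbuf + sizeof h, h.len);
        st->rules[h.len] = '\0';
        st->generation = h.generation;
        st->applied++;
    } else {
        st->rejected++;          /* stale or replayed generation */
    }
    memmove(st->inbuf, st->inbuf + total, st->inlen - total);
    st->inlen -= total;
    return 1;
}

/* Feed bytes in whatever chunks the queue delivers them. */
void ids_cfg_feed(struct ids_cfg_state *st, const uint8_t *p, size_t n)
{
    while (n > 0) {
        size_t room = sizeof st->inbuf - st->inlen;
        size_t take = n < room ? n : room;
        memcpy(st->inbuf + st->inlen, p, take);
        st->inlen += take;
        p += take;
        n -= take;
        while (cfg_consume(st))
            ;
    }
}

int main(void)
{
    struct ids_cfg_state st;
    uint8_t msg[64];
    memset(&st, 0, sizeof st);
    /* Constructed sample: generation 7 delivered in two pieces, then replayed. */
    size_t n = cfg_encode(msg, sizeof msg, 7, "alert:module_load;deny:/tmp/*");
    ids_cfg_feed(&st, msg, 5);
    ids_cfg_feed(&st, msg + 5, n - 5);
    ids_cfg_feed(&st, msg, n);
    printf("gen=%u applied=%u rejected=%u rules=%s\n",
           st.generation, st.applied, st.rejected, st.rules);
    return 0;
}
```

A generation counter only protects against replay of something the guest has already seen; it says nothing about who produced the message. Whether the hop from the intrusion detection management service to the back-end processing module is authenticated is left open by the text, and in a deployment that link (or a signature on the message carried through the downstream queue) is where the origin of a configuration update would be established.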

It is understood that, to implement the functions of the above embodiments, the detection apparatus includes hardware structures and/or software modules corresponding to each function. Those skilled in the art will readily appreciate that the modules and method steps of the examples described in conjunction with the embodiments disclosed in this application can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the specific application scenario and design constraints of the technical solution.

Based on the same technical concept, an embodiment of the present invention further provides a detection apparatus. FIG. 5 is a schematic structural diagram of the detection apparatus. The detection apparatus can perform the functions of the physical host in the above method embodiments and therefore also achieves the beneficial effects of those embodiments.

As shown in FIG. 5, the detection apparatus 500 includes a detection module 501 and a back-end processing module 502. The detection apparatus 500 may be used to perform the method shown in FIG. 2, FIG. 3 or FIG. 4.

When the detection apparatus 500 implements the method embodiment of FIG. 2, the detection module 501 acquires detection data and sends it to the back-end processing module 502 of the first physical host through the paravirtualized channel, and the back-end processing module 502 sends the detection data to the second physical host.

In one possible implementation, the paravirtualized channel is the data queue of a Virtio paravirtualized device.

In one possible implementation, the detection module 501 performs intrusion detection through the kernel framework of the first virtual machine to obtain the detection data.

In one possible implementation, the back-end processing module 502 further receives configuration information from the second physical host, on which an intrusion detection management service is deployed, and sends the configuration information to the detection module 501 of the first virtual machine through the paravirtualized channel; the detection module 501 updates itself according to the configuration information.

In one possible implementation, the back-end processing module 502 of the physical host is a program implementing a Virtio paravirtualized device.

In one possible implementation, the back-end processing module 502 is specifically configured to receive the configuration information from the second physical host over the network between the first physical host and the second physical host.

In one possible implementation, the back-end processing module 502 sends the detection data to the second physical host over the network between the first physical host and the second physical host.

A more detailed description of the detection module 501 and the back-end processing module 502 can be obtained directly from the description of the method embodiment shown in FIG. 2 and is not repeated here.

Based on the same technical concept, an embodiment of the present application further provides a detection device, shown in FIG. 6, including at least one processor 601, a communication interface 602, and a memory 603 connected to the at least one processor. The specific connection medium between the processor 601 and the memory 603 is not limited in this embodiment; in FIG. 6 they are connected by a bus as an example. The bus may be divided into an address bus, a data bus, a control bus and so on.

In this embodiment of the present application, the memory 603 stores instructions executable by the at least one processor 601, and by executing the instructions stored in the memory 603 the at least one processor 601 can perform the steps of the virtual machine intrusion detection method described above.

The processor 601 is the control center of the detection device; it connects the parts of the detection device through various interfaces and lines and implements data processing by running or executing the instructions stored in the memory 603 and calling the data stored in the memory 603. Optionally, the processor 601 may include one or more processing units and may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface and application programs and the modem processor mainly handles the issuing of instructions. The modem processor may also be left out of the processor 601. In some embodiments, the processor 601 and the memory 603 may be implemented on the same chip; in others, they may be implemented on separate chips.

The processor 601 may be a general-purpose processor such as a central processing unit (CPU), a digital signal processor, an application-specific integrated circuit (ASIC), a field-programmable gate array or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of this application. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the virtual machine intrusion detection method embodiments may be performed directly by a hardware processor or by a combination of hardware and software modules in the processor.

The memory 603, as a non-volatile computer-readable storage medium, can store non-volatile software programs, non-volatile computer-executable programs and modules. The memory 603 may include at least one type of storage medium, for example flash memory, a hard disk, a multimedia card, card-type memory, random access memory (RAM), static random access memory (SRAM), programmable read-only memory (PROM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), magnetic memory, a magnetic disk or an optical disc. The memory 603 may be any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited to these. The memory 603 in this embodiment may also be a circuit or any other device capable of storing program instructions and/or data.

Based on the same technical concept, an embodiment of the present application further provides a computer-readable storage medium storing a computer program executable by a detection apparatus; when the program runs on the detection apparatus, it causes the detection apparatus to perform the steps of the virtual machine intrusion detection method described above.

Those skilled in the art will appreciate that the embodiments of this application may be provided as a method, a system or a computer program product. Accordingly, this application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.

This application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to this application. It will be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.

These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.

Obviously, those skilled in the art can make various changes and modifications to this application without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims of this application and their equivalents, this application is intended to include them.

Claims (10)

1. An intrusion detection method for a virtual machine, applied to a first physical host, wherein the first physical host virtualizes at least one virtual machine, the at least one virtual machine comprises a Virtio paravirtualization driver, the Virtio paravirtualization driver comprises a detection module, and the method comprises:
a detection module of a first virtual machine acquiring detection data, wherein the first virtual machine is any one of the at least one virtual machine;
the detection module of the first virtual machine sending the detection data to a back-end processing module of the first physical host through a paravirtualized channel; and
the back-end processing module of the first physical host sending the detection data to a second physical host.
2. The method of claim 1, wherein the paravirtualized channel is a data queue of a Virtio paravirtualized device.
3. The method of claim 1, wherein the detection module of the first virtual machine acquiring detection data comprises:
the detection module of the first virtual machine performing intrusion detection through the kernel framework of the first virtual machine to obtain the detection data.
4. The method of claim 1 or 2, wherein the method further comprises:
the back-end processing module of the first physical host receiving configuration information from the second physical host, wherein an intrusion detection management service is deployed on the second physical host;
the back-end processing module of the first physical host sending the configuration information to the detection module of the first virtual machine through the paravirtualized channel; and
the detection module of the first virtual machine updating the detection module according to the configuration information.
5. The method of claim 4, wherein the back-end processing module of the physical host is a program of a Virtio para-virtualization device.
6. The method of claim 5, wherein the back-end processing module of the first physical host receiving configuration information from the second physical host comprises:
the back-end processing module of the first physical host receiving the configuration information from the second physical host over a network between the first physical host and the second physical host.
7. The method of claim 1, wherein the back-end processing module of the first physical host sending the detection data to the second physical host comprises:
the back-end processing module of the first physical host sending the detection data to the second physical host over a network between the first physical host and the second physical host.
8. A detection apparatus applied to a first physical host, wherein the first physical host virtualizes at least one virtual machine, the at least one virtual machine comprises a Virtio paravirtualization driver, the Virtio paravirtualization driver comprises a detection module, and the detection apparatus comprises:
the detection module, configured to acquire detection data and to send the detection data to a back-end processing module through a paravirtualized channel; and the back-end processing module, configured to send the detection data to a second physical host.
9. A detection apparatus, comprising a processor coupled to a memory and a transceiver, wherein the memory stores a computer program and the processor executes the computer program stored in the memory to cause the detection apparatus to perform the method of any one of claims 1 to 7.
10. A computer-readable storage medium, having stored thereon a computer program or instructions which, when executed by a detection apparatus, cause the detection apparatus to perform the method of any one of claims 1 to 7.
CN202111583496.6A 2021-12-22 2021-12-22 Intrusion detection method and device for virtual machine Active CN114499945B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111583496.6A CN114499945B (en) 2021-12-22 2021-12-22 Intrusion detection method and device for virtual machine


Publications (2)

Publication Number Publication Date
CN114499945A true CN114499945A (en) 2022-05-13
CN114499945B CN114499945B (en) 2023-08-04

Family

ID=81493729


Country Status (1)

Country Link
CN (1) CN114499945B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114710366A (en) * 2022-05-31 2022-07-05 阿里巴巴(中国)有限公司 Cross-safe-area resource access method in cloud computing system and electronic equipment
CN117389694A (en) * 2023-12-13 2024-01-12 麒麟软件有限公司 Virtual storage IO performance improving method based on virtio-blk technology
CN117407092A (en) * 2023-12-13 2024-01-16 苏州元脑智能科技有限公司 Device configuration changing method and device, electronic device and storage medium

Citations (13)

Publication number Priority date Publication date Assignee Title
US20160004863A1 (en) * 2013-03-01 2016-01-07 Orange Method for detecting attacks on virtual machines
CN106572047A (en) * 2015-10-09 2017-04-19 东软集团股份有限公司 Physical network safety device and control method thereof
US20180139215A1 (en) * 2016-11-16 2018-05-17 Microsoft Technology Licensing, Llc Systems and methods for detecting an attack on an auto-generated website by a virtual machine
CN108897604A (en) * 2018-07-03 2018-11-27 北京思空科技有限公司 Intrusion detection system, apparatus and method, and computer-readable storage medium
CN109189559A (en) * 2018-09-12 2019-01-11 郑州云海信息技术有限公司 Virtual machine secure communication method, apparatus, device and storage medium
CN109324873A (en) * 2018-09-21 2019-02-12 郑州云海信息技术有限公司 Virtualization security management method, device running a kernel driver, and storage medium
CN109495422A (en) * 2017-09-11 2019-03-19 中国电信股份有限公司 Virtual firewall configuration method, apparatus and computer-readable storage medium
CN109597675A (en) * 2018-10-25 2019-04-09 中国科学院信息工程研究所 Virtual machine malware behavior detection method and system
CN111625826A (en) * 2020-05-28 2020-09-04 浪潮电子信息产业股份有限公司 Malicious software detection method and device in cloud server and readable storage medium
CN111897626A (en) * 2020-07-07 2020-11-06 烽火通信科技股份有限公司 Cloud computing scene-oriented virtual machine high-reliability system and implementation method
US20200356401A1 (en) * 2018-03-23 2020-11-12 Huawei Technologies Co., Ltd. Method for Accessing Remote Acceleration Device by Virtual Machine, and System
CN111988230A (en) * 2020-08-19 2020-11-24 海光信息技术有限公司 Virtual machine communication method, device and system and electronic equipment
CN112445568A (en) * 2019-09-02 2021-03-05 阿里巴巴集团控股有限公司 Data processing method, device and system based on hardware acceleration

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
GARFINKEL TAL; MENDEL ROSENBLUM: "A virtual machine introspection based architecture for intrusion detection", 《NDSS》, vol. 3 *
SUAAD S. ALARIFI; STEPHEN D. WOLTHUSEN: "Detecting anomalies in IaaS environments through virtual machine host system call analysis", 《2012 INTERNATIONAL CONFERENCE FOR INTERNET TECHNOLOGY AND SECURED TRANSACTIONS》 *
于佳耕; 周鹏; 武延军; 赵琛: "Model analysis and implementation of deterministic execution replay for virtual machines", 《Journal of Software》, vol. 23, no. 06 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114710366A (en) * 2022-05-31 2022-07-05 阿里巴巴(中国)有限公司 Cross-safe-area resource access method in cloud computing system and electronic equipment
CN117389694A (en) * 2023-12-13 2024-01-12 麒麟软件有限公司 Virtual storage IO performance improving method based on virtio-blk technology
CN117407092A (en) * 2023-12-13 2024-01-16 苏州元脑智能科技有限公司 Device configuration changing method and device, electronic device and storage medium
CN117407092B (en) * 2023-12-13 2024-03-12 苏州元脑智能科技有限公司 Device configuration changing method and device, electronic device and storage medium
CN117389694B (en) * 2023-12-13 2024-04-05 麒麟软件有限公司 Virtual storage IO performance improving method based on virtio-blk technology

Also Published As

Publication number Publication date
CN114499945B (en) 2023-08-04

Similar Documents

Publication Publication Date Title
US10871980B2 (en) Execution of a script based on properties of a virtual device associated with a virtual machine
CN114499945B (en) Intrusion detection method and device for virtual machine
US8707417B1 (en) Driver domain as security monitor in virtualization environment
US8875129B2 (en) Systems and methods for monitoring and alerting events that virtual machine software produces in a virtual infrastructure
US12013939B2 (en) Analysis system, analysis method, analysis device, and storage medium for analyzing operation of a program executed in an analysis environment
US8566823B2 (en) Systems and methods for triggering scripts based upon an alert within a virtual infrastructure
US8612633B2 (en) Virtual machine fast emulation assist
US10592434B2 (en) Hypervisor-enforced self encrypting memory in computing fabric
KR101823888B1 (en) Multinode hubs for trusted computing
US10942757B2 (en) Virtual machine security through guest-side emulation
US20190026143A1 (en) Guest controlled virtual device packet filtering
US8793688B1 (en) Systems and methods for double hulled virtualization operations
US9721091B2 (en) Guest-driven host execution
US10185548B2 (en) Configuring dependent services associated with a software package on a host system
US11163597B2 (en) Persistent guest and software-defined storage in computing fabric
CN107423619A (en) A method for building an intelligent-terminal WEB runtime based on virtualization technology
US20130125115A1 (en) Policy enforcement by hypervisor paravirtualized ring copying
US12204925B2 (en) Securing virtual machines in computer systems
US11042399B2 (en) Managing virtual computing instances and physical servers
CN113312140A (en) Virtual trusted platform module
US20180336085A1 (en) Crash dump extraction of guest failure
US20230205560A1 (en) Selective memory deduplication for virtualized computer systems
US10318343B2 (en) Migration methods and apparatuses for migrating virtual machine including locally stored and shared data
CN114238236A (en) Shared file access method, electronic device and computer readable storage medium
CN102622245B (en) Virtual machine automatic-starting control method under sun4v architecture

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20220513

Assignee: Dbappsecurity Co.,Ltd.

Assignor: Tianyiyun Technology Co.,Ltd.

Contract record no.: X2024990000089

Denomination of invention: A Virtual Machine Intrusion Detection Method and Device

Granted publication date: 20230804

License type: Common License

Record date: 20240308
