CN116208412A - Malicious traffic identification and monitoring method based on virtual machine - Google Patents


Info

Publication number
CN116208412A
Authority
CN
China
Prior art keywords
virtual machine
data packet
target data
time
data packets
Legal status
Pending
Application number
CN202310187487.8A
Other languages
Chinese (zh)
Inventor
张海宾
胡应宽
王煜鑫
李航
刘志宏
李晓军
Current Assignee
Xidian University
Original Assignee
Xidian University
Priority date
2023-03-01
Filing date
2023-03-01
Publication date
2023-06-02
Application filed by Xidian University
Priority to CN202310187487.8A
Publication of CN116208412A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses a malicious traffic identification and monitoring method based on a virtual machine, which comprises the following steps: the virtual machine acquires, in real time, data packet information sent to the client in the network; the virtual machine runs on the host machine and provides a virtualized hardware environment for the client machine; the virtual machine analyzes the data packet according to the data packet information, and when the analysis result is that the data packet is the first target data packet received, the virtual machine acquires the arrival time of the first target data packet; the arrival time is taken as the starting time of a preset time window, and recording of the number of target data packets acquired within the preset window time begins; when the number of recorded target data packets does not reach a preset threshold, the virtual machine updates the starting time of the preset window time to the current time and continues recording; when the number of recorded target data packets reaches the preset threshold, the virtual machine discards the target data packets exceeding the preset threshold. The invention realizes the identification of and resistance to flooding traffic in a virtualized hardware environment.

Description

Malicious traffic identification and monitoring method based on virtual machine
Technical Field
The invention belongs to the technical field of virtualization security, and particularly relates to a malicious traffic identification and monitoring method based on a virtual machine.
Background
Virtualization technology is widely used in computer science; for example, it is applied at large scale in cloud products. The security and reliability of virtualization technology is accordingly a research hotspot.
The virtual network is an important component of the virtual machine technology stack: it is the medium for data interaction between the virtual machine and the outside, and an essential link in realizing the complete function of the virtual machine. Virtualized networks, as the carrier of virtual machine system data communications, must have good security and robustness in order to provide a trusted network communication environment.
In a network, a common form of malicious traffic is flooding traffic: an attacker sends a large number of meaningless flood messages to the attacked party in a short time, so that the attacked party is kept busy coping with useless messages, exhausts its software and hardware resources, and its network service is paralyzed. Flooding traffic is one form of DDoS (distributed denial of service) attack. DDoS attacks break down the attacked host's network by various means so that it can no longer provide normal services to the outside. The harm is huge, particularly in a cloud environment: as shown in FIG. 1, the various services are deployed in virtual machines in the cloud, and those virtual machines sit in a virtualized network environment, so traditional firewalls and intrusion detection tools, being deployed outside that environment, can only monitor and block malicious traffic crossing the boundary of the virtual network and cannot monitor malicious traffic exchanged between virtual machine instances. Once a malicious user, acting under the identity of a cloud tenant, sends malicious traffic to other tenants in the same virtual network environment, such a flooding attack goes undefended. How to ensure the security of the virtual machine network environment is therefore a major concern in both virtualization technology and cloud computing.
If a conventional intrusion detection tool is deployed inside the client operating system instead, deploying it in every client is a time-consuming and labor-intensive task given the huge number of virtual machines in cloud computing, and the performance of the whole cloud platform is affected. The related art has not solved these problems.
Disclosure of Invention
In order to solve the problems in the related art, the invention provides a malicious traffic identification and monitoring method based on a virtual machine. The technical problems to be solved by the invention are realized by the following technical scheme:
the invention provides a malicious traffic identification and monitoring method based on a virtual machine, which comprises the following steps:
the virtual machine acquires data packet information sent to the client in the network in real time; the virtual machine runs on the host machine and provides a virtualized hardware environment for the client machine;
the virtual machine analyzes the data packet according to the data packet information, and obtains the arrival time of the first target data packet when the data packet is the received first target data packet as a result of the analysis;
taking the arrival time as the starting time of a preset time window, and starting to record the number of the target data packets acquired in the preset window time;
when the number of the recorded target data packets does not reach a preset threshold, the virtual machine updates the starting time of the preset window time to the current time and continues recording;
and when the recorded number of the target data packets reaches the preset threshold, discarding the target data packets exceeding the preset threshold by the virtual machine.
In some embodiments, the packet information comprises: protocol type of data packet, source IP address of data packet; the virtual machine analyzes the data packet according to the data packet information, and comprises the following steps:
the virtual machine determines whether the protocol type and the source IP address of the obtained data packet are the same as those of the data packet received in history, and when the protocol type and the source IP address are different, and the protocol type is a target protocol, the data packet is the first received target data packet and is used as the analysis result.
In some embodiments, the method further comprises:
when the number of the recorded target data packets reaches the preset threshold value, the virtual machine generates alarm information; the alarm information comprises: the source IP address of the target data packet, the protocol type of the target data packet, and the arrival time of the first target data packet;
and displaying the alarm information on a current display interface of the host.
In some embodiments, the beginning of recording the number of the target data packets received in the preset window time includes:
setting a counter, and adding 1 to the count of the counter when one target data packet is acquired, until the preset window time is over, and taking the count value of the counter as the number of the target data packets received in the preset window time.
In some embodiments, the obtaining the arrival time of the first target packet includes:
and acquiring the arrival time of the first target data packet through a get_ms_time function in the Linux system.
In some embodiments, the target protocol comprises ICMP protocol.
In some embodiments, the virtual machine is a QEMU virtual machine, and the virtual machine is configured to bridge a network mode.
The invention has the following beneficial technical effects. Because the malicious traffic identification and monitoring method is executed by the virtual machine, it is transparent to the upper-layer client, and the client can run on the safer virtual machine without any modification, so that receiving and transmitting virtualized network data packets is safer and more efficient than with traditional defenses. The functions of the virtualized network are extended without introducing a new thread, so no extra performance cost is incurred. Because the method is executed by the virtual machine (i.e. implemented at the virtualized hardware level), it works outside the operating system of the host machine and is therefore difficult for malicious programs running in that operating system to detect, destroy or bypass; identification of and resistance to flooding traffic in a virtualized hardware environment is thus realized, with high usability.
The present invention will be described in further detail with reference to the accompanying drawings and examples.
Drawings
FIG. 1 is a virtualized network topology among multiple virtual machines in an exemplary cloud environment provided by an embodiment of the present invention;
FIG. 2 is a flowchart of a method for identifying and monitoring malicious traffic based on a virtual machine according to an embodiment of the present invention;
FIG. 3 is a topology diagram of an exemplary QEMU bridge mode virtualized network model provided by an embodiment of the invention;
FIG. 4 is another flowchart of a malicious traffic identifying and monitoring method based on a virtual machine according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to specific examples, but embodiments of the present invention are not limited thereto.
In the description of the present invention, the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature. In the description of the present invention, the meaning of "a plurality" is two or more, unless explicitly defined otherwise.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Further, one skilled in the art can engage and combine the different embodiments or examples described in this specification.
Although the invention is described herein in connection with various embodiments, other variations to the disclosed embodiments can be understood and effected by those skilled in the art in practicing the claimed invention, from a study of the drawings, the disclosure, and the appended claims. In the claims, the word "comprising" does not exclude other elements or steps, and the "a" or "an" does not exclude a plurality. A single processor or other unit may fulfill the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
The inventor finds that a better scheme is to insert a malicious traffic identification and monitoring module into the source code of the virtual machine and complete the identification and blocking of malicious traffic at the virtualized hardware level: this has higher execution efficiency, is transparent to the operating system and, more importantly, allows different traffic detection and monitoring mechanisms according to the security domain in which the virtual machine is located. QEMU (Quick Emulator) is open-source virtual machine software with high research and application value, and it is widely used in cloud computing. The receiving and transmitting of virtualized network data packets as implemented by QEMU has no traffic monitoring module and no packet security checking mechanism, so a certain potential security hazard exists in the network communication link. If the QEMU source code is modified and a customized traffic identification and monitoring module is inserted, the network security barrier of QEMU in the cloud environment can be reinforced and the overall security of the virtual network improved.
Fig. 2 is a flowchart of a malicious traffic identifying and monitoring method based on a virtual machine according to an embodiment of the present invention, as shown in fig. 2, the method includes the following steps:
S101, the virtual machine acquires, in real time, data packet information sent to the client in the network; wherein the virtual machine runs on the host machine and provides a virtualized hardware environment for the client machine.
In the embodiment of the invention, the client is an operating system running in the hardware environment virtualized by the virtual machine, the virtual machine is a QEMU virtual machine, and the QEMU virtual machine is configured in bridge network mode. QEMU has two main network modes. One is slirp mode, also known as NAT (Network Address Translation) mode, in which the virtual machine software must implement a network protocol stack of its own to translate client IP addresses to the host IP address; slirp mode has lower performance and is more complex to implement. The other is bridge mode, which requires that a tap device first be created on the host and that the IP address of the tap device and the IP address of the client be configured in the same network segment, so that the host and the client can ping each other. The tap device is a virtual network card device provided by Linux for communication between the Linux kernel and a user-space program. A tap device alone only enables communication between the host and the client; for the client to reach an external network, a bridge device (a virtual bridge provided by Linux) is created on the host, and both the host's physical network card and the tap device are added to the bridge, establishing the connection between host and client. The client communicates with the host kernel through the tap device, is connected via the bridge device to the host's physical network card, and from there communicates with the external network. The network topology of the bridge network mode after configuration is shown in FIG. 3, where the virtual network card device may be an e1000 virtual network card and the arrows indicate the flow direction of data packets; as shown in FIG. 3, a data packet sent by the virtual network bridge to the client is a data packet sent by the virtual network bridge to the virtual network card e1000.
S102, the virtual machine analyzes the data packet according to the data packet information, and when the data packet is the received first target data packet as a result of the analysis, the virtual machine obtains the arrival time of the first target data packet.
Here, the packet information includes: the protocol type of the data packet, the source IP address of the data packet. The virtual machine can determine whether the protocol type and the source IP address of the obtained data packet are the same as those of the data packet received in history, and when the protocol type and the source IP address are different and the protocol type is the target protocol, the obtained data packet is the first received target data packet, and the obtained data packet is used as an analysis result and the arrival time of the first target data packet is obtained.
Illustratively, the virtual machine may obtain the arrival time of the first target packet through a get_ms_time function in the Linux system.
Here, the target protocol may be any protocol, for example the Internet Control Message Protocol (ICMP); it is not limited here.
S103, taking the arrival time as the starting time of a preset time window, and starting to record the number of the acquired target data packets in the preset window time.
Here, the virtual machine may set the arrival time as the start time of the current preset time window, set a counter, and increment the count of the counter by 1 when receiving one of the target data packets until the current preset window time is over, and set the count value of the counter as the number of target data packets received in the current preset window time.
Here, the preset time window may be set arbitrarily according to actual needs, for example, may be 1 second, 2 seconds, or the like, which is not limited in the embodiment of the present invention.
S104, when the number of the recorded target data packets does not reach a preset threshold, the virtual machine updates the starting time of the preset window time to the current time and continues recording.
When the number of the target data packets received in the current preset window time does not reach the preset threshold, the current preset window time is not attacked maliciously, at this time, the ending time of the current preset window time is taken as the starting time of the next preset time window, the counter is reset, and the number of the target data packets in the next preset time window is continuously recorded through the counter.
Here, the preset threshold may be set arbitrarily according to actual needs, for example, may be 10, 15, etc., which is not limited in the embodiment of the present invention.
S105, when the number of the recorded target data packets reaches a preset threshold, the virtual machine discards the target data packets exceeding the preset threshold.
Here, when the number of target data packets received in the current preset window time reaches the preset threshold, it indicates that the target data packets are maliciously attacked in the current preset window time, and at this time, the target data packets received subsequently may be discarded.
In some embodiments, as shown in fig. 4, the method further comprises:
S106, when the number of recorded target data packets reaches the preset threshold value, the virtual machine generates alarm information; the alarm information comprises the source IP address of the target data packet, the protocol type of the target data packet, and the arrival time of the first target data packet.
Here, the alarm information may be some alarm text information, or may be an alarm log file stored at a preset location of the client or the host, which is not limited.
And S107, displaying the alarm information on a current display interface of the host.
In some embodiments, the alert information may also be displayed on the client's current display interface.
In the embodiment of the invention, the malicious flow identification and monitoring method based on the virtual machine can be realized by running a flow identification and monitoring software module, and the software module can be added into a virtual network card packet receiving and transmitting function in a source code of the virtual machine.
The above method is illustrated by a specific example.
Step 1: received data packet information (the data packet is in the form of an Ethernet frame) is obtained in the virtual network card packet receiving function e1000_receive_iov of the QEMU source code, and the source IP address of the data packet and its protocol type, for example ICMP, are obtained; the arrival time of the first ICMP data packet is recorded and taken as the starting time of a time window (1 second), the time being acquired with the get_ms_time function in the Linux system;
Step 2: a counter is set, and during that 1 second the count is increased by 1 each time an ICMP data packet from the source IP address of Step 1 is received, so as to monitor the number of ICMP data packets in real time;
Step 3: it is judged whether the number of ICMP data packets from the source IP address of Step 1 received within the 1 second exceeds 10; if so, an ICMP flooding attack is judged to have been received; if not, the counter is reset to 0 and, taking the current time as the starting time, the number of ICMP data packets received from the source IP address of Step 1 within 1 second continues to be recorded;
Step 4: if an ICMP flooding attack was judged in Step 3, the ICMP data packets exceeding the threshold value are discarded, so that malicious traffic is blocked from entering the client system, and alarm information is printed.
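The window-and-threshold logic of Steps 1 to 4, written as a stand-alone C module of the kind a virtual NIC receive path could call for each frame. This is an added illustration, not code from the patent or from QEMU; the flow table, the monitor_* names, the 34-byte frame and the timestamps of the scenario are constructed here, and it generalizes the single-source example above to one counter per (source IP, protocol).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINDOW_MS  1000u   /* preset time window from the worked example: 1 s */
#define THRESHOLD  10u     /* preset threshold from the worked example: 10 packets */
#define MAX_FLOWS  64
#define PROTO_ICMP 1       /* IP protocol number of ICMP */

/* Hypothetical per-(source IP, protocol) record; not a QEMU structure. */
typedef struct {
    bool     in_use;
    uint32_t src_ip;            /* IPv4 source, host byte order */
    uint8_t  proto;
    uint64_t first_ms;          /* arrival time of the first target packet */
    uint64_t window_start_ms;   /* start of the current preset window */
    uint32_t count;             /* target packets counted in this window */
} flow_t;

typedef struct {
    flow_t   flows[MAX_FLOWS];
    uint8_t  target_proto;
    unsigned dropped, alerts;   /* packets discarded, alarm records generated */
} monitor_t;

/* IPv4 source and protocol of an Ethernet frame; false for non-IPv4 or truncated frames. */
static bool parse_ipv4(const uint8_t *f, size_t len, uint32_t *src, uint8_t *proto)
{
    if (len < 14 + 20 || f[12] != 0x08 || f[13] != 0x00 || (f[14] >> 4) != 4)
        return false;
    *proto = f[14 + 9];                       /* IP header byte 9: protocol */
    *src = ((uint32_t)f[26] << 24) | ((uint32_t)f[27] << 16) | ((uint32_t)f[28] << 8) | f[29];
    return true;
}

/* Record for (source, protocol); the first target packet from a source creates it
   and its arrival time becomes the window start (S102, S103). */
static flow_t *flow_lookup(monitor_t *m, uint32_t src, uint8_t proto, uint64_t now_ms)
{
    for (int i = 0; i < MAX_FLOWS; i++) {
        flow_t *f = &m->flows[i];
        if (!f->in_use) {                     /* records are never freed: unused slot = new source */
            *f = (flow_t){ .in_use = true, .src_ip = src, .proto = proto,
                           .first_ms = now_ms, .window_start_ms = now_ms };
            return f;
        }
        if (f->src_ip == src && f->proto == proto)
            return f;
    }
    return NULL;                              /* table full: caller fails open */
}

/* Called for every frame the virtual NIC is about to hand to the guest; returns true
   when the frame must be discarded. now_ms stands in for the page's millisecond clock. */
bool monitor_should_drop(monitor_t *m, const uint8_t *frame, size_t len, uint64_t now_ms)
{
    uint32_t src; uint8_t proto;
    if (!parse_ipv4(frame, len, &src, &proto) || proto != m->target_proto)
        return false;                         /* not a target packet */
    flow_t *f = flow_lookup(m, src, proto, now_ms);
    if (f == NULL) return false;
    if (now_ms - f->window_start_ms >= WINDOW_MS) {   /* S104: window elapsed, */
        f->window_start_ms = now_ms;                  /* restart at current time */
        f->count = 0;                                 /* and reset the counter */
    }
    f->count++;
    if (f->count == THRESHOLD) {              /* S106: alarm once per window */
        m->alerts++;
        fprintf(stderr, "ALERT src=%u.%u.%u.%u proto=%u first_ms=%llu\n", src >> 24,
                (src >> 16) & 0xff, (src >> 8) & 0xff, src & 0xff, proto, (unsigned long long)f->first_ms);
    }
    if (f->count > THRESHOLD) {               /* S105: discard the excess */
        m->dropped++;
        return true;
    }
    return false;
}

/* Constructed scenario: 12 ICMP packets from 10.0.0.5 within one second, one TCP segment
   from the same source, then one ICMP packet after the window has ended (2 drops, 1 alert). */
static void run_scenario(monitor_t *m)
{
    /* Constructed frame: Ethernet header + minimal IPv4 header, no payload. */
    uint8_t frame[34] = { [12] = 0x08, [13] = 0x00, [14] = 0x45, [23] = PROTO_ICMP,
                          [26] = 10, [27] = 0, [28] = 0, [29] = 5 };
    memset(m, 0, sizeof *m); m->target_proto = PROTO_ICMP;
    for (uint64_t t = 0; t < 12; t++)
        monitor_should_drop(m, frame, sizeof frame, t);
    frame[23] = 6;                            /* TCP: not a target packet */
    monitor_should_drop(m, frame, sizeof frame, 12);
    frame[23] = PROTO_ICMP;
    monitor_should_drop(m, frame, sizeof frame, 1500);   /* window over: count restarts */
}

unsigned scenario_dropped(void)     { monitor_t m; run_scenario(&m); return m.dropped; }
unsigned scenario_alerts(void)      { monitor_t m; run_scenario(&m); return m.alerts; }
uint32_t scenario_final_count(void) { monitor_t m; run_scenario(&m); return m.flows[0].count; }
```

The counter is keyed per source address, so a window only ever measures one source at a time, and the table fails open once MAX_FLOWS distinct sources have been seen.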
By means of the above method, malicious traffic belonging to an ICMP flooding attack (in which an attacker makes a large number of meaningless ICMP data packets and sends them to a target host, so that the target host consumes its own software and hardware resources handling the ICMP flood messages and cannot provide normal service) is identified and blocked at the QEMU virtual machine level.
The invention has the following beneficial effects:
Transparent to the client system: the traffic identification and monitoring software module inserted in the QEMU virtual machine is transparent to the upper-layer client operating system; the client operating system need not concern itself with identifying and blocking malicious data packets, and can run on the safer virtual machine without any modification.
Simple to implement: the packet receiving function of the QEMU source code is modified directly, so the security policy of the virtual machine network can be further customized.
High execution efficiency: the functions of the virtualized network are extended without introducing new threads, so no extra performance cost is incurred.
Stronger security: since the above monitoring method works outside the operating system of the host machine, it is difficult for a malicious program running in the operating system of the host machine to detect or destroy it.
The foregoing is a further detailed description of the invention in connection with the preferred embodiments, and it is not intended that the invention be limited to the specific embodiments described. It will be apparent to those skilled in the art that several simple deductions or substitutions may be made without departing from the spirit of the invention, and these should be considered to be within the scope of the invention.

Claims (7)

1. A malicious traffic identification and monitoring method based on a virtual machine is characterized by comprising the following steps:
the virtual machine acquires data packet information sent to the client in the network in real time; the virtual machine runs on the host machine and provides a virtualized hardware environment for the client machine;
the virtual machine analyzes the data packet according to the data packet information, and obtains the arrival time of the first target data packet when the data packet is the received first target data packet as a result of the analysis;
taking the arrival time as the starting time of a preset time window, and starting to record the number of the target data packets acquired in the preset window time;
when the number of the recorded target data packets does not reach a preset threshold, the virtual machine updates the starting time of the preset window time to the current time and continues recording;
and when the recorded number of the target data packets reaches the preset threshold, discarding the target data packets exceeding the preset threshold by the virtual machine.
2. The virtual machine-based malicious traffic identification and monitoring method of claim 1, wherein the packet information comprises: protocol type of data packet, source IP address of data packet; the virtual machine analyzes the data packet according to the data packet information, and comprises the following steps:
the virtual machine determines whether the protocol type and the source IP address of the obtained data packet are the same as those of the data packet received in history, and when the protocol type and the source IP address are different, and the protocol type is a target protocol, the data packet is the first received target data packet and is used as the analysis result.
3. The virtual machine-based malicious traffic identification and monitoring method of claim 2, further comprising:
when the number of the recorded target data packets reaches the preset threshold value, the virtual machine generates alarm information; the alarm information comprises: the source IP address of the target data packet, the protocol type of the target data packet, and the arrival time of the first target data packet;
and displaying the alarm information on a current display interface of the host.
4. The method for identifying and monitoring malicious traffic based on a virtual machine according to claim 1, wherein the starting recording the number of the target data packets received in the preset window time includes:
setting a counter, and adding 1 to the count of the counter when one target data packet is acquired, until the preset window time is over, and taking the count value of the counter as the number of the target data packets received in the preset window time.
5. The method for identifying and monitoring malicious traffic based on a virtual machine according to claim 1, wherein the obtaining the arrival time of the first target packet comprises:
and acquiring the arrival time of the first target data packet through a get_ms_time function in the Linux system.
6. The virtual machine-based malicious traffic identification and monitoring method of claim 2, wherein the target protocol comprises ICMP protocol.
7. The virtual machine-based malicious traffic identification and monitoring method of claim 1, wherein the virtual machine is a QEMU virtual machine and the virtual machine is configured as a bridged network mode.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202310187487.8A | 2023-03-01 | 2023-03-01 | Malicious traffic identification and monitoring method based on virtual machine

Publications (1)

Publication Number | Publication Date
CN116208412A (en) | 2023-06-02

Family

ID=86509207

Country Status (1)

Country | Link
CN (1) | CN116208412A (en)


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination