KR101519414B1 - System and method for analysising lifecycle of virtual machine - Google Patents
- Publication number: KR101519414B1
- Application number: KR1020140050507A
- Authority: KR (South Korea)
- Prior art keywords: event, information, life cycle, virtual machine, continuity
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Debugging And Monitoring (AREA)
Abstract
A virtual machine life cycle analysis system and method for preventing security incidents, such as by detecting malicious activity, in a cloud environment is disclosed. To this end, the present invention provides a system for tracking and analyzing a virtual machine life cycle in a cloud computing environment, the system comprising: a life cycle information collection unit for collecting lifecycle information related to the dynamic behavior of a virtual machine; an event continuity tracking unit for tracking event continuity from the collected life cycle information using an API based on XML-RPC; and an event continuity analyzer for determining whether the event information within the tracked event continuity is identical and calculating the event time.
Thus, by knowing through what process each event tracked from the life cycle information was executed, the present invention can detect malicious behavior in the cloud computing environment.
Description
The present invention relates to a virtual machine tracking system and method, and more particularly to a virtual machine life cycle analysis system and method for preventing security incidents, such as by detecting malicious activity, in a cloud environment.
Cloud computing is a way of borrowing computing resources in the amount needed and paying only for that use, while virtualization technology gives each user resources that behave as if they were physically independent.
In recent years, however, security incidents in this cloud computing environment have been increasing. Amazon EC2 has seen a loss of personal information in an incident involving Apple's 'Find My Mac' feature, and an outage caused by a natural disaster (a storm) that took down services such as Instagram, Netflix and Pinterest.
There have also been cases showing threats specific to the cloud environment: the exposure of sensitive information stored in Amazon Simple Storage Service (Amazon S3), and threats arising from features that particular cloud service providers (CSPs) offer to their users.
The first is a case in which important information can be exposed through a configuration error by the cloud user. Amazon S3 stores data in logical groups called 'buckets', and when a user sets a bucket to public it becomes accessible from a predictable URL. In one survey of 12,328 buckets, 1,951 were accessible and 10,377 were set to private. Most users keep their buckets private, but about 15% had set them to public, exposing sensitive data and company confidential information. The exposed information included personal photos, car sales information, customer information, employees' personal information, databases, video game source code, and PHP source containing IDs and passwords; about 126 billion files were listable across the 1,951 public buckets.
The second case involves the snapshot function, with which the CSP stores a virtual machine image it manages and uses that image to create a new virtual machine. Because the snapshot function is easy to use from the web interface and the image creation option can be set so that other users may open the image, an image can be leaked to others contrary to the user's intention.
To address this problem, earlier work traced the virtual machine life cycle by analyzing the log file xensource.log produced by Citrix XenServer, an open source cloud platform.
Tracing the life cycle through log analysis has the advantage that it consumes no extra resources for additional file creation, since it uses the logs XenServer already writes. However, the creation and deletion of virtual machines cannot be analyzed this way, and the format of xensource.log can change between versions, so the method has a strong version dependency.
SUMMARY OF THE INVENTION The present invention has been made to solve the above-mentioned problems, and its object is to provide a virtual machine life cycle analysis system and method capable of detecting malicious behavior by tracking and analyzing the virtual machine life cycle using an API based on XML-RPC in a cloud computing environment.
The features of the present invention for achieving these objects, and for performing the characteristic functions described below, are as follows.
According to an aspect of the present invention, there is provided a system for tracking and analyzing a virtual machine life cycle in a cloud computing environment, the system comprising: a life cycle information collection unit for collecting lifecycle information related to the dynamic behavior of a virtual machine; an event continuity tracking unit for tracking event continuity from the collected life cycle information using an API based on XML-RPC; and an event continuity analyzer for determining whether the event information within the tracked event continuity is identical and calculating the event time.
Here, the virtual machine life cycle analysis system according to one aspect of the present invention may further include a life cycle analysis information storage unit for storing life cycle analysis information acquired from the event continuity analysis unit.
In addition, the life cycle information collection unit according to an aspect of the present invention may collect lifecycle information on the dynamic activity including generation, copying, movement, and deletion.
In addition, the event continuity analyzer according to an aspect of the present invention may determine whether event information including a class, an operation, an identifier number (uuid), and a name label is identical, and calculate the event time.
According to another aspect of the present invention, there is provided a method for tracking and analyzing a virtual machine life cycle in a cloud computing environment, comprising the steps of: (a) collecting, in a life cycle information collecting unit, lifecycle information related to the dynamic behavior of a virtual machine; (b) tracking, in an event continuity tracking unit, event continuity from the collected life cycle information using an API based on XML-RPC; and (c) determining, in an event continuity analyzer, whether the event information within the tracked event continuity is identical.
Here, the step (a) according to another aspect of the present invention may collect lifecycle information on the dynamic behavior including generation, copying, movement, and deletion in the lifecycle information collection unit.
According to another aspect of the present invention, in step (c) it is determined whether event information including the class, operation, uuid, and name label is identical.
According to another aspect of the present invention, the step (c) may further include the step of calculating an event time in the event continuity analyzer based on the determination of the identity of the event.
According to another aspect of the present invention, the virtual machine life cycle analysis method further includes the step of (d) storing the life cycle analysis information acquired in step (c) in a life cycle analysis information storage unit.
As described above, life cycle tracking based on existing log analysis cannot detect certain events and depends heavily on changes to the log format. According to the present invention, however, real-time tracking and analysis through the XML-RPC based API makes it possible to know through what process each event was executed, and thus to detect malicious behavior in the cloud computing environment.
In particular, the present invention can determine whether the event information confirmed through the virtual machine life cycle event continuity is identical, and how an event's process was executed through the event time calculation, so that malicious behavior in a cloud computing environment can be detected more easily.
FIG. 1 and FIG. 2 illustrate a virtual machine life
FIG. 3 is a diagram illustrating a virtual machine life cycle analysis method (S100) according to a second embodiment of the present invention.
Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings, so that those skilled in the art can easily carry out the present invention. In the drawings, like reference numerals refer to the same or similar functions throughout the several views.
First Embodiment
FIG. 1 and FIG. 2 illustrate a virtual machine life
As shown in the figure, the virtual machine life
First, life cycle
At this time, the collected lifecycle information of the virtual machines means information related to dynamic actions including creation, copying, movement and deletion; in other words, the lifecycle information of a virtual machine is the series of processes from its creation to its deletion. The form of the collected life cycle information can be expressed as shown in Table 1 below.
[Table 1: Lifecycle (VM Rollback) repetition; the recoverable rows are repeated 'VM Rollback' entries]
Table 1 shows a history of virtual machine life cycle information generated as a result of commands issued to the virtual machine by the administrator, following the security threat scenario: a virtual machine image is first created using the function provided by the CSP. If that image is leaked unintentionally, an attacker restores the published image and then repeats a rollback command together with a brute-force attack. Because the virtual machine is rolled back before the data deletion function, which activates after a certain number of failed attempts, can trigger, the continued attack ends in password cracking.
Thus, when the history of the virtual machine life cycle is known, VM Rollback records that are generated repeatedly within a predetermined reference time can be judged abnormal in comparison with a normal virtual machine, and this can be used to detect the attack.
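The detection rule just described, as an added example that is not part of the patent: a per-VM sliding-window count of VM Rollback records over a history constructed here in the shape of Table 1. The uuids, the times, the 10-minute window and the three-rollback threshold are assumptions made for this example, not values from the patent.

```python
"""Repeated VM Rollback detection over Table 1-style lifecycle history (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# Constructed history (made-up uuids and times) in the shape of Table 1:
# (timestamp, vm uuid, lifecycle action) as a collector would record it.
HISTORY: List[Tuple[str, str, str]] = [
    ("2014-04-28T10:00:00", "9f3e-vm", "VM Create"),
    ("2014-04-28T10:01:00", "9f3e-vm", "VM Start"),
    # the threat scenario: a restored leaked image is rolled back between
    # password guesses so the wipe-after-N-failures function never fires
    ("2014-04-28T10:05:00", "9f3e-vm", "VM Rollback"),
    ("2014-04-28T10:06:30", "9f3e-vm", "VM Rollback"),
    ("2014-04-28T10:07:45", "9f3e-vm", "VM Rollback"),
    ("2014-04-28T10:09:10", "9f3e-vm", "VM Rollback"),
    # a second VM rolled back twice, hours apart: ordinary administration
    ("2014-04-28T10:05:00", "7b2a-vm", "VM Rollback"),
    ("2014-04-28T12:00:00", "7b2a-vm", "VM Rollback"),
    ("2014-04-28T12:30:00", "9f3e-vm", "VM Destroy"),
]


def find_rollback_storms(history, window_seconds: int = 600,
                         threshold: int = 3) -> List[Tuple[str, str, int]]:
    """Return one alert (vm uuid, ISO start of the window, rollback count) per VM
    whose VM Rollback records reach `threshold` inside any span of
    `window_seconds`. Records are walked in time order with a per-VM sliding
    window, so the same function can be fed a live stream instead of a list.
    The window and threshold are assumed reference values, not the patent's."""
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Set[str] = set()
    alerts: List[Tuple[str, str, int]] = []
    rows = sorted((datetime.fromisoformat(ts), vm, action) for ts, vm, action in history)
    for ts, vm, action in rows:
        if action != "VM Rollback":
            continue
        q = recent[vm]
        q.append(ts)
        while ts - q[0] > window:          # drop rollbacks older than the window
            q.popleft()
        if len(q) >= threshold and vm not in flagged:
            flagged.add(vm)
            alerts.append((vm, q[0].isoformat(), len(q)))
    return alerts


if __name__ == "__main__":
    for vm, start, count in find_rollback_storms(HISTORY):
        print(vm, "rolled back", count, "times in one window starting", start)
```

Only the VM that is rolled back four times in five minutes is flagged; the VM rolled back twice two hours apart is not, because its first rollback has already left the window when the second arrives.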
Next, the event
XAPI refers to an API based on XML-RPC that provides access, over HTTPS on port 443, to the cloud platform XenServer 101 of Citrix, which was developed using the open source Xen Project. A remote system can thereby manage the host as if it were connected to a local host. The SDK provided by Citrix supports five languages: C, C#, Java, PowerShell, and Python.
In addition, XAPI is a toolstack for configuring and managing the Xen hypervisor 102 and is the default toolstack of the Xen Cloud Platform (XCP) and XenServer 101. Beyond the advantages of the toolstack itself, XAPI is also compatible with higher-level cloud environment management tools such as OpenStack and CloudStack. Therefore, if XAPI is used to track the life cycle, ) can be obtained.
As shown in Table 2, when event information having event continuity is acquired, it can be divided into a process that is commonly applied and events that differ by event type.
For example, a task registered through its uuid can be distinguished from tasks that have completed all their steps and been removed from the task queue. When an event is generated using XenCenter or the console, the GUI management tools, the virtual machine information that follows the 'task add' information is the subject of the event command. If events occur simultaneously, the intermediate steps of the task procedures can interleave, but because the uuid values of the task and the VM are unique, the start and end of each task and the subject of the event can still be identified.
Next, the
Whether the event information is identical, and the event time, can be confirmed through Table 3 below.
That is, Table 3 shows the continuity status between event information including a class, an operation, an identifier number (uuid), and a name label. For example, when a command is issued to the virtual machine named 'VM_Name', it is classified according to the continuity rule identified in Table 2, and the subject is identified as 'VM_Name' through the name label of the vm class. In this embodiment, it can be confirmed that the task is added and deleted with the same uuid and name, and the event operation time can be calculated by checking the Timestamp.
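The XML-RPC transport of XAPI described above, the Table 2 continuity rule and the Table 3 identity and event time check, as one added example in Python (one of the XenServer SDK languages) that is not code from the patent. The event batch is constructed here with xmlrpc.client.dumps in the field layout XAPI uses for event records (class, operation, ref, timestamp, snapshot carrying uuid and name_label); the uuids, refs, timestamps and task names are made up, and the grouping rule (the vm event following a 'task add' is that task's subject) is the description's rule, not a correlation field of XAPI itself.

```python
"""Event continuity over an XAPI-style XML-RPC event batch (added example)."""
import xmlrpc.client
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


def _event(cls, op, ref, uuid, name_label, ts):
    """One event record in the layout XAPI uses: class, operation, ref,
    timestamp and a snapshot of the object carrying uuid and name_label."""
    return {"class": cls, "operation": op, "ref": ref, "timestamp": ts,
            "snapshot": {"uuid": uuid, "name_label": name_label}}


# Constructed batch (made-up uuids, refs and times): the VM 'VM_Name' is
# created, then started and destroyed from XenCenter. Start and destroy
# each arrive as task add -> vm event -> task del; the creation arrives as
# a bare vm add, the case the description notes does not follow Table 2.
SAMPLE_EVENTS = [
    _event("vm",   "add", "OpaqueRef:v1", "9f3e-vm",   "VM_Name",    "20140428T10:14:00Z"),
    _event("task", "add", "OpaqueRef:t1", "a1c0-task", "VM.start",   "20140428T10:15:30Z"),
    _event("vm",   "mod", "OpaqueRef:v1", "9f3e-vm",   "VM_Name",    "20140428T10:15:31Z"),
    _event("task", "del", "OpaqueRef:t1", "a1c0-task", "VM.start",   "20140428T10:15:33Z"),
    _event("task", "add", "OpaqueRef:t2", "b2d1-task", "VM.destroy", "20140428T10:16:00Z"),
    _event("vm",   "del", "OpaqueRef:v1", "9f3e-vm",   "VM_Name",    "20140428T10:16:02Z"),
    _event("task", "del", "OpaqueRef:t2", "b2d1-task", "VM.destroy", "20140428T10:16:05Z"),
]

# XAPI wraps every result as {"Status": ..., "Value": ...}; dumps() renders the
# XML-RPC methodResponse body a client would read off the HTTPS (443) channel.
SAMPLE_RESPONSE = xmlrpc.client.dumps(
    ({"Status": "Success", "Value": {"events": SAMPLE_EVENTS, "token": "0"}},),
    methodresponse=True)


def parse_event_response(xml_body: str) -> List[dict]:
    """Decode the XML-RPC response and return the event records, refusing
    a non-Success status instead of silently analyzing an empty batch."""
    (result,), _ = xmlrpc.client.loads(xml_body)
    if result.get("Status") != "Success":
        raise RuntimeError("XAPI error: %s" % result.get("ErrorDescription"))
    return result["Value"]["events"]


def _ts(ev: dict) -> datetime:
    return datetime.strptime(ev["timestamp"], "%Y%m%dT%H:%M:%SZ")


@dataclass
class Session:
    """One tracked continuity: task add, the vm event it acted on, task del."""
    add: Optional[dict] = None
    delete: Optional[dict] = None
    subject: Optional[dict] = None


def track_continuity(events: List[dict]) -> List[Session]:
    """Apply the Table 2 rule: 'task add' opens a session, the vm event that
    follows is the subject of the command, and 'task del' with the same task
    uuid closes it. Task and vm uuids are unique, so start and end remain
    unambiguous even when steps of concurrent tasks interleave. A vm event
    with no open task (VM creation) becomes a session of its own."""
    sessions: List[Session] = []
    by_task: dict = {}                 # task uuid -> Session
    awaiting_subject: List[str] = []   # task uuids whose subject has not appeared
    for ev in sorted(events, key=_ts):
        cls, op, uuid = ev["class"], ev["operation"], ev["snapshot"]["uuid"]
        if cls == "task" and op == "add":
            by_task[uuid] = Session(add=ev)
            sessions.append(by_task[uuid])
            awaiting_subject.append(uuid)
        elif cls == "task" and op == "del" and uuid in by_task:
            by_task[uuid].delete = ev
            if uuid in awaiting_subject:   # task ended without touching a vm
                awaiting_subject.remove(uuid)
        elif cls == "vm" and awaiting_subject:
            by_task[awaiting_subject.pop(0)].subject = ev
        elif cls == "vm":
            sessions.append(Session(subject=ev))
    return sessions


def analyze(sessions: List[Session]) -> List[dict]:
    """Table 3 check: the task add and task del records must agree on class,
    uuid and name label; only then is the event time (del minus add
    timestamp, in seconds) computed. Bare vm sessions carry no task."""
    report = []
    for s in sessions:
        row = {"task_uuid": None, "task_name": None, "identical": None,
               "event_time": None, "subject": None, "subject_op": None}
        if s.subject:
            row["subject"] = s.subject["snapshot"]["name_label"]
            row["subject_op"] = s.subject["operation"]
        if s.add:
            a, d = s.add["snapshot"], s.delete
            row["task_uuid"], row["task_name"] = a["uuid"], a["name_label"]
            row["identical"] = bool(d and d["class"] == s.add["class"]
                                    and d["snapshot"]["uuid"] == a["uuid"]
                                    and d["snapshot"]["name_label"] == a["name_label"])
            if row["identical"]:
                row["event_time"] = (_ts(d) - _ts(s.add)).total_seconds()
        report.append(row)
    return report


if __name__ == "__main__":
    for row in analyze(track_continuity(parse_event_response(SAMPLE_RESPONSE))):
        print(row)
```

The creation event produces a session with no task, exactly the case the description says falls outside Table 2 yet still carries the vm class 'add' operation; the start and destroy commands each yield a session whose task add and task del agree on uuid and name label, from which the event time follows directly from the two timestamps.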
Analyzing the event information generated through XAPI confirmed that event information which the existing log analysis method could not analyze can additionally be analyzed.
The virtual machine creation event, which was the problem for the log analysis method, does not follow the rule of Table 2, but it poses no problem for analysis because the add operation information of the vm class is transmitted.
In addition, since the virtual machine deletion event conforms to the rules of Table 2, the virtual machine life cycle can be traced from creation to deletion. The problem of the conventional log analysis method is thus solved by life cycle analysis using XAPI. Because identifying the start and end of an event's process and the subject of the event is simple, the analysis period is shortened and event information can be analyzed in real time.
Lastly, the life cycle analysis
Second Embodiment
FIG. 3 is a diagram illustrating a virtual machine life cycle analysis method (S100) according to a second embodiment of the present invention.
As shown in FIG. 3, the virtual machine life cycle analysis method (S100) according to the second embodiment of the present invention includes steps S110 to S140 for tracking and analyzing the virtual machine life cycle in a cloud computing environment.
First, in step S110 according to the present invention, the lifecycle information collection unit (110) collects lifecycle information from a virtual machine that is in a state such as Created, Running, Down, or Destroyed as a result of commands such as Start, Stop and Reboot.
At this time, the collected lifecycle information of the virtual machines means information related to dynamic actions including creation, copying, movement and deletion; in other words, the lifecycle information of a virtual machine is the series of processes from its creation to its deletion. The form of the collected life cycle information can be represented as shown in Table 1 described above.
Table 1 shows a history of virtual machine life cycle information generated as a result of commands issued to the virtual machine by the administrator, following the security threat scenario: a virtual machine image is first created using the function provided by the CSP. If that image is leaked unintentionally, an attacker restores the published image and then repeats a rollback command together with a brute-force attack. Because the virtual machine is rolled back before the data deletion function, which activates after a certain number of failed attempts, can trigger, the continued attack ends in password cracking.
Thus, when the history of the virtual machine life cycle is known, VM Rollback records that are generated repeatedly within a predetermined reference time can be judged abnormal in comparison with a normal virtual machine, and this can be used to detect the attack.
Thereafter, in step S120 according to the present invention, the event continuity is traced from the life cycle information collected using the XML-RPC based API to the event
The XAPI refers to an API based on XML-RPC that provides a function to access the open source
In addition, the XAPI is a type of toolstack for configuring and managing the
As shown in Table 2, when event information having event continuity is acquired, it can be divided into a process that is commonly applied and events that differ by event type.
For example, a task registered through its uuid can be distinguished from tasks that have completed all their steps and been removed from the task queue. When an event is generated using XenCenter or the console, the GUI management tools, the virtual machine information that follows the 'task add' information is the subject of the event command. If events occur simultaneously, the intermediate steps of the task procedures can interleave, but because the uuid values of the task and the VM are unique, the start and end of each task and the subject of the event can still be identified.
Thereafter, in step S130 according to the present invention, the
Whether these items of event information are identical can be confirmed through Table 3 above. That is, Table 3 shows the continuity status between event information including a class, an operation, an identifier number (uuid), and a name label. For example, when a command is issued to the virtual machine named 'VM_Name', it is classified according to the continuity rule identified in Table 2. Accordingly, in this embodiment, it can be confirmed that the task is added and deleted with the same uuid and name.
In the step S130 according to the present invention, the
Analyzing the event information generated through XAPI confirmed that event information which the existing log analysis method could not analyze can additionally be analyzed.
The virtual machine creation event, which was the problem for the log analysis method, does not follow the rule of Table 2, but it poses no problem for analysis because the add operation information of the vm class is transmitted.
Also, since the virtual machine deletion event conforms to the rules of Table 2, the virtual machine life cycle can be traced from creation to deletion. The problem of the conventional log analysis method is thus solved by life cycle analysis using XAPI. Because identifying the start and end of an event's process and the subject of the event is simple, the analysis period is shortened and event information can be analyzed in real time.
Finally, in step S140 according to the present invention, lifecycle analysis information stored in the life cycle analysis
While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the exemplary embodiments or constructions; those skilled in the art will understand that various modifications can be made. The embodiments described above are therefore to be considered in all respects as illustrative and not restrictive.
100: Virtual machine life cycle analysis system
101: Cloud platform XenServer
102: Hypervisor Xen
110: Lifecycle information collection unit
120: Event continuity tracking unit
130: Event continuity analysis unit
140: Life cycle analysis information storage unit
Claims (9)
1. A virtual machine life cycle analysis system comprising:
a life cycle information collection unit for collecting lifecycle information related to the dynamic behavior of a virtual machine;
an event continuity tracking unit for tracking event continuity from the collected life cycle information using an API based on XML-RPC; and
an event continuity analyzer for determining whether the event information within the tracked event continuity is identical and calculating the event time.
2. The system of claim 1, further comprising a life cycle analysis information storage unit for storing life cycle analysis information acquired from the event continuity analyzer.
3. The system of claim 1, wherein the life cycle information collection unit collects life cycle information on the dynamic behavior including creation, copying, movement, and deletion.
4. The system of claim 1, wherein the event continuity analyzer determines whether event information including a class, an operation, an identifier number (uuid), and a name label is identical.
5. A virtual machine life cycle analysis method comprising:
(a) collecting, in a lifecycle information collection unit, lifecycle information related to the dynamic behavior of a virtual machine;
(b) tracking, in an event continuity tracking unit, event continuity from the collected life cycle information using an API based on XML-RPC; and
(c) determining, in an event continuity analysis unit, whether the event information within the tracked event continuity is identical.
6. The method of claim 5, wherein in step (a) lifecycle information on the dynamic behavior including creation, copying, movement, and deletion is collected in the lifecycle information collection unit.
7. The method of claim 5, wherein step (c) determines whether event information including a class, an operation, an identifier number (uuid), and a name label is identical.
8. The method of claim 5, wherein step (c) further comprises calculating an event time on the basis of the determination when the event information is determined to be identical.
9. The method of claim 5, further comprising (d) storing the lifecycle analysis information obtained in step (c) in a life cycle analysis information storage unit.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020140050507A | 2014-04-28 | 2014-04-28 | System and method for analysising lifecycle of virtual machine |
Publications (1)
Publication Number | Publication Date |
---|---|
KR101519414B1 | 2015-05-12 |
Family ID: 53394447
Country Status: KR, KR101519414B1
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20020022085A * | 1999-07-13 | 2002-03-23 | Sun Microsystems, Inc. | Methods and apparatus for managing an application according to an application lifecycle |
JP2005269439A * | 2004-03-19 | 2005-09-29 | Ricoh Co Ltd | Image forming apparatus, information processing method, information processing program, and recording medium |
KR101059199B1 * | 2011-01-13 | 2011-08-25 | IGLOO Security Co., Ltd. | A cloud computing enterprise security management system and a method thereof |
KR101343617B1 * | 2011-12-28 | 2013-12-20 | Daejeon University Industry-Academic Cooperation Foundation | Management Method of Service Level Agreement for Guarantee of Quality of Service in Cloud Environment |
Application events: 2014-04-28, KR application KR1020140050507A filed; patent KR101519414B1 active (IP right granted).
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| E701 | Decision to grant or registration of patent right | |
| GRNT | Written decision to grant | |
2018-05-09 | FPAY | Annual fee payment | Year of fee payment: 4 |
2019-05-02 | FPAY | Annual fee payment | Year of fee payment: 5 |