Title: Securing KVM-based Cloud Systems via Virtualization Introspection
Chinese title: 使用虛擬化偵察以強化核心虛擬機器的雲端平台
Author: Lee, Sheng Wei (李聖瑋)
Advisor: Yu, Fang (郁方)
Keywords: Cloud Computing; Cybersecurity; Virtualization; Malicious behavior detection
Date: 2015
Upload time: 27-Jul-2015 11:23:26 (UTC+8)
Abstract: The Linux Kernel Virtual Machine (KVM) is one of the most commonly deployed hypervisors in the Infrastructure as a Service (IaaS) layer of cloud computing ecosystems. KVM provides a fully virtualized environment that virtualizes as much hardware as possible, including CPUs, network interfaces and chipsets, so that heterogeneous guest operating systems can be installed in Virtual Machines (VMs) on a homogeneous host environment. We propose a new Virtualization Introspection System (VIS) that protects the physical host, and the VMs running on the various hypervisors of a cloud computing infrastructure, from malicious attacks. VIS detects and intercepts attacks originating from VMs by collecting their static and dynamic status. We replay the attacks on VMs and apply unsupervised learning techniques to the collected data to derive effective decision rules. VIS can further be integrated with common cloud middleware such as OpenStack and OpenNebula.
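The pipeline the abstract sketches (collect each VM's status from the hypervisor, replay benign workloads and known attacks, cluster the observations with an unsupervised method, turn the clusters into decision rules, act on a new observation) can be shown end to end. The block below is an added example written for this record; it is not code from the thesis or from VIS itself. The four features, the choice of k, the distance margin, the majority-vote labelling of clusters and the response map are assumptions of the example, and the training rows are constructed rather than measured. In a real deployment the rows would be polled through libvirt [18] (for instance virDomain.info() and virDomain.interfaceStats()); the example does not call libvirt so that it runs offline. Clustering is plain k-means [13] with deterministic farthest-first seeding.

```python
"""Added example for this record, not code from the thesis or from VIS:
learn detection rules from VM status snapshots with k-means and apply them.

Assumptions of the example (not from the page): the four features, k=3,
the distance margin, majority-vote cluster labels, the response map, and
the sample rows, which are constructed, not measured.
"""
import math
from collections import Counter
from dataclasses import dataclass
from typing import Any, Dict, List, Sequence, Tuple

FEATURES = ("cpu_pct", "mem_pct", "net_rx_kbps", "net_tx_kbps")
Vector = List[float]
Sample = Dict[str, Any]

# Constructed training set. Live rows would be polled from the hypervisor
# (for example libvirt's virDomain.info() and virDomain.interfaceStats())
# while benign workloads and replayed attacks run inside the guest; the
# "source" tag records which of the two produced the row.
TRAINING: List[Sample] = [
    {"cpu_pct": 3, "mem_pct": 40, "net_rx_kbps": 50, "net_tx_kbps": 80, "source": "benign"},   # idle web server
    {"cpu_pct": 5, "mem_pct": 41, "net_rx_kbps": 60, "net_tx_kbps": 90, "source": "benign"},
    {"cpu_pct": 4, "mem_pct": 42, "net_rx_kbps": 55, "net_tx_kbps": 70, "source": "benign"},
    {"cpu_pct": 6, "mem_pct": 40, "net_rx_kbps": 70, "net_tx_kbps": 100, "source": "benign"},
    {"cpu_pct": 85, "mem_pct": 70, "net_rx_kbps": 10, "net_tx_kbps": 10, "source": "benign"},  # batch job
    {"cpu_pct": 90, "mem_pct": 72, "net_rx_kbps": 12, "net_tx_kbps": 8, "source": "benign"},
    {"cpu_pct": 88, "mem_pct": 69, "net_rx_kbps": 9, "net_tx_kbps": 12, "source": "benign"},
    {"cpu_pct": 92, "mem_pct": 71, "net_rx_kbps": 11, "net_tx_kbps": 9, "source": "benign"},
    {"cpu_pct": 60, "mem_pct": 45, "net_rx_kbps": 30, "net_tx_kbps": 4000, "source": "attack"},  # replayed exfiltration
    {"cpu_pct": 65, "mem_pct": 46, "net_rx_kbps": 35, "net_tx_kbps": 4500, "source": "attack"},
    {"cpu_pct": 58, "mem_pct": 44, "net_rx_kbps": 25, "net_tx_kbps": 3800, "source": "attack"},
    {"cpu_pct": 70, "mem_pct": 47, "net_rx_kbps": 40, "net_tx_kbps": 5000, "source": "attack"},
]

# Hypothetical response map: what the introspection agent does per verdict.
ACTIONS = {"benign": "allow", "attack": "suspend_and_snapshot", "unknown": "alert_and_isolate"}


@dataclass
class Rule:
    """One learned cluster: a snapshot within `radius` of `centroid` gets `verdict`."""
    label: int
    verdict: str
    centroid: Vector
    radius: float


def _dist(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def _mean(points: Sequence[Vector]) -> Vector:
    return [sum(col) / len(points) for col in zip(*points)]


def _scale_factors(samples: Sequence[Sample]) -> Dict[str, float]:
    # Per-feature maximum from the training set, so every axis is comparable.
    return {f: max(max(float(s[f]) for s in samples), 1e-9) for f in FEATURES}


def _vector(sample: Sample, scale: Dict[str, float]) -> Vector:
    return [float(sample[f]) / scale[f] for f in FEATURES]


def kmeans(points: Sequence[Vector], k: int, max_iter: int = 100) -> Tuple[List[Vector], List[int]]:
    """Lloyd's k-means with deterministic farthest-first seeding; returns centroids and assignments."""
    centroids = [list(points[0])]
    while len(centroids) < k:
        centroids.append(list(max(points, key=lambda p: min(_dist(p, c) for c in centroids))))
    assign = [0] * len(points)
    for _ in range(max_iter):
        assign = [min(range(k), key=lambda i, p=p: _dist(p, centroids[i])) for p in points]
        updated = []
        for i in range(k):
            members = [p for p, a in zip(points, assign) if a == i]
            updated.append(_mean(members) if members else centroids[i])
        if updated == centroids:
            break
        centroids = updated
    return centroids, assign


def derive_rules(samples: Sequence[Sample], k: int = 3, margin: float = 1.5,
                 min_radius: float = 0.05) -> Tuple[Dict[str, float], List[Rule]]:
    """Cluster the training rows; each cluster becomes a rule labelled by the majority source."""
    scale = _scale_factors(samples)
    points = [_vector(s, scale) for s in samples]
    centroids, assign = kmeans(points, k)
    rules: List[Rule] = []
    for i, c in enumerate(centroids):
        members = [(p, s["source"]) for p, s, a in zip(points, samples, assign) if a == i]
        spread = max((_dist(p, c) for p, _ in members), default=0.0)
        sources = Counter(src for _, src in members)
        verdict = sources.most_common(1)[0][0] if sources else "unknown"
        rules.append(Rule(i, verdict, c, max(spread * margin, min_radius)))
    return scale, rules


def classify(sample: Sample, scale: Dict[str, float], rules: Sequence[Rule]) -> Tuple[str, int, float]:
    """Return (verdict, nearest cluster label, distance); outside every radius means 'unknown'."""
    p = _vector(sample, scale)
    nearest = min(rules, key=lambda r: _dist(p, r.centroid))
    d = _dist(p, nearest.centroid)
    return (nearest.verdict if d <= nearest.radius else "unknown"), nearest.label, d


def decide(sample: Sample, scale: Dict[str, float], rules: Sequence[Rule]) -> str:
    """Map a classification to the hypothetical defensive action (a real agent would call libvirt here)."""
    verdict, _, _ = classify(sample, scale, rules)
    return ACTIONS[verdict]


if __name__ == "__main__":
    scale, rules = derive_rules(TRAINING)
    for r in rules:
        print(f"cluster {r.label}: {r.verdict}, centroid={[round(x, 2) for x in r.centroid]}, radius={r.radius:.3f}")
    probe = {"cpu_pct": 50, "mem_pct": 41, "net_rx_kbps": 58, "net_tx_kbps": 85}  # web host suddenly burning CPU
    print(classify(probe, scale, rules), decide(probe, scale, rules))
```

A rule here is a centroid, a radius and a verdict: a snapshot whose nearest centroid lies inside the radius inherits that cluster's verdict, and one that matches no cluster is reported as unknown rather than silently treated as benign, which is the case a defender most wants surfaced. Because only counters observable from the hypervisor are used, a guest that has been rooted cannot forge them the way in-guest kernel data structures can be forged against an introspection tool [2]; the remaining blind spot is an attack that stays inside a learned benign cluster's radius, which is the reason replayed attack samples belong in the training set alongside benign ones.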
References:
[1] Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R., Konwinski, A., ... & Zaharia, M. (2010). A view of cloud computing. Communications of the ACM, 53(4), 50-58.
[2] Bahram, S., Jiang, X., Wang, Z., Grace, M., Li, J., Srinivasan, D., ... & Xu, D. (2010, October). DKSM: Subverting virtual machine introspection for fun and profit. In 29th IEEE Symposium on Reliable Distributed Systems (SRDS 2010) (pp. 82-91). IEEE.
[3] Bartholomew, D. (2006). QEMU: a multihost, multitarget emulator. Linux Journal, 2006(145), 3.
[4] Bellard, F. (2005, April). QEMU, a fast and portable dynamic translator. In USENIX Annual Technical Conference, FREENIX Track (pp. 41-46).
[5] Biermann, A. W., & Feldman, J. A. (1972). On the synthesis of finite-state machines from samples of their behavior. IEEE Transactions on Computers, C-21(6), 592-597.
[6] Caron, E., Desprez, F., Loureiro, D., & Muresan, A. (2009, September). Cloud computing resource management through a grid middleware: A case study with DIET and Eucalyptus. In IEEE International Conference on Cloud Computing (CLOUD '09) (pp. 151-154). IEEE.
[7] Catteddu, D. (2010). Cloud computing: benefits, risks and recommendations for information security. In Web Application Security (pp. 17-17). Springer Berlin Heidelberg.
[8] Elhage, N. (2011). Virtunoid: A KVM guest-to-host privilege escalation exploit. Black Hat USA 2011.
[9] Ernst, M. D., Cockrell, J., Griswold, W. G., & Notkin, D. (2001). Dynamically discovering likely program invariants to support program evolution. IEEE Transactions on Software Engineering, 27(2), 99-123.
[10] Fox, A., Griffith, R., Joseph, A., Katz, R., Konwinski, A., Lee, G., ... & Stoica, I. (2009). Above the clouds: A Berkeley view of cloud computing. Technical Report UCB/EECS-2009-28, EECS Department, University of California, Berkeley.
[11] Garfinkel, T., & Rosenblum, M. (2003, February). A virtual machine introspection based architecture for intrusion detection. In NDSS (Vol. 3, pp. 191-206).
[12] GHSOM. Retrieved March 2012, from http://www.ifs.tuwien.ac.at/~andi/ghsom/
[13] Hartigan, J. A., & Wong, M. A. (1979). Algorithm AS 136: A k-means clustering algorithm. Applied Statistics, 28(1), 100-108.
[14] Hsiao, S. W., Chen, Y. N., Sun, Y. S., & Chen, M. C. (2013, October). A cooperative botnet profiling and detection in virtualized environment. In IEEE Conference on Communications and Network Security (CNS 2013) (pp. 154-162). IEEE.
[15] Kruegel, C., Kirda, E., & Bayer, U. (2006, April). TTAnalyze: A tool for analyzing malware. In Proceedings of the 15th European Institute for Computer Antivirus Research Annual Conference (EICAR).
[16] Lee, S. W., & Yu, F. (2014, January). Securing KVM-based cloud systems via virtualization introspection. In 47th Hawaii International Conference on System Sciences (HICSS 2014) (pp. 5028-5037). IEEE.
[17] Lee, S. W., & Tsai, D. B. (2006, December). A Guide to Having Fun with the Next Generation Linux, Ubuntu. Taipei, Taiwan: GrandTech Press. ISBN 9867199979.
[18] libvirt: The virtualization API. Retrieved March 2012, from http://libvirt.org
[19] Lo, D., & Khoo, S. C. (2008). Mining patterns and rules for software specification discovery. Proceedings of the VLDB Endowment, 1(2), 1609-1616.
[20] Lombardi, F., & Di Pietro, R. (2009, March). KvmSec: a security extension for Linux kernel virtual machines. In Proceedings of the 2009 ACM Symposium on Applied Computing (pp. 2029-2034). ACM.
[21] Lombardi, F., & Di Pietro, R. (2010). CUDACS: securing the cloud with CUDA-enabled secure virtualization. In Information and Communications Security (pp. 92-106). Springer Berlin Heidelberg.
[22] Lombardi, F., & Di Pietro, R. (2011). Secure virtualization for cloud computing. Journal of Network and Computer Applications, 34(4), 1113-1122.
[23] Metasploit. Retrieved March 2012, from http://www.metasploit/
[24] Milojičić, D., Llorente, I. M., & Montero, R. S. (2011). OpenNebula: A cloud management tool. IEEE Internet Computing, 15(2), 11-14.
[25] OpenECP. Retrieved March 2012, from http://www.openecp.org
[26] Payne, B. D., Carbone, M., Sharif, M., & Lee, W. (2008, May). Lares: An architecture for secure active monitoring using virtualization. In IEEE Symposium on Security and Privacy (SP 2008) (pp. 233-247). IEEE.
[27] Peter, M., Schild, H., Lackorzynski, A., & Warg, A. (2009, March). Virtual machines jailed: virtualization in systems with small trusted computing bases. In Proceedings of the 1st EuroSys Workshop on Virtualization Technology for Dependable Systems (pp. 18-23). ACM.
[28] Pfoh, J., Schneider, C., & Eckert, C. (2011). Nitro: Hardware-based system call tracing for virtual machines. In Advances in Information and Computer Security (pp. 96-112). Springer Berlin Heidelberg.
[29] Rieck, K., Holz, T., Willems, C., Düssel, P., & Laskov, P. (2008). Learning and classification of malware behavior. In Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 108-125). Springer Berlin Heidelberg.
[30] Santos, I., Brezo, F., Ugarte-Pedrero, X., & Bringas, P. G. (2013). Opcode sequences as representation of executables for data-mining-based unknown malware detection. Information Sciences, 231, 64-82.
[31] Sefraoui, O., Aissaoui, M., & Eleuldj, M. (2012). OpenStack: toward an open-source solution for cloud computing. International Journal of Computer Applications, 55(3), 38-42.
[32] Seshadri, A., Luk, M., Qu, N., & Perrig, A. (2007). SecVisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. ACM SIGOPS Operating Systems Review, 41(6), 335-350.
[33] Siebenlist, F. (2009, June). Challenges and opportunities for virtualized security in the clouds. In Proceedings of the 14th ACM Symposium on Access Control Models and Technologies (pp. 1-2). ACM.
[34] Somorovsky, J., Heiderich, M., Jensen, M., Schwenk, J., Gruschka, N., & Lo Iacono, L. (2011, October). All your clouds are belong to us: security analysis of cloud management interfaces. In Proceedings of the 3rd ACM Cloud Computing Security Workshop (pp. 3-14). ACM.
[35] Sung, A. H., Xu, J., Chavez, P., & Mukkamala, S. (2004, December). Static analyzer of vicious executables (SAVE). In 20th Annual Computer Security Applications Conference (ACSAC 2004) (pp. 326-334). IEEE.
[36] Wu, Y. S., Sun, P. K., Huang, C. C., Lu, S. J., Lai, S. F., & Chen, Y. Y. (2013, June). EagleEye: Towards mandatory security monitoring in virtualized datacenter environment. In 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2013) (pp. 1-12). IEEE.
[37] Zissis, D., & Lekkas, D. (2012). Addressing cloud computing security issues. Future Generation Computer Systems, 28(3), 583-592.
Description: Master's thesis, National Chengchi University, Graduate Institute of Management Information Systems, student number 100356010
Source: http://thesis.lib.nccu.edu.tw/record/#G1003560102
Type: thesis
Identifier: G1003560102
Handle: http://nccur.lib.nccu.edu.tw/handle/140.119/76870
Table of contents:
摘要 (Abstract, Chinese) I
ABSTRACT II
CHAPTER 1. INTRODUCTION 1
1.1 NEW ATTACK THREATS IN CLOUD COMPUTING PLATFORMS 2
1.2 TRADITIONAL ATTACKS 3
1.3 OBJECTIVE OF VIS 12
CHAPTER 2. RELATED WORK 13
2.1 CLOUDBURST ATTACK BY VIRTUNOID – ATTACKING THE HYPERVISOR 13
2.2 MALICIOUS BEHAVIOR DETECTION 13
2.3 VIRTUALIZATION INTROSPECTION 14
CHAPTER 3. VIS ARCHITECTURE 18
3.1 VIS ARCHITECTURE 18
3.2 VIS INTEGRATED WITH CLOUD HYPERVISORS 21
3.3 MONITORING VM STATUS 28
3.4 VIS DEFENSE OPERATION 29
CHAPTER 4. EVALUATION 34
4.1 THE EXPERIMENTAL TRADITIONAL ATTACK 34
4.2 EXECUTION AND RESULTS OF THE EXPERIMENT 39
4.3 DERIVING DEFENSE AND RECOVERY RULES BY USING CLUSTERING TECHNIQUES 45
4.4 DETECTION 57
4.5 DETECTING A CLOUDBURST ATTACK 64
4.6 THE EXPERIMENT OF A CLOUDBURST ATTACK 66
CHAPTER 5. CONCLUSION 68
5.1 CONCLUSION 68
5.2 LIMITATIONS 68
REFERENCES 69
Format: application/pdf, 4530748 bytes