Most existing virtual machine introspection (VMI) technologies analyze the state of a target virtual machine under the assumption that the operating system (OS) version and kernel structure information are known at the hypervisor level. In this paper, we propose a model of virtual machine (VM) security monitoring based on memory introspection. A hardware-based approach acquires the physical memory of the host machine in real time, so that the security of both the host machine and its VMs can be diagnosed. Furthermore, a novel approach to VM memory forensics based on the virtual machine control structure (VMCS) is put forward. By analyzing the memory of the host machine, the running VMs can be detected and their high-level semantic information reconstructed, so that malicious activity in the VMs can be identified in a timely manner. Moreover, by cross-analyzing the memory contents of the host machine and the VMs, VM escape can be detected. Compared with previous memory introspection technologies, our solution automatically reconstructs the comprehensive running state of a target VM without any prior knowledge, is resistant to attack and is highly reliable. We developed a prototype system called VEDefender. Experimental results indicate that our system handles VMs running mainstream Linux and Windows OS versions with high efficiency and does not affect the performance of the host machine or the VMs.
Software-defined networking (SDN) is a network architecture that separates the control plane of a network from its data plane. While it provides centralized control and software programmability, the network itself faces many security problems, with distinct security challenges at each layer, and SDN security has become an active research topic. This paper introduces deep learning into security threat detection for SDN and proposes a deep-learning-based threat detection framework. The framework covers model establishment, abnormal behavior recognition and decision algorithm design. A software system based on physical memory analysis is under development for SDN; it is used to verify the feasibility of the framework and to produce a work plan for SDN infrastructure.
ISCC2017
As the use of virtual machine environments increases, virtual machine forensics is becoming more important and more urgent. Current forensic solutions for virtualized environments mainly focus on static data analysis, which cannot provide a complete picture of events. In this paper, a novel method for KVM (Kernel-based Virtual Machine) memory forensics is proposed. By analyzing the memory image of a host machine, active virtual machines can be detected and a complete picture of each virtual machine's state can be obtained: running processes, loaded modules, network connections, registry, system logs, user accounts, services, hook analysis information and so on. The proposed method has proved effective on machines with current mainstream CPUs running Fedora versions 16-19, both 32-bit and 64-bit.
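Both the VEDefender abstract and the KVM forensics abstract above locate running VMs by scanning the host's physical memory rather than relying on guest-OS knowledge. The Python below is an added example, not code from either paper: it scans a constructed host-memory image for page-aligned regions that satisfy the VMCS invariants documented in the Intel SDM (revision identifier in bits 30:0 of the first dword, shadow-VMCS flag in bit 31, a zero VMX-abort indicator, an all-ones VMCS link pointer when VMCS shadowing is not in use, and a well-formed EPT pointer), then walks the recovered 4-level EPT to translate a guest-physical address into a host-physical one, which is the first step toward reconstructing guest semantics from a host image. The VMCS field offsets in `DEMO_LAYOUT`, the revision identifier `DEMO_REVISION`, and the memory image are constructed assumptions; real VMCS field offsets are microarchitecture-specific and must be determined per CPU, which is exactly the reconstruction problem the papers address.

```python
"""Scan a raw host-memory image for candidate VMCS regions and walk the EPT.

Added example; not code from the VEDefender or KVM-forensics papers.
VMCS field offsets are CPU-specific: the ones below are assumptions for the demo.
"""
import struct

PAGE = 0x1000
ADDR_MASK = ((1 << 52) - 1) & ~0xFFF   # bits 51:12 of an entry carry the physical address


def u32(image, off):
    return struct.unpack_from("<I", image, off)[0]


def u64(image, off):
    return struct.unpack_from("<Q", image, off)[0]


def eptp_plausible(eptp, image_len):
    """Structural checks on an EPT pointer, using the encoding from the Intel SDM."""
    if eptp & 0x7 not in (0, 6):          # bits 2:0 memory type: only UC (0) or WB (6) are legal
        return False
    if (eptp >> 3) & 0x7 not in (3, 4):   # bits 5:3 = page-walk length - 1: 4- or 5-level EPT
        return False
    if eptp & 0xF00:                      # bits 11:8 are reserved and must be zero
        return False
    pml4 = eptp & ADDR_MASK
    return pml4 != 0 and pml4 + PAGE <= image_len   # root table must lie inside the image


def find_vmcs_candidates(image, revision_id, layout):
    """Return page-aligned offsets that look like live, non-shadow VMCS regions.

    `layout` maps VMCS field names to byte offsets inside the 4 KiB region.
    Those offsets are CPU-specific; the demo values are assumptions, not real ones.
    """
    hits = []
    for off in range(0, len(image) - PAGE + 1, PAGE):
        dword0 = u32(image, off)
        if dword0 & 0x7FFFFFFF != revision_id:   # bits 30:0: VMCS revision identifier
            continue
        if dword0 >> 31:                         # bit 31 set: shadow VMCS, not a running guest
            continue
        if u32(image, off + 4) != 0:             # bytes 4-7: VMX-abort indicator, 0 on a healthy VMCS
            continue
        if u64(image, off + layout["link_ptr"]) != 0xFFFFFFFFFFFFFFFF:
            continue                             # link pointer must be all-ones without shadowing
        eptp = u64(image, off + layout["eptp"])
        if not eptp_plausible(eptp, len(image)):
            continue
        hits.append({"offset": off, "eptp": eptp, "ept_root": eptp & ADDR_MASK})
    return hits


def ept_translate(image, eptp, gpa):
    """Walk a 4-level EPT inside the host image: guest-physical -> host-physical.

    Returns None when a level is not present (read/write/execute bits all clear).
    Handles 1 GiB and 2 MiB large pages (bit 7 set at the PDPT or PD level).
    """
    table = eptp & ADDR_MASK
    for shift in (39, 30, 21, 12):
        entry = u64(image, table + ((gpa >> shift) & 0x1FF) * 8)
        if entry & 0x7 == 0:
            return None
        if shift in (30, 21) and entry & (1 << 7):
            page_mask = (1 << shift) - 1
            return (entry & ADDR_MASK & ~page_mask) | (gpa & page_mask)
        table = entry & ADDR_MASK
    return table | (gpa & 0xFFF)


# Hypothetical VMCS field offsets and revision id for the demo (real ones vary per CPU).
DEMO_LAYOUT = {"link_ptr": 0x100, "eptp": 0x108}
DEMO_REVISION = 0x12


def build_demo_image():
    """Constructed 64 KiB host-memory image: a genuine-looking VMCS at 0x2000, a shadow
    VMCS at 0x3000, a decoy with an illegal EPTP at 0x4000, and a 4-level EPT that maps
    guest-physical 0x1000 to host-physical 0x8000."""
    img = bytearray(0x10000)

    def put64(off, value):
        struct.pack_into("<Q", img, off, value)

    # EPT tables: PML4 at 0x5000 -> PDPT at 0x6000 -> PD at 0x7000 -> PT at 0x9000 (RWX = 0x7)
    put64(0x5000, 0x6000 | 0x7)
    put64(0x6000, 0x7000 | 0x7)
    put64(0x7000, 0x9000 | 0x7)
    put64(0x9000 + 1 * 8, 0x8000 | 0x7)      # PT index 1 covers gpa 0x1000-0x1FFF
    good_eptp = 0x5000 | 6 | (3 << 3)        # WB memory type, 4-level walk
    bad_eptp = 0x5000 | 2                    # memory type 2 is illegal; walk length 0 is too
    for base, shadow, eptp in ((0x2000, False, good_eptp),
                               (0x3000, True, good_eptp),
                               (0x4000, False, bad_eptp)):
        struct.pack_into("<II", img, base, DEMO_REVISION | (0x80000000 if shadow else 0), 0)
        put64(base + DEMO_LAYOUT["link_ptr"], 0xFFFFFFFFFFFFFFFF)
        put64(base + DEMO_LAYOUT["eptp"], eptp)
    return bytes(img)


if __name__ == "__main__":
    image = build_demo_image()
    for hit in find_vmcs_candidates(image, DEMO_REVISION, DEMO_LAYOUT):
        hpa = ept_translate(image, hit["eptp"], 0x1234)
        print(f"VMCS at {hit['offset']:#x}, EPT root {hit['ept_root']:#x}, gpa 0x1234 -> hpa {hpa:#x}")
```

On a real image the revision identifier comes from the low 31 bits of the IA32_VMX_BASIC MSR of the host CPU, and the layout has to be recovered first (for example by running a guest with known register values and locating them in a dump); the decoy page in the demo shows why the revision identifier alone is not enough and why the EPTP and link-pointer invariants are worth checking before trusting a hit.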