Loading...
|
Please use this identifier to cite or link to this item:
https://nccur.lib.nccu.edu.tw/handle/140.119/77178
|
| Title: | 用虛擬機內省技術強化OpenStack雲端安全機制
Enhancing OpenStack Cloud Security with Virtual Machine Introspection |
| Authors: | 李彥亨
Lee, Yen Heng |
| Contributors: | 蔡瑞煌
郁方
Tsaih, Rua Huan
Yu, Fang
李彥亨
Lee, Yen Heng |
| Keywords: | 虛擬機內省
雲端安全
惡意程式行為
VMI
Cloud Security
Malware behavior |
| Date: | 2015 |
| Issue Date: | 2015-08-03 13:21:02 (UTC+8) |
| Abstract: | 如今,我們能夠受益於各式各樣的雲端服務(如Google及Amazon)全歸功於虛擬化技術的成熟。隨著雲端服務使用量的劇增,雲端安全的議題也不容忽視。傳統上使用網路型及主機型的入侵防衛系統來作雲端安全防護,但隨著虛擬化技術的發展,虛擬機內省機制為基底的防禦機制有著絕對於傳統入侵防衛系統優越的獨立性及可見度並逐漸成為主流的防禦機制。
我們研究提倡的雲端防禦系統框架(VISO)便是以虛擬機內省機制為基底以及透過行為模式辨識的方式作惡意行為偵測且富有可擴增性,並強調所有的解決方案皆為開源的,也是為何我們以OpenStack作為我們的雲端環境防護系統的實驗環境。
關於我們的實驗研究方法,我們採用監督式與非監督式的神經網路來作惡意程式行為分析。而所有惡意程式皆從官方OWL網站取得,並以防毒軟體作標籤的動作。目的是想要確認是否能夠透過同種類且已知的惡意程式行為模式去辨識出未知的同種類惡意程式行為。
Today, we attributes it to virtualization technology that the application of cloud computing is so well-developed that the world-wide famous company can make use of this technique to reap the profits, just likes Google and Amazon etc. While cloud service bringing kinds of benefit to system vendors and cloud tenants, cloud security is exposed to many threats. Traditionally, two main kinds of intrusion detection system (IDS) are host-based IDS (HIDS) and network-based IDS (NIDS). With virtualization technology development, virtual machine monitor (VMM) based IDS is superior to HIDS and NIDS both on isolation and visibility properties as far as cloud security concerned.
We address a cloud security protection framework, called Virtualization Introspection System for OpenStack (VISO), to strengthen OpenStack security defensive mechanism. VISO has some following characteristics. (1) VMI based monitoring mechanism (2) behavior-based analysis (3) elastic to expand system functionality and easy to operate (4) all apparatuses in VISO are free on Internet that is why we also choose the most famous private cloud solution, OpenStack, to deploying cloud environment.
About our experiment method, we using supervised and unsupervised artificial technology algorithm to analyze behaviors monitored in a sandbox environment. All malwares are downloaded from OWL Taiwan official malware knowledge base and labeled by anti-virus scanner. The purpose is to see how effective the features of behaviors collected by VISO can recognize the same family malwares. Detecting unknown malware variants previously not recognized by commercial anti-virus software by training the same family known malware samples. |
| Reference: | [1] Albayrak, S., Scheel, C., Milosevic, D., & Muller, A. (2005, November). Combining self-organizing map algorithms for robust and scalable intrusion detection. In Computational Intelligence for Modelling, Control and Automation, 2005 and International Conference on Intelligent Agents, Web Technologies and Internet Commerce, International Conference on (Vol. 2, pp. 123-130). IEEE.
[2] Bayer, U., Comparetti, P. M., Hlauschek, C., Kruegel, C., & Kirda, E. (2009, February). Scalable, Behavior-Based Malware Clustering. In NDSS (Vol. 9, pp. 8-11).
[3] Bayer, U., Moser, A., Kruegel, C., & Kirda, E. (2006). Dynamic analysis of malicious code. Journal in Computer Virology, 2(1), 67-77.
[4] Chen, S., & Zhang, Y. Malware Process Detecting Via Hypervisor.
[5] Dinaburg, A., Royal, P., Sharif, M., & Lee, W. (2008, October). Ether: malware analysis via hardware virtualization extensions. In Proceedings of the 15th ACM conference on Computer and communications security (pp. 51-62). ACM.
[6] Dolan-Gavitt, B., Leek, T., Zhivich, M., Giffin, J., & Lee, W. (2011, May). Virtuoso: Narrowing the semantic gap in virtual machine introspection. In Security and Privacy (SP), 2011 IEEE Symposium on (pp. 297-312). IEEE.
[7] Dynamic-link library (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Dynamic-link library
[8] Egele, M., Scholte, T., Kirda, E., & Kruegel, C. (2012). A survey on automated dynamic malware-analysis techniques and tools. ACM Computing Surveys (CSUR), 44(2), 6.
[9] European Union Agency for Network and Information Security (n.d.). Cloud Computing Security Risk Assessment Retrieved March 24, 2015, from http://www.enisa.europa.eu/activities/riskmanagement/files/deliverables/cloud-computing-risk-assessment
[10] Feyereisl, J., & Aickelin, U. (2009). Self-Organising Maps in Computer Security. Computer Security: Intrusion, Detection and Prevention, Ed. Ronald D. Hopkins, Wesley P. Tokere, 1-30.
[11] Fu, Y., & Lin, Z. (2012, May). Space traveling across vm: Automatically bridging the semantic gap in virtual machine introspection via online kernel data redirection. In Security and Privacy (SP), 2012 IEEE Symposium on (pp. 586-600). IEEE.
[12] Garfinkel, T., & Rosenblum, M. (2003, February). A Virtual Machine Introspection Based Architecture for Intrusion Detection. In NDSS (Vol. 3, pp. 191-206).
[13] Growing self-organizing map (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Growing_self-organizing_map
[14] Hofmeyr, S. A., Forrest, S., & Somayaji, A. (1998). Intrusion detection using sequences of system calls. Journal of computer security, 6(3), 151-180.
[15] Hsiao, S. W., Chen, Y. N., Sun, Y. S., & Chen, M. C. (2013, October). A cooperative botnet profiling and detection in virtualized environment. In Communications and Network Security (CNS), 2013 IEEE Conference on (pp. 154-162). IEEE.
[16] Hypervisor (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Hypervisor
[17] Inoue, H., Adelstein, F., Donovan, M., & Brueckner, S. (2011, June). Automatically Bridging the Semantic Gap using C Interpreter. In 6th Annual Symposium on Information Assurance (ASIA’11) (p. 51).
[18] Jiang, X., Wang, X., & Xu, D. (2007, October). Stealthy malware detection through vmm-based out-of-the-box semantic view reconstruction. In Proceedings of the 14th ACM conference on Computer and communications security (pp. 128-138). ACM.
[19] Kosoresow, A. P., & Hofmeyr, S. A. (1997). Intrusion detection via system call traces. IEEE software, 14(5), 35-42.
[20] Lee, S. W., & Yu, F. (2014, January). Securing KVM-Based Cloud Systems via Virtualization Introspection. In System Sciences (HICSS), 2014 47th Hawaii International Conference on (pp. 5028-5037). IEEE.
[21] Lengyel, T. K., Neumann, J., Maresca, S., Payne, B. D., & Kiayias, A. (2012, August). Virtual Machine Introspection in a Hybrid Honeypot Architecture. In CSET.
[22] LibVMI (n.d.). LibVMI. Retrieved March 24, 2015, from http://libvmi.com/
[23] Ligh, M. H., Case, A., Levy, J., & Walters, A. (2014). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. John Wiley & Sons.
[24] Macine learning (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Machine_learning
[25] Moser, A., Kruegel, C., & Kirda, E. (2007, December). Limits of static analysis for malware detection. In Computer security applications conference, 2007. ACSAC 2007. Twenty-third annual (pp. 421-430). IEEE.
[26] Mukkamala, S., Janoski, G., & Sung, A. (2002). Intrusion detection using neural networks and support vector machines. In Neural Networks, 2002. IJCNN`02. Proceedings of the 2002 International Joint Conference on (Vol. 2, pp. 1702-1707). IEEE.
[27] Nanavati, M., Colp, P., Aiello, B., & Warfield, A. (2014). Cloud security: A gathering storm. Communications of the ACM, 57(5), 70-79.
[28] Nasab, M. R. (2012). Security functions for virtual machines via introspection.
[29] OpenStack (n.d.). OpenStack Documentation for Havana. Retrieved March 24, 2015, from http://docs.openstack.org/havana/
[30] OpenStack (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/OpenStack
[31] Option Volatility (n.d.). Retrieved March 24, 2015, from http://www.investopedia.com/university/optionvolatility/
[32] Payne, B. D. (2012). Simplifying virtual machine introspection using libvmi. Sandia Report.
[33] Payne, B. D., Carbone, M., Sharif, M., & Lee, W. (2008, May). Lares: An architecture for secure active monitoring using virtualization. In Security and Privacy, 2008. SP 2008. IEEE Symposium on (pp. 233-247). IEEE.
[34] Payne, B. D., De Carbone, M. D. P., & Lee, W. (2007, December). Secure and flexible monitoring of virtual machines. In Computer Security Applications Conference, 2007. ACSAC 2007. Twenty-Third Annual (pp. 385-397). IEEE.
[35] Pfoh, J., Schneider, C., & Eckert, C. (2009, November). A formal model for virtual machine introspection. In Proceedings of the 1st ACM workshop on Virtual machine security (pp. 1-10). ACM.
[36] Pfoh, J., Schneider, C., & Eckert, C. (2011). Nitro: Hardware-based system call tracing for virtual machines. In Advances in Information and Computer Security (pp. 96-112). Springer Berlin Heidelberg.
[37] Rieck, K., Holz, T., Willems, C., Düssel, P., & Laskov, P. (2008). Learning and classification of malware behavior. In Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 108-125). Springer Berlin Heidelberg.
[38] Rieck, K., Trinius, P., Willems, C., & Holz, T. (2011). Automatic analysis of malware behavior using machine learning. Journal of Computer Security, 19(4), 639-668.
[39] Sahs, J., & Khan, L. (2012, August). A machine learning approach to android malware detection. In Intelligence and Security Informatics Conference (EISIC), 2012 European (pp. 141-147). IEEE.
[40] Schneider, C., Pfoh, J., & Eckert, C. (2011). A universal semantic bridge for virtual machine introspection. In Information Systems Security (pp. 370-373). Springer Berlin Heidelberg.
[41] Sevilla, M. (2012). CMPS223 Final Project Virtual Machine Introspection Techniques.
[42] Sharif, M. I., Lee, W., Cui, W., & Lanzi, A. (2009, November). Secure in-vm monitoring using hardware virtualization. In Proceedings of the 16th ACM conference on Computer and communications security (pp. 477-487). ACM.
[43] Support vector machine (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Support_vector_machine
[44] System call (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/System_call
[45] Virtualization (n.d.). Retrieved March 24, 2015, from http://en.wikipedia.org/wiki/Virtualization
[46] Wu, Y. S., Sun, P. K., Huang, C. C., Lu, S. J., Lai, S. F., & Chen, Y. Y. (2013, June). EagleEye: Towards mandatory security monitoring in virtualized datacenter environment. In Dependable Systems and Networks (DSN), 2013 43rd Annual IEEE/IFIP International Conference on (pp. 1-12). IEEE.
[47] Yoo, I. (2004, October). Visualizing windows executable viruses using self-organizing maps. In Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security (pp. 82-89). ACM.
[48] Yu, F., Huang, S. Y., Chiou, L. C., & Tsaih, R. H. (2013, August). Clustering iOS executable using self-organizing maps. In Neural Networks (IJCNN), The 2013 International Joint Conference on (pp. 1-8). IEEE. |
| Description: | 碩士
國立政治大學
資訊管理研究所
102356044 |
| Source URI: | http://thesis.lib.nccu.edu.tw/record/#G0102356044 |
| Data Type: | thesis |
| Appears in Collections: | [資訊管理學系] 學位論文
|
Files in This Item:
| File |
Size | Format | |
|---|
| 604401.pdf | 7945Kb | Adobe PDF2 | 258 | View/Open |
|
All items in 政大典藏 are protected by copyright, with all rights reserved.
|
