
Journal of Shandong University (Natural Science), 2017, Vol. 52, Issue (6): 84-91. doi: 10.6040/j.issn.1671-9352.3.2016.003


A real-time monitoring and forensics method under the IaaS model

YANG Shu-mian1,2, WANG Lian-hai1,2, ZHANG Shu-hui1,2, XU Shu-jiang1,2, LIU Guang-qi1,2

  1. Shandong Computer Science Center (National Supercomputer Center in Jinan), Jinan 250014, Shandong, China;
  2. Shandong Provincial Key Laboratory of Computer Networks, Jinan 250014, Shandong, China
  • Received: 2016-09-22  Online: 2017-06-20  Published: 2017-06-21
  • About the author: YANG Shu-mian (born 1978), female, master's degree, associate research fellow; research interests: computer forensics and network security. E-mail: yangshm@sdas.org
  • Funding: Natural Science Foundation of Shandong Province (ZR2014FM003, ZR2015YL018, ZR2016YL011, ZR2016YL014, ZR2013FQ001); Shandong Province Outstanding Young Scientists Research Award Fund (BS2014DX007, BS2015DX006); Youth Fund of the Shandong Academy of Sciences (2014QN011, 2015QN003); National Natural Science Foundation of China (61602281)

Abstract: To ensure the security of virtual machines in the cloud and to find complete and reliable evidence of crimes from the cloud, this paper presents a real-time monitoring and forensics method based on physical memory analysis, designs and develops the corresponding cloud monitoring forensic system, and gives its specific design and implementation. The agent only needs to run on the physical host: by acquiring and analyzing the host's physical memory, it extracts key information from the virtual machines installed on one or more physical hosts in the IaaS infrastructure layer. Finally, information extraction and anomaly detection were carried out in KVM/Xen virtualized environments. The results show that the method can obtain key evidence about virtual machines in the cloud platform, detect abnormal behaviour inside the virtual machines, and effectively prevent virtual hosts from running malicious software, committing crimes and similar problems.

Key words: cloud security, cloud monitoring forensics, physical memory analysis, virtualization

CLC number: TP309