基于虚拟化技术的有效提高系统可用性的方法

doi:10.11772/j.issn.1001-9081.2017.04.0986

计算机应用 ›› 2017, Vol. 37 ›› Issue (4): 986-992.DOI: 10.11772/j.issn.1001-9081.2017.04.0986

基于虚拟化技术的有效提高系统可用性的方法

李津津^1,2, 贾晓启^1,3, 杜海超¹, 王利朋¹

1. 网络安全防护技术北京市重点实验室(中国科学院信息工程研究所), 北京 100195;
2. 中国科学院大学计算机与控制学院, 北京 100049;
3. 中国科学院大学网络空间安全学院, 北京 100049

收稿日期:2016-09-14 修回日期:2016-12-24 出版日期:2017-04-10 发布日期:2017-04-19
通讯作者: 杜海超
作者简介:李津津(1992-),女,陕西西安人,硕士研究生,主要研究方向:虚拟化、信息安全;贾晓启(1982-),男,北京人,研究员,博士,CCF会员,主要研究方向:虚拟化、网络安全、操作系统安全;杜海超(1989-),女,北京人,硕士,CCF会员,主要研究方向:系统安全、恶意代码检测;王利朋(1987-),男,河南新乡人,硕士,主要研究方向:系统安全、虚拟化。
基金资助:
国家自然科学基金资助项目（61100228）；国家863计划项目（2012AA013101）；中国科学院战略性先导专项（XDA06030601，XDA06010701）。

Efficient virtualization-based approach to improve system availability

LI Jinjin^1,2, JIA Xiaoqi^1,3, DU Haichao¹, WANG Lipeng¹

1. Beijing Key Laboratory of Network Security and Protection Technology(Institute of Information Engineering, Chinese Academy of Sciences), Beijing 100195, China;
2. School of Computer and Control Engineering, University of Chinese Academy of Sciences, Beijing 100049, China;
3. School of Cyber Space Security, University of Chinese Academy of Sciences, Beijing 100049, China

Received:2016-09-14 Revised:2016-12-24 Online:2017-04-10 Published:2017-04-19
Supported by:
This work is partially supported by the National Natural Science Foundation of China (61100228), the National High Technology Research and Development Program (863 Program) of China (2012AA013101), the Strategic Priority Research Program of Chinese Academy of Sciences(XDA06030601, XDA06010701).

摘要/Abstract

摘要： 针对安全攸关的客户机在安全工具发生警报时往往会进行暂停、检测、恢复等操作，而安全工具误报（虚报、漏报）的发生和发现存在延迟，从而对客户机造成可用性影响的问题，提出一种基于虚拟化技术的有效解决方案。在误报发生时，首先正确控制可疑进程行为，避免该进程对系统造成实质性影响。其次记录可疑进程行为，并根据其与系统其他进程的交互行为形成进程间依赖关系。当误报被发现时，以记录的进程行为及进程间依赖关系为依据，对可疑进程及与其存在依赖关系的相关进程采取恢复进程行为、杀死相关进程等措施，使系统快速达到正确运行状态。实验结果表明，所提方案能够在安全工具发生误报时，避免回滚、恢复等操作带来的时间开销，相对于未采取措施的情况，所提方案将误报存在时的处理时间减少20%~50%。所提方案能够有效降低安全工具误报对客户机可用性造成的影响，可应用在安全攸关的客户机所在的云平台之上。

关键词: 虚拟化, 可用性, 安全技术, 云平台, 系统调用

Abstract: In terms of the problem that a safety-critical system will be paused, detected and resumed when security tools alert, and the delay between the occurrence and discovery of the false alarms (false positive or false negative) results in an effect on the availability of the guest Operating System (OS), a scheme based on virtualization was proposed. When a false alarm occurred, the operations of the suspicious application were quarantined correctly to avoid substantial system-wide damages. Then the operations of the suspicious application were logged and application inter-dependency information was generated according to its interactions with other applications. When the false alarm was determined, measures such as resuming the application's operations and killing the relevant applications according to the operation logs and inter-dependency information were taken so that the guest OS could reach the correct operating status quickly. The experimental results show that the scheme can reduce the overhead caused by rollback and recovery when a false alarm occurs. Compared to the situation without the proposed scheme, the overhead of handling the false alarm is reduced by 20%-50%. The proposed scheme can effectively reduce the effect of false alarm on the availability of clients, and can be applied in the cloud platform which provides services to safety-critical clients.

Key words: virtualization, availability, security technology, cloud platform, system call

中图分类号:

TP309.3

李津津, 贾晓启, 杜海超, 王利朋. 基于虚拟化技术的有效提高系统可用性的方法[J]. 计算机应用, 2017, 37(4): 986-992.

LI Jinjin, JIA Xiaoqi, DU Haichao, WANG Lipeng. Efficient virtualization-based approach to improve system availability[J]. Journal of Computer Applications, 2017, 37(4): 986-992.

参考文献

[1] LAUREANO M, MAZIERO C, JAMHOUR E. Protecting host-based intrusion detectors through virtual machines[J]. Computer Networks, 2007, 51(5): 1275-1283.
[2] 项国富, 金海, 邹德清, 等. 基于虚拟化的安全监控[J]. 软件学报, 2012, 23(8): 2173-2187.(XIANG G F, JIN H, ZOU D Q, et al. Virtualization-based security monitoring[J]. Journal of Software, 2012, 23(8): 2173-2187.)
[3] JIANG X, WANG X, XU D. Stealthy malware detection through VMM-based out-of-the-box semantic view reconstruction[C]//Proceedings of the 14th ACM Conference on Computer and Communications Security. New York: ACM, 2007: 128-138.
[4] DINABURG A, ROYAL P, SHARIF M, et al. Ether: malware analysis via hardware virtualization extensions[C]//Proceedings of the 15th ACM Conference on Computer and Communications Security. New York: ACM, 2008: 51-62.
[5] LANZI A, SHARIF M I, LEE W. K-Tracer: a system for extracting kernel malware behavior[EB/OL].[2016-03-10]. https://www.isoc.org/isoc/conferences/ndss/09/pdf/12.pdf.
[6] XUAN C, COPELAND J, BEYAH R. Toward revealing kernel malware behavior in virtual execution environments[C]//RAID 2009: Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection. Berlin: Springer, 2009: 304-325.
[7] SESHADRI A, LUK M, QU N, et al. SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes[C]//SOSP 2007: Proceedings of Twenty-first ACM SIGOPS Symposium on Operating Systems Principles. New York: ACM, 2007: 335-350.
[8] PAYNE B D, LEINHOS M. LibVMI[EB/OL].[2016-08-29]. http://libvmi.com.
[9] PAYNE B D, CARBONE M, SHARIF M, et al. Lares: an architecture for secure active monitoring using virtualization[C]//SP 2008: Proceedings of the 2008 IEEE Symposium on Security and Privacy. Piscataway, NJ: IEEE, 2008: 233-247.
[10] ZHANG X, LI Q, QING S, et al. VNIDA: building an IDS architecture using VMM-based non-intrusive approach[C]//WKDD 2008: Proceedings of the First International Workshop on Knowledge Discovery and Data Mining. Piscataway, NJ: IEEE, 2008: 594-600.
[11] SHARIF M I, LEE W, CUI W, et al. Secure in-VM monitoring using hardware virtualization[C]//Proceedings of the 16th ACM Conference on Computer and Communications Security. New York: ACM, 2009: 477-487.
[12] XI X, JIA X, LIU P. SHELF: preserving business continuity and availability in an intrusion recovery system[C]//ACSAC 2009: Proceedings of the 2009 Annual Computer Security Applications Conference. Piscataway, NJ: IEEE, 2009: 484-493.
[13] WU R, CHEN P, LIU P, et al. System call redirection: a practical approach to meeting real-world virtual machine introspection needs[C]//Proceedings of the 201444th Annual IEEE/IFIP International Conference on Dependable Systems and Networks. Piscataway, NJ: IEEE, 2014: 574-585.

[1]	李卓, 宋子晖, 沈鑫, 陈昕. 边缘计算支持下的移动群智感知本地差分隐私保护机制[J]. 计算机应用, 2021, 41(9): 2678-2686.
[2]	刘向宇, 夏国平, 夏秀峰, 宗传玉, 朱睿, 李佳佳. 个性化时空数据隐私保护[J]. 计算机应用, 2021, 41(3): 643-650.
[3]	陈港, 孟相如, 康巧燕, 阳勇. 基于拓扑分割与聚类分析的虚拟软件定义网络映射算法[J]. 《计算机应用》唯一官方网站, 2021, 41(11): 3309-3318.
[4]	赵季红, 吴豆豆, 曲桦, 殷振宇. 基于软件定义网络的可靠性虚拟网络映射保障机制[J]. 计算机应用, 2020, 40(3): 770-776.
[5]	许英鑫, 孙磊, 赵建成, 郭松辉. 基于蚁群优化算法的虚拟现场可编程门阵列部署策略[J]. 计算机应用, 2020, 40(3): 747-752.
[6]	刘向宇, 陈金梅, 夏秀峰, Manish Singh, 宗传玉, 朱睿. 防止暴露位置攻击的轨迹隐私保护[J]. 计算机应用, 2020, 40(2): 479-485.
[7]	韩妍妍, 张齐, 闫晓璇, 刘培鹤, 徐鹏格. 基于区块链的电子文件流转设计与实现[J]. 计算机应用, 2020, 40(11): 3357-3365.
[8]	杨哂哂, 吴慧珍, 庄黎丽, 吕宏武. 基于Markov过程的IaaS系统可用性建模与分析方法[J]. 计算机应用, 2020, 40(10): 3013-3018.
[9]	范宏伟, 胡宇翔, 兰巨龙. 两段式虚拟网络功能硬件加速资源部署机制[J]. 计算机应用, 2018, 38(9): 2575-2580.
[10]	路子聪, 徐开勇, 郭松, 肖警续. 基于ARM虚拟化扩展的Android内核动态度量方法[J]. 计算机应用, 2018, 38(9): 2644-2649.
[11]	李帅, 孙磊, 郭松辉. 减少上下文切换的虚拟密码设备中断路径优化方法[J]. 计算机应用, 2018, 38(7): 1946-1950.
[12]	杨宏宇, 宁宇光. 云平台访问控制自适应风险评估指标权重分配方法[J]. 计算机应用, 2018, 38(6): 1614-1619.
[13]	柳春懿, 张晓, 覃源淞, 芦尚奇. 基于云平台的任务性能采集和分类方法[J]. 计算机应用, 2018, 38(6): 1665-1669.
[14]	张佳辰, 刘晓光, 王刚. 多种存储环境下压缩数据库的缓存优化[J]. 计算机应用, 2018, 38(5): 1404-1409.
[15]	吴文燕, 姜鑫, 王晓锋, 刘渊. 虚拟化与数字仿真融合的多尺度网络复现技术[J]. 计算机应用, 2018, 38(3): 746-752.

基于虚拟化技术的有效提高系统可用性的方法

Efficient virtualization-based approach to improve system availability

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics