%0 Journal Article
%T Anomaly detection based on IO sequences in a virtual machine with the Markov model
%A 陈兴蜀
%A 陈佳昕
%A 赵丹丹
%A 金鑫
%J 清华大学学报(自然科学版) [Journal of Tsinghua University (Science and Technology)]
%D 2018
%R 10.16511/j.cnki.qhdxxb.2018.25.018
%X To detect anomalous IO behaviour inside virtual machines and discover both known and unknown virtual machine escape attacks in time, this paper proposes an anomaly detection method based on virtual machine IO sequences, built on hardware-assisted virtualization. The method comprises: an asynchronous acquisition technique that efficiently collects the IO sequences of a virtual machine; a mapping between the virtual machine's IO sequences and the processes running inside it, which gives a fine-grained description of the virtual machine's own IO behaviour; and an algorithm, based on a double-layer hash table, that generates short IO sequences, with a Markov chain model used to detect anomalous IO sequences. A prototype system, VMDec (virtual machine detecting), was designed and implemented in a KVM (Kernel-based Virtual Machine) environment, and its functionality and performance were evaluated experimentally. The results show that VMDec effectively detects IO-based malicious attacks inside virtual machines as well as known and unknown virtual machine escape attacks, with a false-alarm rate and performance overhead within an acceptable range.
%K IO sequence
%K anomaly detection
%K virtual machine (VM) escape
%K Markov chain
%K short sequence
%U http://jst.tsinghuajournals.com/CN/Y2018/V58/I4/395
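The abstract describes a pipeline of short IO-sequence generation keyed per guest process, followed by Markov-chain scoring of each sequence. The following Python is an added worked example of that idea, not code from the paper or from the VMDec prototype: the event tags, the window length k, the smoothing constant, the alert threshold, and the reading of the double-layer hash table as "process name -> short sequence -> count" are all assumptions made for this illustration, and the sample traces are constructed, not measured data.

```python
"""Added example: per-process Markov-chain anomaly detection over short
VM IO sequences.  Illustrative only; not the paper's or VMDec's code.
Event names, k, alpha and the threshold are assumptions."""
from collections import defaultdict


def short_sequences(trace, k):
    """Slide a window of k consecutive IO events over a trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


class VmIoMarkovDetector:
    """Short-sequence (k-gram) Markov model, one chain per guest process.

    The two-level table follows the double-layer hash table idea as read
    here: process name -> short sequence -> count.  A transition
    P(e_k | e_1..e_{k-1}) is estimated from those counts with additive
    smoothing, so a transition never seen in training gets a small but
    non-zero probability, while a context never seen at all scores 0.
    """

    def __init__(self, k=3, alpha=0.5):
        self.k = k
        self.alpha = alpha
        self.table = {}          # process -> {k-tuple: count}
        self.context_total = {}  # process -> {(k-1)-tuple: count}
        self.alphabet = {}       # process -> set of IO events seen in training

    def train(self, process, trace):
        seqs = self.table.setdefault(process, defaultdict(int))
        ctx = self.context_total.setdefault(process, defaultdict(int))
        self.alphabet.setdefault(process, set()).update(trace)
        for w in short_sequences(trace, self.k):
            seqs[w] += 1
            ctx[w[:-1]] += 1

    def transition_prob(self, process, window):
        """P(last event | preceding k-1 events) for one short sequence."""
        context = window[:-1]
        n_ctx = self.context_total[process].get(context, 0)
        if n_ctx == 0:
            return 0.0  # this context was never observed for the process
        v = len(self.alphabet[process])
        n_seq = self.table[process].get(window, 0)
        return (n_seq + self.alpha) / (n_ctx + self.alpha * v)

    def detect(self, process, trace, threshold=0.1):
        """Return [(window, prob)] for every short sequence below threshold.

        A trace attributed to a process with no trained model is reported
        in full: every window becomes an alert with probability 0.0.
        """
        windows = short_sequences(trace, self.k)
        if process not in self.table:
            return [(w, 0.0) for w in windows]
        alerts = []
        for w in windows:
            p = self.transition_prob(process, w)
            if p < threshold:
                alerts.append((w, p))
        return alerts


# Constructed sample traces (not measurements from the paper).  Each tag
# names the IO operation and the port/device the guest touched.
MMIO_R, MMIO_W = "MMIO_R:e1000", "MMIO_W:e1000"
OUT_1F7, IN_1F0, IN_1F7 = "OUT:0x1f7", "IN:0x1f0", "IN:0x1f7"
NET_CYCLE = [MMIO_R, MMIO_W]
DISK_CYCLE = [OUT_1F7, IN_1F0, IN_1F7]

TRAIN_HTTPD = (NET_CYCLE + DISK_CYCLE) * 20       # benign baseline for "httpd"
NORMAL_TRACE = NET_CYCLE + DISK_CYCLE + NET_CYCLE  # same pattern, should pass
ODD_TRACE = NET_CYCLE + [OUT_1F7, OUT_1F7, OUT_1F7, "OUT:0x5658"]  # novel pattern


def build_detector():
    det = VmIoMarkovDetector(k=3, alpha=0.5)
    det.train("httpd", TRAIN_HTTPD)
    return det


if __name__ == "__main__":
    det = build_detector()
    print("normal:", det.detect("httpd", NORMAL_TRACE))
    for window, p in det.detect("httpd", ODD_TRACE):
        print(f"alert httpd {window} p={p:.4f}")
    print("unknown process:", det.detect("cron", DISK_CYCLE))
```

Two properties of the scoring are worth noting for anyone adapting this. First, smoothing keeps a never-seen successor of a known context at a low but finite probability (alpha over the context total plus alpha times the alphabet size), so the threshold separates it from seen transitions without the chain degenerating to zero on the first novel event; a context that was never seen is treated as a novel short sequence outright. Second, keying the tables by process is what turns the raw hypervisor-side IO stream into a per-process baseline; without that attribution, the concatenated IO of all guest processes would blur the transition statistics and inflate the false-alarm rate.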