2017

A real-time monitoring and forensics method under the IaaS model

DOI: 10.6040/j.issn.1671-9352.3.2016.003

Keywords: cloud security, virtualization, cloud monitoring forensics, physical memory analysis


Abstract:

To secure virtual machines in the cloud and to recover complete, reliable evidence of crime from the cloud, the paper proposes a real-time monitoring and forensics method based on physical memory analysis, and designs and develops a corresponding cloud monitoring and forensics system, giving its specific design and implementation. The system's agent only needs to run on the physical host: by acquiring and analyzing the host's physical memory, it extracts key information from inside the virtual machines installed on one or more physical hosts in the IaaS infrastructure layer. Finally, information extraction and anomaly detection were carried out in a KVM/Xen virtualized environment. The results show that the method can obtain key evidence from virtual machines on the cloud platform, can detect abnormal behavior inside virtual machines, and can effectively prevent problems such as virtual hosts running malicious software or being used for illegal and criminal activity.
