Forensic Virtual Machines: Dynamic Defence in the Cloud via Introspection

2014 IEEE International Conference on Cloud Engineering Pub Date : 2014-03-11 DOI:10.1109/IC2E.2014.59

A. Shaw, B. Bordbar, John T. Saxon, K. Harrison, Chris I. Dalton

{"title":"Forensic Virtual Machines: Dynamic Defence in the Cloud via Introspection","authors":"A. Shaw, B. Bordbar, John T. Saxon, K. Harrison, Chris I. Dalton","doi":"10.1109/IC2E.2014.59","DOIUrl":null,"url":null,"abstract":"The Cloud attempts to provide its users with automatically scalable platforms to host many applications and operating systems. To allow for quick deployment, they are often homogenised to a few images, restricting the variations used within the Cloud. An exploitable vulnerability stored within an image means that each instance will suffer from it and as a result, an attacker can be sure of a high pay-off for their time. This makes the Cloud a prime target for malicious activities. There is a clear requirement to develop an automated and computationally-inexpensive method of discovering malicious behaviour as soon as it starts, such that remedial action can be adopted before substantial damage is caused. In this paper we propose the use of Mini-OS, a virtualised operating system that uses minimal resources on the Xen virtualisation platform, for analysing the memory space of other guest virtual machines. These detectors, which we call Forensic Virtual Machines (FVMs), are lightweight such that they are inherently computationally cheap to run. Such a small footprint allows the physical host to run numerous instances to find symptoms of malicious behaviour whilst potentially limiting attack vectors. We describe our experience of developing FVMs and how they can be used to complement existing methods to combat malware. We also evaluate them in terms of performance and the resources that they require.","PeriodicalId":273902,"journal":{"name":"2014 IEEE International Conference on Cloud Engineering","volume":"24 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2014-03-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"19","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2014 IEEE International Conference on Cloud Engineering","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/IC2E.2014.59","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 19

Abstract

The Cloud attempts to provide its users with automatically scalable platforms to host many applications and operating systems. To allow for quick deployment, they are often homogenised to a few images, restricting the variations used within the Cloud. An exploitable vulnerability stored within an image means that each instance will suffer from it and as a result, an attacker can be sure of a high pay-off for their time. This makes the Cloud a prime target for malicious activities. There is a clear requirement to develop an automated and computationally-inexpensive method of discovering malicious behaviour as soon as it starts, such that remedial action can be adopted before substantial damage is caused. In this paper we propose the use of Mini-OS, a virtualised operating system that uses minimal resources on the Xen virtualisation platform, for analysing the memory space of other guest virtual machines. These detectors, which we call Forensic Virtual Machines (FVMs), are lightweight such that they are inherently computationally cheap to run. Such a small footprint allows the physical host to run numerous instances to find symptoms of malicious behaviour whilst potentially limiting attack vectors. We describe our experience of developing FVMs and how they can be used to complement existing methods to combat malware. We also evaluate them in terms of performance and the resources that they require.

查看原文本刊更多论文

取证虚拟机:通过自省在云中的动态防御

云试图为其用户提供可自动伸缩的平台来托管许多应用程序和操作系统。为了允许快速部署，它们通常被同质化到几个映像中，从而限制了在云中使用的变化。存储在映像中的可利用漏洞意味着每个实例都会受到影响，因此，攻击者可以确保他们的时间获得高额回报。这使得云成为恶意活动的主要目标。有一个明确的要求是开发一种自动的、计算成本低廉的方法，在恶意行为开始时就发现它，这样就可以在造成实质性损害之前采取补救措施。在本文中，我们建议使用Mini-OS(一种在Xen虚拟化平台上使用最小资源的虚拟化操作系统)来分析其他来宾虚拟机的内存空间。这些检测器，我们称之为取证虚拟机(fvm)，是轻量级的，因此它们在计算上运行起来很便宜。如此小的内存占用允许物理主机运行多个实例，以查找恶意行为的症状，同时潜在地限制攻击向量。我们描述了我们开发fvm的经验，以及如何使用它们来补充现有的对抗恶意软件的方法。我们也会根据他们的表现和所需的资源来评估他们。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2014 IEEE International Conference on Cloud Engineering

自引率

0.00%

发文量