Guofu Xiang
Huazhong University of Science and Technology
Publications
Featured research published by Guofu Xiang.
The Journal of Supercomputing | 2013
Hai Jin; Guofu Xiang; Deqing Zou; Song Wu; Feng Zhao; Min Li; Weide Zheng
With the development of information technology, cloud computing has become a new direction for grid computing. Cloud computing is user-centric and provides end users with services on a leasing basis. Guaranteeing the security of user data needs careful consideration before cloud computing is widely applied in business. Virtualization provides a new approach to solving traditional security problems and can serve as the underlying infrastructure of cloud computing. In this paper, we propose an intrusion prevention system, VMFence, for a virtualization-based cloud computing environment, which monitors network flow and file integrity in real time and provides both network defense and file integrity protection. Because virtual machines are dynamic, the detection process varies with the state of the virtual machine; the state transitions of the virtual machine are described by a Deterministic Finite Automaton (DFA). We have implemented VMFence on an open-source virtual machine monitor platform, Xen. The experimental results show that the proposed method is effective and brings acceptable overhead.
symposium on reliable distributed systems | 2010
Guofu Xiang; Hai Jin; Deqing Zou; Xinwen Zhang; Sha Wen; Feng Zhao
Monitoring virtual machines (VMs) is an essential function of virtualized platforms. Existing solutions are either coarse-grained, monitoring only at VM granularity, or not general, supporting only specific monitoring functions for a particular guest operating system (OS). They therefore do not satisfy the monitoring requirements of large-scale server clusters such as data centers and public cloud platforms, where each physical platform runs hundreds of VMs with different guest OSes. In this paper, we propose VMDriver, a general and fine-grained approach to virtualization monitoring. The novel design of VMDriver is the separation of the event interception point, at the VMM level, from the rich guest-OS semantic reconstruction, in the management domain. With this design, different monitoring drivers in the management domain can mask the differences between guest OSes. We implement VMDriver on Xen, and our experimental study shows that it introduces very small performance overhead. We demonstrate its generality by inspecting four aspects of the target virtual machines running different guest OSes. The unified interface of VMDriver makes it convenient to develop complex monitoring tools for distributed virtualization environments.
international conference on ubiquitous information management and communication | 2009
Hai Jin; Guofu Xiang; Feng Zhao; Deqing Zou; Min Li; Lei Shi
An Intrusion Prevention System (IPS) is an effective tool for detecting and preventing unwanted attempts, mainly through network and system vulnerabilities, to access and manipulate computer systems. Intrusion detection and prevention are the two main functions of an IPS. As attacks become massive and complex, traditional centralized IPSes are incapable of detecting all such attempts. Existing distributed IPSes, mainly based on mobile agents, have some serious problems, such as the weak security of the mobile agents, response latency and large code size. In this paper, we propose a customized intrusion prevention system, VMFence, for a distributed virtual computing environment, to reduce management complexity. In VMFence, the states of the detection processes vary with those of the Virtual Machines (VMs), which are described by Deterministic Finite Automata (DFA). The detection processes, each of which monitors one virtual machine, reside in a privileged virtual machine. The processes run synchronously and outside the VMs in order to achieve high performance and security. The experimental results also show that VMFence has higher detection efficiency than traditional intrusion detection systems and little impact on the performance of the monitored VMs.
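Both VMFence abstracts above describe the detection process as driven by a Deterministic Finite Automaton over virtual machine states. The following is an added example, not VMFence code: a small VM-lifecycle DFA whose current state fixes what the per-VM detection process is doing, and which rejects events that are not defined for the current state (for instance, events arriving for a VM that has already been destroyed). The VM states, event names and detector states are assumptions chosen for illustration; they are not the states a Xen toolstack actually reports.

```python
"""Added example (not the paper's code): a VM-lifecycle DFA that drives the
state of a per-VM detection process.

Assumptions: the VM states, the event names and the detector states below are
illustrative and differ from what a real Xen toolstack reports.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# VM lifecycle DFA: (current VM state, event) -> next VM state.
VM_TRANSITIONS = {
    ("created", "start"):    "running",
    ("running", "pause"):    "paused",
    ("paused", "resume"):    "running",
    ("running", "shutdown"): "stopped",
    ("paused", "shutdown"):  "stopped",
    ("stopped", "start"):    "running",
    ("stopped", "destroy"):  "destroyed",
}

# Detection-process state as a function of the VM state: the detector's state
# "varies with" the VM's state rather than being driven by a separate clock.
DETECTOR_STATE = {
    "created":   "idle",        # nothing to inspect yet
    "running":   "monitoring",  # network flow and file integrity checks active
    "paused":    "suspended",   # VM frozen; repeated checks would only burn cycles
    "stopped":   "idle",
    "destroyed": "terminated",  # detector exits; no further events are accepted
}


class InvalidTransition(ValueError):
    """Raised when an event is not defined for the current VM state."""


@dataclass
class VMDetector:
    vm_name: str
    vm_state: str = "created"
    # (event, resulting VM state, resulting detector state)
    trace: List[Tuple[str, str, str]] = field(default_factory=list)

    @property
    def detector_state(self) -> str:
        return DETECTOR_STATE[self.vm_state]

    def on_event(self, event: str) -> str:
        """Advance the DFA on one event and return the new detector state."""
        key = (self.vm_state, event)
        if key not in VM_TRANSITIONS:
            raise InvalidTransition(
                f"{self.vm_name}: no transition from {self.vm_state!r} on {event!r}")
        self.vm_state = VM_TRANSITIONS[key]
        self.trace.append((event, self.vm_state, self.detector_state))
        return self.detector_state

    def should_inspect(self) -> bool:
        """Only a running VM is inspected; a paused or stopped VM is skipped."""
        return self.detector_state == "monitoring"


def replay(vm_name: str, events: List[str]) -> List[Tuple[str, str, str]]:
    """Feed a constructed event sequence to a fresh detector and return its trace."""
    det = VMDetector(vm_name)
    for ev in events:
        det.on_event(ev)
    return det.trace


if __name__ == "__main__":
    # Constructed event sequence for one VM.
    for row in replay("vm-1", ["start", "pause", "resume", "shutdown", "destroy"]):
        print(row)
```

Because the transition table is total over the events that are legal in each state and nothing else, an unexpected event (a "resume" for a VM the monitor believes is running, say) is a signal that the monitor's view and the toolstack's view have diverged, which is worth alerting on rather than silently ignoring.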
Computers & Mathematics With Applications | 2010
Hai Jin; Guofu Xiang; Deqing Zou; Feng Zhao; Min Li; Chen Yu
The file system is a usual target of malicious attacks because it contains much sensitive data, such as executable programs, configuration and authorization information. File integrity monitoring is an effective approach to discovering aggressive behavior by detecting modifications of these sensitive files. Traditional real-time integrity monitoring tools, which insert hooks into the OS kernel, are easily controlled and disabled by malicious software. Such methods, which insert a kernel module into the OS, are also hard to keep compatible across the diversity of OSes. In this paper, we present a non-intrusive real-time file integrity monitoring method for virtual machine-based computing environments, which is transparent to the monitored system. The monitor is isolated from the monitored system, since it observes the state of the monitored system from the outside. This brings two benefits: detecting file operations in real time and being invisible to malicious attackers in the monitored system. Furthermore, a file classification algorithm based on file security level is proposed to improve efficiency. The proposed file integrity monitoring method is implemented in the full-virtualization mode supported by the Xen platform. The experimental results show that the method is effective with acceptable overhead.
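As an added illustration, not the paper's implementation, the following Python sketch shows out-of-guest file integrity checking combined with a security-level classification that decides how often each file is rechecked, which is one way a classification by security level can buy efficiency. The guest file system is modelled as a dict of path to bytes that the monitor reads from outside the VM; the three levels, the path patterns and the per-level check periods are assumed policy, not the paper's algorithm.

```python
"""Added example (not the paper's code): out-of-guest file integrity checking
with a security-level classification that sets how often a file is rechecked.

Assumptions: the guest file system is a dict path -> bytes read from outside
the VM; the three levels, the path rules and the per-level check periods are
illustrative policy.
"""
import fnmatch
import hashlib
from typing import Dict, List, Tuple

# Security-level rules, highest level first; the first matching pattern wins.
LEVEL_RULES = [
    (3, ["/boot/*", "/etc/passwd", "/etc/shadow", "/etc/sudoers", "/bin/*", "/sbin/*"]),
    (2, ["/etc/*", "/lib/*", "/usr/bin/*", "/usr/sbin/*"]),
]
DEFAULT_LEVEL = 1

# Recheck period per level, in scan ticks: critical files every tick,
# configuration every 5 ticks, everything else every 20 ticks (assumed policy).
CHECK_PERIOD = {3: 1, 2: 5, 1: 20}

Baseline = Dict[str, Tuple[int, str]]   # path -> (level, sha256)
Finding = Tuple[str, int, str]          # (path, level, change)


def classify(path: str) -> int:
    """Map a guest path to its security level."""
    for level, patterns in LEVEL_RULES:
        if any(fnmatch.fnmatchcase(path, pat) for pat in patterns):
            return level
    return DEFAULT_LEVEL


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(image: Dict[str, bytes]) -> Baseline:
    """Record (level, sha256) for every file while the guest is known to be clean."""
    return {path: (classify(path), digest(data)) for path, data in image.items()}


def due(level: int, tick: int) -> bool:
    return tick % CHECK_PERIOD[level] == 0


def scan(image: Dict[str, bytes], baseline: Baseline, tick: int) -> List[Finding]:
    """Compare the live image with the baseline for every file whose level is
    due at this tick. Returns (path, level, change) tuples, change being one of
    "modified", "deleted" or "added", ordered highest level first."""
    findings: List[Finding] = []
    for path, (level, ref) in baseline.items():
        if not due(level, tick):
            continue
        if path not in image:
            findings.append((path, level, "deleted"))
        elif digest(image[path]) != ref:
            findings.append((path, level, "modified"))
    for path in image:                     # files the baseline never saw
        if path not in baseline:
            level = classify(path)
            if due(level, tick):
                findings.append((path, level, "added"))
    return sorted(findings, key=lambda f: (-f[1], f[0]))


if __name__ == "__main__":
    # Constructed guest image; a real monitor would read the guest disk from dom0.
    guest = {
        "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
        "/etc/motd": b"welcome\n",
        "/home/alice/notes.txt": b"todo\n",
    }
    base = build_baseline(guest)
    guest["/etc/passwd"] += b"evil:x:0:0::/:/bin/sh\n"   # simulated tampering
    for tick in (1, 5):
        print(tick, scan(guest, base, tick))
```

Reading the image from outside the guest is what keeps the monitor invisible to malware inside it, but it also means the baseline must be built while the guest is known to be clean; a baseline taken from an already compromised image simply enshrines the attacker's files.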
international conference on software engineering | 2009
Feng Zhao; Yali Jiang; Guofu Xiang; Hai Jin; Wenbin Jiang
With the development of virtualization technology, file protection in virtual machines, especially in the guest OS, becomes increasingly important. Traditional host-based file protection systems place their critical modules inside the monitored system, where they are easily discovered and destroyed by malware. Moreover, to protect multiple operating systems running on the same platform, an independent file protection system must be installed in each of them, which greatly wastes computing resources and brings serious performance overhead. In this paper, a novel VM-based real-time file protection system, named VRFPS, is proposed to solve these problems. First, the virtual machine monitor introspects all file operations of the guest OS. Then the semantic gap between disk blocks and logical files is narrowed by blktap. Finally, a virtual sandbox implemented in the privileged domain prevents protected files in the guest domain from being modified illegally. Our approach is highly isolated and transparent, and requires no modification of the virtual machine monitor or the guest OS. The experimental results show that the presented system is valid and has low performance overhead.
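The step that narrows the semantic gap is where a block-level interceptor has to recover which logical file a write touches before the sandbox can decide on it. The following added example (not VRFPS code) models that with a hand-built block-to-path map standing in for walking the guest file system's on-disk metadata, which is what a blktap-based interceptor would have to do, and a sandbox in the privileged domain that allows, denies, or holds a write for inspection. The block numbers, metadata blocks, protected patterns and verdict strings are all assumptions for illustration.

```python
"""Added example (not VRFPS code): resolving an intercepted block write back to
the logical file it belongs to, then applying a protection policy from the
privileged domain.

Assumptions: BlockMap is a toy stand-in for walking the guest file system's
inode/extent metadata; the block numbers, METADATA blocks, protected patterns
and verdict strings are illustrative.
"""
import fnmatch
from typing import Dict, List, Optional, Set, Tuple


class BlockMap:
    """Inverse of the file system's block allocation: block number -> path."""

    def __init__(self, files: Dict[str, List[int]], metadata_blocks: Set[int]):
        self.metadata_blocks = set(metadata_blocks)
        self.block_to_file: Dict[int, str] = {}
        for path, blocks in files.items():
            for b in blocks:
                if b in self.block_to_file or b in self.metadata_blocks:
                    raise ValueError(f"block {b} is already allocated")
                self.block_to_file[b] = path

    def resolve(self, block: int) -> Optional[str]:
        """Path owning `block`, or None if the block is unallocated."""
        return self.block_to_file.get(block)


class Sandbox:
    """Decides, from outside the guest, whether a block write may proceed."""

    def __init__(self, blockmap: BlockMap, protected: List[str]):
        self.blockmap = blockmap
        self.protected = list(protected)
        # Audit log of (block, resolved path or None, verdict).
        self.log: List[Tuple[int, Optional[str], str]] = []

    def is_protected(self, path: str) -> bool:
        return any(fnmatch.fnmatchcase(path, pat) for pat in self.protected)

    def on_write(self, block: int) -> str:
        """Return "allow", "deny" or "inspect" for a write to `block`."""
        path: Optional[str] = None
        if block in self.blockmap.metadata_blocks:
            # Rewriting inode/extent tables could re-point a protected file at
            # attacker-controlled blocks, so metadata writes are held until the
            # change has been decoded; a blanket deny would break the guest.
            verdict = "inspect"
        else:
            path = self.blockmap.resolve(block)
            if path is None:
                verdict = "allow"           # free block: nothing to protect yet
            elif self.is_protected(path):
                verdict = "deny"
            else:
                verdict = "allow"
        self.log.append((block, path, verdict))
        return verdict


def replay_writes(sandbox: Sandbox, blocks: List[int]) -> List[str]:
    """Apply a constructed sequence of block writes and return the verdicts."""
    return [sandbox.on_write(b) for b in blocks]


if __name__ == "__main__":
    # Constructed layout: blocks 0-1 hold metadata, the rest hold file data.
    bm = BlockMap({"/etc/passwd": [10, 11], "/var/log/syslog": [20, 21, 22]},
                  metadata_blocks={0, 1})
    sb = Sandbox(bm, ["/etc/passwd", "/boot/*"])
    print(replay_writes(sb, [10, 20, 99, 0]))
    for entry in sb.log:
        print(entry)
```

The "inspect" verdict is the practical caveat: protecting data blocks alone is not enough, because a guest-side attacker who can write the file system's metadata can relocate a protected file to blocks the sandbox does not know about, so the mapping has to be refreshed whenever metadata changes.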
grid computing | 2009
Ge Cheng; Hai Jin; Deqing Zou; Xinwen Zhang; Min Li; Chen Yu; Guofu Xiang
In grid and cloud computing infrastructures, the integrity of a computing platform is a critical security requirement for providing secure and honest computing environments to service providers and resource consumers. However, because the software components running on a single platform are usually provided and maintained by different authorities that potentially do not trust each other, the problem of monitoring and protecting runtime system integrity becomes very challenging and has not yet been well addressed. In this paper, we present a virtualization-based dynamic integrity protection method which ensures that only the appropriate authorities can control their components, without interfering with other component providers or authorities. In our solution, integrity requirements defined by the authorities of upper components (e.g., service middleware and applications) are respected by preventing the underlying components (e.g., the operating system) from exposing their sensitive data, which could be caused by an update of the underlying components or by other malicious actions. We implement our solution on a Xen-based platform, and our evaluation results show that the solution is effective for integrity protection with acceptable performance overhead.
international conference on information networking | 2012
Guofu Xiang; Hai Jin; Deqing Zou
Virtualization can divide or aggregate the underlying resources flexibly, and it has attracted attention from both academia and industry in recent years. The guest operating systems in virtual machines vary, and the states of virtual machines change all the time. The complexity of the virtual computing environment therefore brings tremendous challenges for security monitoring, and existing monitoring mechanisms cannot adapt to the dynamism and diversity of virtual machines. This paper proposes a comprehensive monitoring framework, named ComMon, which implements comprehensive monitoring from three aspects: network, process and file. It is real-time, transparent and general.
chinagrid annual conference | 2011
Hai Jin; Deqing Zou; Weizhong Qiang; Guofu Xiang
Exploit sequencing is a typical way for an attacker to break into a network. In such a scenario, each exploit serves as an atomic proposition for subsequent exploits. An attack path is a succession of exploits that takes an attacker right to his or her final goal, and the set of all possible attack paths forms an attack graph. Researchers have proposed a multitude of techniques to generate attack graphs, which grow exponentially in the size of the network. Hence it is preferable to choose solutions that avoid this scalability cost. In this paper, we propose a comprehensive approach to network vulnerability analysis by ranking an access Petri net graph and adopting a penetration tester's perspective of the maximal level of access possible on a host. Our approach has the following benefits: it provides a simple model in which an analyst can work, its algorithmic complexity is polynomial in the size of the network, and it scales well to large networks. Nevertheless, it has a drawback: instead of all possible attack paths, we seek only good attack paths, so an analyst may make suboptimal choices when repairing the network.
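A polynomial alternative to enumerating every attack path is to compute, per host, only the maximal access level the attacker can reach, which is the penetration-tester perspective the abstract describes. The following is an added example, not the paper's Petri net method: monotone propagation of access levels over a set of exploit records, followed by extraction of one good attack path to a goal rather than all of them. The three access levels, the Exploit fields and the constructed network under `__main__` are assumptions for illustration.

```python
"""Added example (not the paper's algorithm): polynomial-time computation of the
maximal access level an attacker can reach on each host, plus one "good"
attack path to a goal instead of an enumeration of every path.

Assumptions: three ordered access levels, an Exploit record with a required
level on the source host and a gained level on the target, and the constructed
network below are all illustrative.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LEVELS = {"none": 0, "user": 1, "root": 2}
LEVEL_NAME = {v: k for k, v in LEVELS.items()}


@dataclass(frozen=True)
class Exploit:
    name: str
    src: str    # host the attacker acts from (src == dst for local privilege escalation)
    dst: str    # host whose access level is raised
    need: str   # minimum level required on src
    gain: str   # level obtained on dst


# (host, level) -> the exploit that first reached at least that level on host.
First = Dict[Tuple[str, int], Exploit]


def max_access(hosts: List[str], exploits: List[Exploit], start: str,
               start_level: str = "user") -> Tuple[Dict[str, str], First]:
    """Monotone propagation: access only ever increases, so at most
    len(hosts) * (len(LEVELS) - 1) raises can happen, and every round costs
    len(exploits) checks; the whole thing is polynomial in the network size."""
    access = {h: 0 for h in hosts}
    access[start] = LEVELS[start_level]
    first: First = {}
    progress = True
    while progress:
        progress = False
        for e in exploits:
            if access[e.src] >= LEVELS[e.need] and LEVELS[e.gain] > access[e.dst]:
                for lvl in range(access[e.dst] + 1, LEVELS[e.gain] + 1):
                    first[(e.dst, lvl)] = e
                access[e.dst] = LEVELS[e.gain]
                progress = True
    return {h: LEVEL_NAME[v] for h, v in access.items()}, first


def attack_path(first: First, start: str, goal: str, level: str = "root",
                start_level: str = "user") -> List[str]:
    """Unwind one path: the exploit that first gave `level` on goal, then the
    exploit that first satisfied its precondition on the source, and so on back
    to the start. Every step was recorded strictly earlier than the previous
    one, so this terminates even when exploits form cycles between hosts.
    Returns [] if the goal level is unreachable."""
    steps: List[str] = []
    host, need = goal, LEVELS[level]
    while not (host == start and need <= LEVELS[start_level]):
        if need == 0:               # precondition "none" is always satisfied
            break
        e = first.get((host, need))
        if e is None:
            return []
        steps.append(e.name)
        host, need = e.src, LEVELS[e.need]
    return list(reversed(steps))


if __name__ == "__main__":
    # Constructed network: a foothold, a web host, a database and a controller.
    hosts = ["attacker", "web", "db", "dc"]
    exploits = [
        Exploit("web-rce",      "attacker", "web", "user", "user"),
        Exploit("web-privesc",  "web",      "web", "user", "root"),
        Exploit("db-trust",     "web",      "db",  "root", "root"),
        Exploit("dc-admin",     "db",       "dc",  "root", "root"),
        Exploit("dc-direct",    "attacker", "dc",  "root", "root"),  # never enabled
    ]
    access, first = max_access(hosts, exploits, "attacker")
    print(access)
    print(attack_path(first, "attacker", "dc"))
```

The trade-off the abstract states is visible here: `attack_path` returns the path through whichever exploit happened to raise each host first, so fixing only the exploits on that path may leave an equally good alternative path intact, and the analyst has to re-run the analysis after every proposed repair.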
wireless communications, networking and information security | 2010
Alex K. Ohoussou; Hai Jin; Deqing Zou; Feng Zhao; Guofu Xiang; Ge Cheng
One motivation for virtualization technology is the desire to develop new services that enhance system security without trusting either the applications or the operating systems. An intrusion detection system is an example of such a service, which can help isolate users from malicious attacks. In this paper, we propose a hybrid intrusion detection architecture for virtual computing environments to detect and isolate harmful behavior through real-time monitoring and alarming. In contrast to a monolithic intrusion detection system, we introduce autonomous agents, acting independently of each other, to monitor the system. The agents are deployed in virtual machines to analyze actions occurring on the network and inside the hosts and to determine whether they are potential security violations. Our architecture is implemented on Xen, and the detection management center is deployed in a secure virtual machine.
Archive | 2012
Hai Jin; Deqing Zou; Pan Qin; Gang Hu; Guofu Xiang