云计算环境下可信虚拟机管理模型

为了解决云计算环境下虚拟机管理存在的管理域特权过于集中和用户策略易被恶意篡改等问题,提出了一种可信虚拟机管理模型。模型首先对虚拟机管理域进行了细粒度的划分,赋予管理员和用户不同的管理特权,防止管理员随意访问用户的数据;利用可信计算技术建立可信通道分发用户策略,防止管理员恶意篡改用户策略。安全性分析与实验测试表明,该模型可以有效保护用户数据和用户策略的安全性。     

Virtual machine co-residency method on cloud computing platform

If the attacker wants to compromise a target virtual machine on a cloud platform,the malicious virtual machine must be co-resident with the target.Based on this,a virtual machine co-residency method was proposed.The method combined a co-residency detection scheme based on covert channel construction and an automatic virtual machine flooding strategy,and was evaluated on a well-known domestic cloud platform.Experiment shows that the adaptive covert channel can achieve accuracies of 95%,the proposed detection scheme has strong robustness whose false positive rate is less than 5 ‰,the proposed method is versatile and keeps the virtualization isolation barrier intact,which has great potential threat and should be paid great attention and precaution.     

DIV:一种针对虚拟机云服务的动态、实时完整性验证框架(英文)

with the increasing popularity of cloud services,attacks on the cloud infrastructure also increase dramatically.Especially,how to monitor the integrity of cloud execution environments is still a difficult task.In this paper,a real-time dynamic integrity validation(DIV) framework is proposed to monitor the integrity of virtual machine based execution environments in the cloud.DIV can detect the integrity of the whole architecture stack from the cloud servers up to the VM OS by extending the current trusted chain into virtual machine's architecture stack.DIV introduces a trusted third party(TTP) to collect the integrity information and detect remotely the integrity violations on VMs periodically to avoid the heavy involvement of cloud tenants and unnecessary information leakage of the cloud providers.To evaluate the effectiveness and efficiency of DIV framework,a prototype on KVM/QEMU is implemented,and extensive analysis and experimental evaluation are performed.Experimental results show that the DIV can efficiently validate the integrity of files and loaded programs in real-time,with minor performance overhead.     

Java虚拟机内存管理与优化策略

多年以来,人们使用工具来完成任务,直到最近我们的工具才开始变得越来越聪明,并且互相连接起来。微处理器已经出现在很多日常使用的物品中,并且越来越多地和网络有了联系。J2ME目标是在具有16位或32位处理器和总量不少于约128KB的存储器的微型设备上运行JAvA程序。但由于硬件和软件方面的限制,为了给应用程序尽可能的空间和资源,让应用程序在虚拟机上流畅、稳定地运行,因而需要对这类嵌入式JAVA虚拟机进行优化处理,以提高其性能。对于JVW中代的划分、根集的确定和堆空间的分配、回收的新算法无疑能够优化虚拟机,提高其效率。     

基于模糊识别和支持向量机的联合Rootkit动态检测技术研究

 针对Rootkit恶意代码动态检测技术进行研究.总结出典型Rootkit恶意程序动态行为所调用的系统API函数.实时统计API调用序列生成元并形成特征向量,通过模糊隶属函数和模糊权向量,采用加权平均法得到模糊识别的评估结果;基于层次的多属性支持向量机分析法构建子任务;基于各个动态行为属性的汉明距离定位Rootkit的类型.提出的动态检测技术提高了自动检测Rootkit的准确率,也可以用于检测未知类型恶意代码.     

一种高效的面向虚拟桌面恶意代码检测机制简

 与传统的恶意代码检测方式相比,面向虚拟桌面的恶意代码检测方法面临着性能方面的挑战,同一物理服务器上多个虚拟桌面同时开展恶意代码检测使得磁盘等硬件成为严重的IO性能瓶颈.本文提出了一种高效的虚拟桌面恶意代码检测方案,基于母本克隆技术的虚拟桌面恶意代码检测机制（MCIDS）,MCIDS根据虚拟桌面系统的特点,通过系统映像网络存储克隆技术以及部署在网络存储系统中的恶意代码引擎减少虚拟桌面系统中的恶意代码检测范围,有效减少恶意代码检测所需的磁盘IO开销;同时MCIDS还克服了传统“Out-of-the-Box”安全检测机制存在的语义差别问题,改善了系统的安全性能.在原型系统上的实验显示该方法在技术上是可行的,与现有方法相比MCIDS具有较好的性能优势.     

Physical Memory Collection and Analysis in Smart Grid Embedded System

Unlike the existing electric grid, the smart grid has a variety of functions that enable electric utility suppliers and consumers to perform dual exchanges of real-time information by adding IT technology. Therefore, the systems of smart grid suppliers and those of users are always connected through a network, which means that the systems related to the smart grid could become targets of malicious attackers. The various smart grid systems could have different hardware configuration from those of general systems, but their fundamental operating mechanism is the same as that of the general computer system. When a system is operating, its information and the data used by a program are loaded into the system’s memory. In this paper, we studied the method of physical memory collection and analysis in smart grid embedded systems in order to help investigate crimes related to smart grids. In addition, we verify the method studied in this paper through the collection and analysis of physical memory in the virtual Linux environment using a virtual machine.     

New extension method of trusted certificate chain in virtual platform environment

When using trusted computing technology to build a trusted virtual platform environment,it is a hot problem that how to reasonably extend the underlying physical TPM certificate chain to the virtual machine environment.At present,the certificate trust expansion schemes are not perfect,either there is a violation of the TCG specifications,or TPM and vTPM certificate results inconsistent,either the presence of key redundancy,or privacy CA performance burden,some project cannot even extend the certificate trust.Based on this,a new extension method of trusted certificate chain was proposed.Firstly,a new class of certificate called VMEK (virtual machine extension key) was added in TPM,and the management mechanism of certificate VMEK was constructed,the main feature of which was that its key was not transferable and could be used to sign and encrypt the data inside and outside of TPM.Secondly,it used certificate VMEK to sign vTPM’s vEK to build the trust relationship between the underlying TPM and virtual machine,and realized extension of trusted certificate chain in virtual machine.Finally,in Xen,VMEK certificate and its management mechanism,and certificate trust extension based on VMEK were realized.The experiment results show that the proposed scheme can effectively realize the remote attestation function of virtual platform.     

基于虚拟机自省的运行时内存泄漏检测模型

云计算及数据中心领域中已广泛采用虚拟化技术来尽可能消除虚拟计算环境中的内存泄漏是提高其可靠性的一种重要途径。提出了一种基于虚拟机自省机制的运行时内存泄漏的信息流检测模型与内存泄漏的判定方法,设计并实现了该模型的原型系统。通过对原型系统的有效性与性能评估实验分析,结果表明,该模型方法能有效地检测出运行时内存泄漏,并且具有较好的性能。     

抗侧信道攻击的服务功能链部署方法

侧信道攻击是当前云计算环境下多租户间信息泄露的主要途径,针对现有服务功能链(SFC)部署方法未充分考虑多租户环境下虚拟网络功能(VNF)面临的侧信道攻击问题,该文提出一种抗侧信道攻击的服务功能链部署方法。引入基于时间均值的租户分类策略以及结合历史信息的部署策略,在满足服务功能链资源约束条件下,以最小化租户所能覆盖的服务器数量为目标建立相应的优化模型,并设计了基于贪婪选择的部署算法。实验结果表明,与其他部署方法相比,该方法显著提高了恶意租户实现共存的难度与代价,降低了租户面临的侧信道攻击风险。     

A method for preventing online games hacking using memory monitoring

Several methods exist for detecting hacking programs operating within online games. However, a significant amount of computational power is required to detect the illegal access of a hacking program in game clients. In this study, we propose a novel detection method that analyzes the protected memory area and the hacking program's process in real time. Our proposed method is composed of a three-step process: the collection of information from each PC, separation of the collected information according to OS and version, and analysis of the separated memory information. As a result, we successfully detect malicious injected dynamic link libraries in the normal memory space.     

基于虚拟机的僵尸网络仿真系统可扩展性优化

僵尸网络仿真是僵尸网络研究领域的一门新兴技术,近年来日益得到广泛的关注。现有研究中基于虚拟机的大规模僵尸网络实用仿真系统比较缺乏,现有系统缺乏对虚拟机集群的快速部署、多虚拟化（尤其是对轻量级虚拟化）、僵尸网络特性（如僵尸网络的昼夜随机关机开机）模拟、高可扩展性功能的支持。通过对僵尸网络仿真特性的分析,提出了一种基于虚拟机的僵尸网络仿真系统及适用于僵尸网络仿真系统的可扩展性优化技术。实验表明,所提出的基于内存性能优化和CPU性能优化的技术,可以使每个虚拟机的常驻内存比优化前减少77%以上,同一台物理机所能开启的最大虚拟机数量由15台增加到43台,当限制虚拟机的vCPU占用率到100 000时,主机CPU占用率在同样情况下能从100%降低到20%,优化效果显著。     

Optimization strategy of virtual machine online migration with awareness of application characteristics and network bandwidth migration

Firstly the experiments to verify the relationship between the number of dirty memory pages and application characteristics which exist in virtual machine migration was conducted.Then,different virtual machine application characteristics were perceived,with which the number of dirty memory pages produced during the migrations was predicted by the use of GM(1,N) grey prediction model.At the same time,using residual correction to adjust error makes results more reliable.According to the prediction of memory dirty pages,network bandwidth was adjusted and reserved.Compared with the traditional pre-copy strategy,the given experiments show that the optimized strategy proposed can improve the performance of network and reduce migratory cost for the memory-intensive and network-intensive applications.     

一种虚拟路由冗余协议负载均衡技术实现机制

标准VRRP（虚拟路由器冗余协议）解决在配置默认网关环境下消除网络单点故障问题,其协议自身不够灵活,即虚拟路由器中只有主设备进行流量转发,其他备用设备均作为备份不进行流量转发,无法负载分担,不能最大程度提高带宽和设备利用率。针对该局限,在此基于与某公司的合作项目,论述了一种虚拟路由冗余协议负载均衡实现机制,在标准VRRP协议分析研究基础上引入虚拟转发器和转发状态机,实现一个虚拟IP对应多个虚拟MAC的机制,无需配置多个备份组就能同时实现路由冗余备份和流量负载均衡,使局域网内用户能够通过每台虚拟转发器与外界通信,极大地提高资源利用率,最后以实验验证了设计可行性。     

Cloud outsourcing secret sharing scheme against covert adversaries

In order to make computationally weak cloud tenants can reconstruct a secret with efficiency and fairness,a cloud outsourcing secret sharing scheme was proposed,which combined cloud outsourcing computation with secret sharing scheme.In the process of outsourcing secret sharing,cloud tenants just need a small amount of decryption and validation operations,while outsource expensive cryptographic operations to cloud service provider (CSP).The scheme,without complex interactive augment or zero-knowledge proof,could detect malicious behaviors of cloud tenants or cloud service providers.And the scheme was secure against covert adversaries.Finally,every cloud tenant was able to obtain the secret fairly and correctly.Security analysis and performance comparison show that scheme is safe and effective.     

云计算虚拟机部署方案的研究

提出了一种虚拟机部署方案,该方案的目的是减少主机上的资源碎片。对不同规格的虚拟机在下一时间段内的增量进行了预测,根据预测结果对资源池中主机上的可用中央处理器（CPU）和内存（memory）进行动态规划。该方案考虑了用户的行为习惯,预先确定了资源的分配规则,当用户申请虚拟机时,直接将虚拟机部署到指定的主机上。最后在CloudStack平台上对该方案进行了实验验证,实验结果表明该方案能够有效地减少资源碎片。     

基于遗传算法的恶意代码对抗样本生成方法

机器学习已经广泛应用于恶意代码检测中,并在恶意代码检测产品中发挥重要作用。构建针对恶意代码检测机器学习模型的对抗样本,是发掘恶意代码检测模型缺陷,评估和完善恶意代码检测系统的关键。该文提出一种基于遗传算法的恶意代码对抗样本生成方法,生成的样本在有效对抗基于机器学习的恶意代码检测模型的同时,确保了恶意代码样本的可执行和恶意行为的一致性,有效提升了生成对抗样本的真实性和模型对抗评估的准确性。实验表明,该文提出的对抗样本生成方法使MalConv恶意代码检测模型的检测准确率下降了14.65%;并可直接对VirusTotal中4款基于机器学习的恶意代码检测商用引擎形成有效的干扰,其中,Cylance的检测准确率只有53.55%。     

基于改进型循环神经网络的恶意代码分类检测

近年来,随着恶意代码检测技术的提升,网络攻击者开始倾向构建能自重写和重新排序的恶意代码,以避开安全软件的检测。传统的机器学习方法是基于安全人员自主设计的特征向量来判别恶意代码,对这种新型恶意代码缺乏检测能力。为此,文中提出了一种新的基于代码时序行为的检测模型,并采用回声状态网络、最大池化和半帧结构等方式对神经网络进行优化。与传统的检测模型相比,改进后的模型对恶意代码的检测率有大幅提升。     

一种超额认购虚拟数据中心的嵌入算法

多租户数据中心环境下,保证云应用性能的一个重要因素是为租户应用提供可保证的通信带宽,这可以通过为每个租户提供一个独占的虚拟数据中心(VDC)来实现.研究了在物理数据中心网络中超额认购数据中心的嵌入问题.相对于一般虚拟数据中心,超额认购虚拟数据中虚拟机之间的流量模式更加复杂,因此首先利用线性规划方程阐述了流量模型及嵌入问题.对于虚拟机嵌入问题,提出了一种具有较低时间复杂度的启发式算法——分组扰动算法.最后,通过仿真实验将分组扰动算法和先前工作中提出的算法以及著名的first-fit进行了比较,实验表明所提算法在降低算法复杂度的同时提高了嵌入成功率.     

一种基于深度学习的强对抗性Android恶意代码检测方法

针对现有Android恶意代码检测方法容易被绕过的问题,提出了一种强对抗性的Android恶意代码检测方法.首先设计实现了动静态分析相结合的移动应用行为分析方法,该方法能够破除多种反分析技术的干扰,稳定可靠地提取移动应用的权限信息、防护信息和行为信息.然后,从上述信息中提取出能够抵御模拟攻击的能力特征和行为特征,并利用一个基于长短时记忆网络（Long Short-Term Memory,LSTM）的神经网络模型实现恶意代码检测.最后通过实验证明了本文所提出方法的可靠性和先进性.