基于动态策略学习的关键内存数据访问监控 (Critical Memory Data Access Monitoring Based on Dynamic Strategy Learning)
  • English title: Critical Memory Data Access Monitor Based on Dynamic Strategy Learning
  • Authors: 冯馨玥 (Feng Xinyue); 杨秋松 (Yang Qiusong); 石琳 (Shi Lin); 王青 (Wang Qing); 李明树 (Li Mingshu)
  • Affiliations: National Engineering Research Center for Fundamental Software, Institute of Software, Chinese Academy of Sciences; University of Chinese Academy of Sciences; State Key Laboratory of Computer Science (Institute of Software, Chinese Academy of Sciences)
  • Keywords: safety-critical data; memory access monitoring; monitoring strategy; sequential pattern mining; event interception
  • Journal: 计算机研究与发展 (Journal of Computer Research and Development); journal code JFYZ
  • Publication date: 2019-07-15
  • Year: 2019
  • Volume: 56
  • Issue: 07
  • Pages: 116-133 (18 pages)
  • CN: 11-1777/TP
  • Record ID: JFYZ201907011
  • Funding: National Science and Technology Major Project "核高基" (core electronic devices, high-end generic chips and basic software) (2014ZX01029101-002); National Natural Science Foundation of China (61432001); National Natural Science Foundation of China Young Scientists Fund (61802374)
  • Language: Chinese
Abstract
In virtual machine monitor (VMM) based system monitoring, fine-grained memory access behaviour is usually observed by intercepting accesses to safety-critical memory and the execution of critical instructions. Intercepting memory accesses through the VMM, however, makes CPU control trap into the VMM frequently, and the resulting performance overhead is large. Existing work reduces the trap frequency by relocating safety-critical data into dedicated memory regions, either by modifying the kernel source at build time or by patching the kernel binary directly. These approaches must modify the monitored system itself, and the monitored regions cannot be changed while the system is running, which limits their applicability and flexibility. To address this, the paper proposes DynMon, a method that adjusts at runtime which safety-critical memory data are monitored; it is transparent to the monitored system and requires no change to its source code or binary. DynMon first collects and analyses historical data to learn automatically the relationship between the system's runtime state and accesses to safety-critical data, and uses that relationship as the basis of its monitoring strategy. It then monitors the runtime state continuously and, following the strategy, dynamically adjusts the memory regions whose accesses are intercepted, so that monitoring that is unnecessary in the current state does not cost VM exits. The evaluation shows that, compared with the same monitor without a dynamic strategy, DynMon reduces the extra performance overhead by 22.23%, and that enlarging the set of monitored data does not increase system overhead substantially.
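The abstract describes a learn-then-apply loop: mine the relationship between runtime state and critical-data accesses from a historical trace, then use it as a strategy for deciding which memory regions to trap on in the current state. The Python sketch below is an added illustration of that loop and is not DynMon's code or algorithm. The trace, object names, page addresses, the length-2 pattern miner, the support threshold, and the arming policy (arm the objects the learned patterns associate with the current state, keep objects that no benign pattern ever touches armed in every state, and arm everything in a state never seen during learning) are all assumptions of this sketch; a real monitor would replace the "arm" step with permission changes on the corresponding extended-page-table entries.

```python
from collections import Counter, defaultdict

# Constructed VMM-side trace (made up for this sketch, not data from the paper):
# each entry is a runtime-state change ("state", <name>) or a trapped access to
# a critical kernel object ("access", <object>). Accesses belong to the most
# recent state.
HISTORY = [
    ("state", "sys_open"), ("access", "cred"), ("access", "inode_ops"),
    ("state", "sys_read"), ("access", "inode_ops"),
    ("state", "sched"), ("access", "task_list"),
    ("state", "sys_open"), ("access", "cred"), ("access", "inode_ops"), ("access", "task_list"),
    ("state", "sys_read"), ("access", "inode_ops"), ("access", "cred"),
    ("state", "sched"), ("access", "task_list"), ("access", "cred"),
    ("state", "sys_open"), ("access", "inode_ops"), ("access", "cred"),
    ("state", "sys_read"), ("access", "inode_ops"),
    ("state", "sched"), ("access", "task_list"),
    ("state", "sys_open"), ("access", "cred"), ("access", "inode_ops"),
    ("state", "sys_read"), ("access", "inode_ops"),
]

# Critical objects and the (hypothetical, placeholder) guest page each lives in.
REGIONS = {
    "sys_call_table": (0xFFFFFFFF81E00000, 0x1000),
    "cred": (0xFFFFFFFF82400000, 0x1000),
    "inode_ops": (0xFFFFFFFF82500000, 0x1000),
    "task_list": (0xFFFFFFFF82600000, 0x1000),
}

# A later trace used only for the replay below (also constructed). It touches an
# object no benign pattern covers and enters a state absent from HISTORY.
RUNTIME = [
    ("state", "sys_read"), ("access", "inode_ops"), ("access", "sys_call_table"),
    ("state", "sys_ioctl"), ("access", "cred"),
]


def split_episodes(trace):
    """Group a trace into (state, [objects accessed while in that state])."""
    episodes, state, accessed = [], None, []
    for kind, value in trace:
        if kind == "state":
            if state is not None:
                episodes.append((state, accessed))
            state, accessed = value, []
        elif kind == "access" and state is not None:
            accessed.append(value)
    if state is not None:
        episodes.append((state, accessed))
    return episodes


def mine_strategy(trace, min_support=0.6):
    """Mine length-2 sequential patterns <state -> object>. Relative support is
    the fraction of episodes in `state` during which `object` was accessed at
    least once; patterns at or above `min_support` form the strategy."""
    state_count, pair_count = Counter(), Counter()
    for state, accessed in split_episodes(trace):
        state_count[state] += 1
        for obj in set(accessed):
            pair_count[(state, obj)] += 1
    strategy = defaultdict(set)
    for (state, obj), n in pair_count.items():
        if n / state_count[state] >= min_support:
            strategy[state].add(obj)
    return {s: frozenset(objs) for s, objs in strategy.items()}


def regions_to_monitor(strategy, state):
    """Pick the regions to arm (trap on) in `state`. Policy assumed by this
    sketch: arm the objects the patterns associate with the state, always arm
    objects that no benign pattern ever touches, and arm everything in a state
    that was never observed during learning."""
    learned = frozenset().union(*strategy.values())
    always = frozenset(REGIONS) - learned
    if state not in strategy:
        objs = frozenset(REGIONS)
    else:
        objs = strategy[state] | always
    return {obj: REGIONS[obj] for obj in objs}


def replay(trace, strategy):
    """Count traps when replaying `trace` with every region armed all the time
    (static) versus with regions_to_monitor applied at each state change
    (dynamic). Returns (static_traps, dynamic_traps)."""
    static = dynamic = 0
    armed = set(REGIONS)
    for kind, value in trace:
        if kind == "state":
            armed = set(regions_to_monitor(strategy, value))
        elif kind == "access":
            static += 1
            if value in armed:
                dynamic += 1
    return static, dynamic


if __name__ == "__main__":
    strategy = mine_strategy(HISTORY)
    for state, objs in sorted(strategy.items()):
        print(f"{state:>9} -> {sorted(objs)}")
    print("history replay (static, dynamic traps):", replay(HISTORY, strategy))
    print("runtime replay (static, dynamic traps):", replay(RUNTIME, strategy))
```

The replay counts only accesses to critical objects, so the saving it shows is smaller than a whole-system benchmark would report; the point is the mechanism. The trade-off a practitioner should weigh is visible in regions_to_monitor: whatever is not armed in the current state is not observed in that state, so the support threshold and the fallback for unseen states decide how much visibility is given up for the overhead reduction. The page does not state the rules DynMon itself uses for that decision.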
References
[1]Pham C,Estrada Z,Cao P,et al.Reliability and security monitoring of virtual machines using hardware architectural invariants[C] //Proc of the 44th Annual IEEE/IFIP Int Conf on Dependable Systems and Networks.Piscataway,NJ:IEEE,2014:13- 24
    [2]Li Xun,Huang Hao.Approach of kernel integrity monitoring using hardware virtualization[J].Computer Science,2011,38(12):68- 72 (in Chinese)(李珣,黄皓.一个基于硬件虚拟化的内核完整性监控方法[J].计算机科学,2011,38(12):68- 72)
    [3]Intel Corporation.Intel Xeon processor E7 V2 family technical overview[OL].(2014-02-18)[2018-08-08].https://software.intel.com/en-us/articles/intel-xeon-processor-e7-v2-family-technical-overview
    [4]Wang Zhi,Jiang Xuxian,Cui Weidong,et al.Countering kernel rootkits with lightweight hook protection[C] //Proc of the 16th ACM Conf on Computer and Communications Security.New York:ACM,2009:545- 554
    [5]Srivastava A,Giffin J.Efficient protection of kernel data structures via object partitioning[C] //Proc of the 28th Annual Computer Security Applications Conf.New York:ACM,2012:429- 438
    [6]Lu Kai,Zhang Wenzhe,Wang Xiaoping,et al.Flexible page-level memory access monitoring based on virtualization hardware[C] //Proc of the 13th ACM SIGPLAN/SIGOPS Int Conf on Virtual Execution Environments.New York:ACM,2017:201- 213
    [7]Li Jinku,Wang Zhi,Bletsch T,et al.Comprehensive and efficient protection of kernel control data[J].IEEE Transactions on Information Forensics and Security,2011,6(4):1404- 1417
    [8]Maggi F,Matteucci M,Zanero S.Detecting intrusions through system call sequence and argument analysis[J].IEEE Transactions on Dependable and Secure Computing,2010,7(4):381- 395
    [9]Kolbitsch C,Milani C P,Kruegel C,et al.Effective and efficient malware detection at the end host[C] //Proc of the 18th Conf on USENIX Security Symp.Berkeley,CA:USENIX Association,2009:351- 366
    [10]Rhee J,Lin Zhiqiang,Xu Dongyan.Characterizing kernel malware behavior with kernel data access patterns[C] //Proc of the 6th ACM Symp on Information,Computer and Communications Security.New York:ACM,2011:207- 216
    [11]Mao Weixuan,Cai Zhongmin,Guan Xiaohong,et al.Centrality metrics of importance in access behaviors and malware detections[C] //Proc of the 30th Annual Computer Security Applications Conf (ACSAC'14).New York:ACM,2014:376- 385
    [12]Xu Zhixing,Ray S,Subramanyan P,et al.Malware detection using machine learning based analysis of virtual memory access patterns[C] //Proc of the 20th Conf on Design,Automation & Test in Europe.Leuven,Belgium:European Design and Automation Association,2017:169- 174
    [13]Pan Shengyi,Morris T,Adhikari U.Developing a hybrid intrusion detection system using data mining for power systems[J].IEEE Transactions on Smart Grid,2015,6(6):3104- 3113
    [14]Lee W,Stolfo S.A framework for constructing features and models for intrusion detection systems[J].ACM Transactions on Information and System Security,2000,3(4):227- 261
    [15]Srivastava A,Sural S,Majumdar A.Database intrusion detection using weighted sequence mining[J].Journal of Computers,2006,1(4):8- 17
    [16]Uhlig R,Neiger G,Rodgers D,et al.Intel virtualization technology[J].Computer,2005,38(5):48- 56
    [17]Huang Xiao,Deng Liang,Sun Hao,et al.Secure and efficient kernel monitoring model based on hardware virtualization[J].Journal of Software,2016,27(2):481- 494 (in Chinese) (黄啸,邓良,孙浩,等.基于硬件虚拟化的安全高效内核监控模型[J].软件学报,2016,27(2):481- 494)
    [18]Agrawal R,Srikant R.Mining sequential patterns[C] //Proc of the 11th Int Conf on Data Engineering.Piscataway,NJ:IEEE,1995:3- 14
    [19]Srikant R,Agrawal R.Mining sequential patterns:Generalizations and performance improvements[C] //Proc of the 10th Int Conf on Extending Database Technology.Berlin:Springer,1996:1- 17
    [20]Zaki M J.SPADE:An efficient algorithm for mining frequent sequences[J].Machine Learning,2001,42(1/2):31- 60
    [21]Ayres J,Flannick J,Gehrke J,et al.Sequential pattern mining using a bitmap representation[C] //Proc of the 8th ACM SIGKDD Int Conf on Knowledge Discovery and Data Mining.New York:ACM,2002:429- 435
    [22]Han Jiawei,Pei Jian,Mortazavi-Asl B,et al.FreeSpan:Frequent pattern-projected sequential pattern mining[C] //Proc of the 6th ACM SIGKDD Int Conf on Knowledge Discovery and Data Mining.New York:ACM,2000:355- 359
    [23]Pei Jian,Han Jiawei,Mortazavi-Asl B,et al.Mining sequential patterns by pattern-growth:The prefixspan approach[J].IEEE Transactions on Knowledge & Data Engineering,2004,16(11):1424- 1440
    [24]Fumarola F,Lanotte P F,Ceci M,et al.CloFAST:Closed sequential pattern mining using sparse and vertical id-lists[J].Knowledge and Information Systems,2016,48(2):429- 463
    [25]McCalpin J D.Stream:Sustainable memory bandwidth and machine balance in current high performance computers[OL].(2016-07-28)[2018-08-15].http://www.cs.virginia.edu/stream/
    [26]Iozone Project.IOzone filesystem benchmark[OL].(2016-01-23)[2019-01-01].http://www.iozone.org/
    [27]Cruvolo.RAMspeed/SMP,a cache and memory benchmarking tool[OL].(2018-07-12)[2019-01-01].https://github.com/cruvolo/ramspeed-smp
    [28]Gandhi J,Basu A,Hill M D,et al.Efficient memory virtualization:Reducing dimensionality of nested page walks[C] //Proc of the 47th Annual IEEE/ACM Int Symp on Microarchitecture (MICRO-47).New York:ACM,2014:178- 189
    [29]Feng Xinyue,Yang Qiusong,Shi Lin,et al.BehaviorKI:Behavior pattern based runtime integrity checking for operating system kernel[C] //Proc of IEEE Int Conf on Software Quality,Reliability and Security.Piscataway,NJ:IEEE,2018:13- 24
    [30]Cui Chaoyuan,Li Yonggang,Wu Yun,et al.A memory forensic method based on hidden event trigger mechanism[J].Journal of Computer Research and Development,2018,55(10):2278- 2290 (in Chinese)(崔超远,李勇钢,乌云,等.一种基于隐藏事件触发机制的内存取证方法[J].计算机研究与发展,2018,55(10):2278- 2290)
