With the spread of personal computers, mobile computing devices, and cloud computing in recent years, computer security has become a topic of growing concern. People store large amounts of key data on various devices, including email, personal photos, bank accounts and passwords, social networking accounts, and the like, which makes these devices targets for hackers. How to enhance computer security has become an essential problem to be solved.
Virtual machine introspection (VMI) is a method applied in a virtualization environment to enhance virtual machine security from outside the virtual machine by using a virtual machine monitor (VMM). With this technology, security operations such as an antivirus operation and a network firewall operation can be performed by directly scanning the memory and disk of the virtual machine while it runs and by monitoring its network behavior.
Because a virtualization platform isolates the execution of the VMM from that of the virtual machine, the VMM runs outside the virtual machine when virtual machine introspection is applied. Unlike conventional security software that runs inside the virtual machine, the security of the VMM does not rely on the virtual machine itself; therefore, even if the virtual machine is infected by malware, the malware cannot interfere with execution of the VMM. However, this execution isolation also creates a semantic gap problem: the VMM cannot learn the internal semantics of the virtual machine, which poses a great challenge to applications that use virtual machine introspection to enhance virtual machine security.
VMI systems use different methods to narrow the semantic gap as much as possible, and a relatively important one among the various semantic gap problems is how to choose when to trigger virtual machine introspection. Generally, VMI systems mainly trigger virtual machine introspection in the following manner.
A fixed time interval is set, and the VMI system is triggered at that interval to perform a security check. The advantage of this method is that it is easy to implement, because the VMI system does not need to be triggered according to specific semantic information. However, a regular-check solution must balance performance against security. If the check interval is set too long, some attacks that should have been detected may be missed, or may be detected only after they succeed, and consequently an irreparable loss, such as disclosure of confidential data, may be caused. If the check interval is set too short, the additional load on the system may increase greatly, affecting normal execution and weakening the availability of the system.
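The interval trade-off described above can be made concrete with a small model, given here as an added example that is not part of the original text. The attack timelines, the 50 ms scan cost, and all names in the code are constructed assumptions, and overhead is modeled simply as scan cost divided by interval.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Attack:
    """Constructed attack timeline; all times in ms since monitoring began."""
    name: str
    visible: int   # malicious state first observable in guest memory
    succeeds: int  # attacker's goal reached (e.g. confidential data disclosed)
    cleaned: int   # traces removed from guest state

def first_check_at_or_after(t: int, interval: int) -> int:
    """Periodic checks fire at interval, 2*interval, ...; return the first >= t."""
    return max(1, -(-t // interval)) * interval  # integer ceiling division

def classify(a: Attack, interval: int) -> str:
    check = first_check_at_or_after(a.visible, interval)
    if check >= a.cleaned:
        return "missed"            # no check ever observed the malicious state
    if check >= a.succeeds:
        return "detected_late"     # observed, but only after the attack succeeded
    return "detected_in_time"

def evaluate(attacks, interval: int, check_cost: int) -> dict:
    """Tally outcomes and the share of wall-clock time spent on checks."""
    result = {"missed": 0, "detected_late": 0, "detected_in_time": 0}
    for a in attacks:
        result[classify(a, interval)] += 1
    result["overhead"] = check_cost / interval
    return result

SAMPLE_ATTACKS = [  # constructed timelines, not measurements
    Attack("transient", visible=1200, succeeds=1500, cleaned=1900),
    Attack("slow", visible=4000, succeeds=9000, cleaned=60000),
    Attack("fast_persistent", visible=10100, succeeds=10400, cleaned=30000),
]
CHECK_COST_MS = 50  # assumed cost of one memory scan

if __name__ == "__main__":
    for interval in (10000, 1000, 100):
        print(interval, evaluate(SAMPLE_ATTACKS, interval, CHECK_COST_MS))
```

In this model only the 100 ms interval catches all three attacks in time, at the price of half the wall-clock time being spent on checks.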
Therefore, it is imperative to provide a timely and effective security check triggering mechanism in the VMI system.