Cite this article:
- Zhang Kun, Xu Yang, Li Chen, Tu Bibo. Review on Detection Technology of VM Lateral Movement Attacks (虚拟机横向移动攻击检测技术研究综述) [J]. Journal of Cyber Security (信息安全学报), accepted.
- zhangkun, xuyang, lichen, tubibo. Review on Detection Technology of VM Lateral Movement Attacks [J]. Journal of Cyber Security, accepted.
This article has been viewed 3342 times and downloaded 56 times.
Review on Detection Technology of VM Lateral Movement Attacks
Zhang Kun, Xu Yang, Li Chen, Tu Bibo
(Institute of Information Engineering, Chinese Academy of Sciences)
Abstract:
Cloud computing, built on virtualization technology, provides a service model in which physical resources such as compute, storage and networking are pooled and shared by multiple tenants with elastic scaling. This concentration of resources means not only that business and data are concentrated, but also that security threats formerly scattered across independent physical nodes are concentrated in the cloud environment. Consequently, two new characteristics of the cloud, co-resident virtual machines sharing the underlying physical resources and network traffic that is predominantly "east-west", give rise to a new security threat: virtual machine lateral movement attacks. This paper analyzes the risks of virtual machine lateral movement attacks exposed by these new characteristics of cloud environments, summarizes such attacks, examines their root causes in depth, and proposes a threat model for them. Based on the threat model, virtual machine lateral movement attacks are divided into three classes: Cross-VM Side Channel Attacks (SCA), VM Distributed Denial of Service (DDoS) attacks, and virtual machine escape attacks. Detection techniques for these three classes of lateral movement attacks are then surveyed. The survey finds that current virtual machine lateral movement attacks are numerous in kind, that attack methods keep changing, and that detection techniques still have many shortcomings. How to respond effectively to these attacks and thereby secure cloud computing is a problem that urgently needs to be solved. In the cloud environment, new technical means must be continually researched, more advanced detection methods explored, and existing detection and defense measures continually improved, so that virtual machine lateral movement attacks can be detected more comprehensively, efficiently and precisely. In light of the technical challenges facing detection techniques for virtual machine lateral movement attacks, this paper discusses future research directions for such techniques and offers research prospects on how to realize a loosely coupled, systematic cloud intrusion detection system for virtual machines, in order to better secure cloud environments.
Keywords: cloud environment; VM lateral movement; attack detection
DOI: 10.19363/J.cnki.cn10-1380/tn.2025.04.02
Received: 2023-04-19; Revised: 2023-07-19
Funding:
Review on Detection Technology of VM Lateral Movement Attacks
Zhang Kun, Xu Yang, Li Chen, Tu Bibo
(Institute of Information Engineering, Chinese Academy of Sciences)
Abstract:
Cloud computing, built on virtualization technology, offers a service model that enables flexible scalability and centralized sharing of physical resources such as computing, storage, and networking among multiple tenants. While the centralization of cloud computing consolidates business operations and data, it also concentrates security threats that were previously distributed across independent physical nodes. Consequently, the unique characteristics of cloud environments, including the co-location of virtual machines (VMs) sharing underlying physical resources and the predominant flow of "east-west" network traffic, give rise to a new security threat known as virtual machine lateral movement attacks. This paper analyzes the vulnerabilities to virtual machine lateral movement attacks exposed by the new characteristics of cloud environments and provides a comprehensive summary of such attacks. It delves into the root causes of virtual machine lateral movement attacks and proposes a threat model for them. Based on the threat model, virtual machine lateral movement attacks are categorized into three classes: Cross-VM Side Channel Attacks (SCA), VM Distributed Denial of Service (DDoS) Attacks, and Virtual Machine Escape Attacks. The detection techniques for these three classes of lateral movement attacks are then surveyed. The survey points out that there are many types of lateral movement attacks in current virtual machine environments, with constantly evolving attack methods, while the detection techniques still have many shortcomings. Effectively addressing these attacks to ensure cloud computing security is a pressing issue that needs to be resolved. In the cloud environment, continuous research into new technological means, exploration of more advanced detection methods, and constant improvement of existing detection and defense measures are necessary to achieve more comprehensive, efficient, and accurate detection of lateral movement attacks in virtual machines. Considering the technical challenges associated with detecting lateral movement attacks in virtual machines, this paper discusses future research directions for these detection techniques and presents research prospects for achieving a loosely coupled, systematic intrusion detection system for virtual machines, in order to better ensure the security of cloud environments.
Key words: cloud environment; VM lateral movement; attack detection