CN-122020670-A - Virtual machine peripheral safe mounting method based on depth fingerprint and dynamic risk control

Abstract

The invention discloses a virtual machine peripheral safe mounting method based on depth fingerprint and dynamic risk control, which is applied to a host virtual machine environment. Triggering daemon to obtain VID/PID, descriptor, class specific function information and instruction response time sequence after the peripheral is accessed, constructing depth fingerprint and inquiring policy library, dividing the peripheral into white list, black list or unknown device, automatically mounting the white list, preventing mounting the black list and recording event, calculating comprehensive risk value R for the unknown device, comparing with threshold value, and executing automatic mounting, secondary authentication or preventing mounting. And continuously monitoring I/O behaviors after mounting, extracting throughput, access modes, burst time sequences and file semantic features to perform anomaly detection, and suspending transmission, alarming and disconnection treatment during anomaly to realize full life cycle safety management and control.

Inventors

• LIANG JINGWEI
• LIU CHENG
• HE YANG

Assignees

• 晟为数科(深圳)科技有限公司

Dates

Publication Date

20260512

Application Date

20260212

Claims (10)

1. 1. The virtual machine peripheral equipment safe mounting method based on the depth fingerprint and the dynamic risk control is characterized by being applied to a virtual machine environment running on a host machine, and comprising the following steps: Triggering a peripheral safe mounting process when the host detects a peripheral access event; The method comprises the steps of obtaining a depth fingerprint of a peripheral, wherein the depth fingerprint at least comprises basic identification information of the peripheral, equipment descriptor information and physical behavior characteristics, and the physical behavior characteristics comprise instruction response time sequence characteristics obtained by sending legal and nondestructive standard instructions to the peripheral and measuring response time of the standard instructions; Querying a policy knowledge base based on the deep fingerprint to determine whether the peripheral belongs to a whitelisted device, a blacklisted device, or an unknown device; When the peripheral belongs to white list equipment, judging the peripheral as low risk and automatically mounting the peripheral to the virtual machine, and updating the peripheral as trusted; when the peripheral belongs to the blacklist equipment, judging the peripheral as high risk, preventing mounting and recording a security event, and updating the peripheral as unreliable; When the peripheral is an unknown device, calculating a comprehensive risk value R of the peripheral, comparing the comprehensive risk value R with a preset low risk threshold value theta low and a preset high risk threshold value theta high, and executing one of the following control according to a comparison result: When R is less than or equal to theta low, judging the peripheral equipment to be low in risk and automatically mounting the peripheral equipment to the virtual machine; when R is more than or equal to theta high, judging the peripheral equipment as high risk, preventing mounting and recording a security event; when theta low < R < theta high, initiating secondary authentication; updating the peripheral equipment to be trusted and automatically mounting the peripheral equipment to the virtual machine when the secondary authentication is passed, updating the peripheral equipment to be untrusted and preventing mounting and recording a security event when the secondary authentication is not passed; And when the high-risk abnormal behavior is identified, triggering active defense treatment, wherein the active defense treatment at least comprises one or a combination of suspending transmission, notifying a user alarm and forcibly disconnecting the peripheral.
2. 2. The method of claim 1, wherein obtaining the deep fingerprint comprises parsing the peripheral access event to obtain unique path identification information of the peripheral in the system, the path identification information comprising a bus number and a device number or port path identification, and opening the peripheral and obtaining a device handle in a control transmission manner through a libusb interface or a kernel usbfs interface.
3. 3. The method of claim 2, wherein the base identification information comprises at least a vendor IDVID, a product IDPID, a device version number bcdDevice, and string descriptor indexes iManufacturer, iProduct and iSerialNumber of the peripheral device.
4. 4. The method of claim 2, wherein the device descriptor information includes reading configuration descriptors and their associated interface descriptors and endpoint descriptors via control transmissions and obtaining therefrom device class/subclass/protocol codes and endpoint addresses, endpoint attributes and maximum packet sizes, and wherein the obtaining depth fingerprints further includes obtaining vendor strings, product strings and serial number strings based on the string descriptor index and performing unified transcoding and normalization processing on the strings.
5. 5. The method of claim 4, wherein when the peripheral device is identified as a storage class device, the obtaining the depth fingerprint further comprises sending a SCSIINQUIRY command to obtain a vendor identification, a product identification, and a product revision level, and sending READCAPACITY a command to obtain a number of logical blocks and a logical block size.
6. 6. The method of claim 4, wherein the obtaining a depth fingerprint further comprises: Selecting a TEST instruction set aiming at the class of the peripheral, wherein the TEST instruction set at least comprises a GET_DESCRIPTOR request for controlling transmission, and when the peripheral is a storage class device, the TEST instruction set also comprises a TEST_UNIT_ READY, REQUEST _SENSE and a short-length READ command; Executing the test instruction set for a plurality of times in a fixed sequence, recording the delay time from the completion of sending each instruction to the receipt of complete response in a high-precision timing mode, and further calculating the average response time of each instruction to form an instruction response fingerprint; Generating a fused fingerprint vector F based on the base identification information, the device descriptor information, the function information obtained by the class-specific request, and the instruction response timing characteristics, Wherein the fingerprint vector F comprises at least a set of basic identification information BaseInfo formed by the basic identification information, an extended static information set ExpStaData formed by the device descriptor information and string information, a set of function information FunctionInfoData obtained by class-specific requests, and a set of instruction response time characteristics InstResponseTime formed by the instruction response time characteristics.
7. 7. The method of claim 1, wherein the integrated risk value R is obtained by a multi-factor weighted summation, the multi-factor including at least device risk Risk of behaviour Contextual risk The comprehensive risk value The following relation is satisfied: ; Wherein, the 、 、 Is a preset or configurable weight coefficient; Risk of the equipment The method comprises the steps that a fingerprint vector F inserted into a peripheral is compared with registered fingerprint vectors in a strategy knowledge base, the comparison result comprises an overlapping proportion or similarity index, and the risk of equipment is determined according to the comparison result; risk of the behavior Determining by a peripheral access initial behavior, wherein the access initial behavior comprises behavior characteristics of the peripheral attempting to enumerate a large number of endpoints or send abnormal data packets after insertion; the contextual risk The method comprises determining based on the environmental information, the environmental information comprising at least access period information and access location information.
8. 8. The method of claim 1, wherein the automatically mounting to the virtual machine is accomplished through an underlying virtualization interface, the underlying virtualization interface comprising a libvirt interface.
9. 9. The method of any one of claims 1 to 8, wherein the continuous monitoring after the peripheral is mounted to the virtual machine comprises initializing an I/O monitoring framework, creating an independent monitoring thread for each peripheral and initializing a buffer for recording time-ordered I/O events, wherein the continuous monitoring and analysis comprises periodically extracting I/O behavior feature vectors, the I/O behavior feature vectors comprising at least throughput features, access pattern features, time-ordered burst features, and semantic features, wherein: The throughput characteristics comprise read-write bandwidth and IOPS; The access mode features comprise a ratio of sequential access to random access or an access mode index calculated based on entropy; The time sequence burst characteristic comprises duration time and idle interval of burst transmission; The semantic features include recognition results of the type of file being transferred.
10. 10. The method of claim 9, wherein identifying abnormal behavior comprises performing dynamic abnormality detection based on the I/O behavior feature vector, and wherein at least two of suspending peripheral data transfer, sending alert notifications to a user, and forcing disconnection of peripherals by virtualizing off-load peripherals or disconnecting peripherals when high risk abnormal behavior is detected, is performed sequentially or in parallel.

Description

Virtual machine peripheral safe mounting method based on depth fingerprint and dynamic risk control Technical Field The invention relates to the technical field of computer information security and virtualization, in particular to a virtual machine peripheral secure mounting method based on depth fingerprint and dynamic risk control. Background With the wide application of virtualization technology, in the scene of severe requirements on terminal security, such as government affairs, a mode of running a virtual machine on a host machine to bear a specific service system is often adopted to realize service isolation and centralized management and control. Under such a scenario, USB storage, USB network card, encryption key and other external devices are used as necessary carriers for service operation and maintenance management, and the process of accessing and mounting the external devices to the virtual machine is not only a key link of data interaction, but also an important source of security risks such as data leakage, malicious code introduction, unauthorized access and the like, so that strict management and control on the external device mounting are needed. At present, a static and manual technical scheme is generally adopted for peripheral mounting management in a domestic operating system single virtual machine environment, and a core depends on a Vendor ID (VID) and a Product ID (PID) of USB equipment to realize equipment identification and management. VID and PID are basic identifiers distributed to equipment manufacturers and specific product models by USB standard organizations, and the working flow of the existing scheme is that after a peripheral is inserted into a host, the host kernel reads VID/PID information of equipment, a user needs to manually select from an equipment list through virtual machine management software and complete mounting, or a VID/PID white list is preset, a system automatically mounts compliance equipment by matching the white list information, and unmatched equipment is directly prevented, so that suspicious peripheral is primarily eliminated. However, the prior art has obvious defects in practical application, and is difficult to meet the protection requirement of a scene with high security level, namely, firstly, the identity recognition reliability is insufficient and the anti-counterfeiting capability is weak. The VID/PID is only the basic classification identification of the equipment, the data format is simple and easy to be tampered or imitated by malicious, an attacker can enable malicious peripherals to bypass a system basic identification mechanism to illegally access a virtual machine by forging VID/PID information of legal equipment, so that core data is revealed, great hidden danger is brought to information safety, and the capability of intelligent perception and dynamic risk research and judgment is lacking. The existing scheme can only perform one-time static identity verification at the initial stage of equipment access, cannot judge the rationality of equipment access by combining with the context information such as user operation intention, use period, office place and the like, cannot monitor the behavior risk after equipment access, for example, when legally accessed equipment suddenly initiates malicious operations such as a large number of data copies, abnormal enumeration endpoints and the like, a system cannot sense and early warn in real time, and thirdly, a protection chain is incomplete and a full life cycle safety closed loop is not formed. The protection in the prior art is limited to the identity verification in the equipment access stage, the whole operation process after equipment mounting is not covered, the sudden malicious behavior after equipment access cannot be handled, obvious breakpoints exist in the protection, and the end-to-end protection from equipment access, risk assessment to operation monitoring is difficult to realize. In summary, the conventional VID/PID-based virtual machine peripheral mounting scheme has defects in reliability of identity recognition, intelligence of risk management and control and protection integrity, and cannot meet the severe requirements of fields such as government affairs on core data security, so that a secure mounting technology with high-precision equipment recognition, dynamic risk assessment and full life cycle monitoring capability is needed to solve the defects of the prior art. Disclosure of Invention The invention aims to overcome the defects that the prior virtual machine peripheral mounting scheme relies on basic identifications such as VID/PID to perform static admission control, so that the reliability of identity identification is insufficient, dynamic risk research and judgment are lacked, and continuous monitoring is performed after mounting, and provides a virtual machine peripheral safe mounting method based on deep fingerprint and dynamic risk control; the method compris