Application Research of Computers (《计算机应用研究》)

Method of detecting hidden process based on Xen virtualization (基于Xen虚拟化的隐藏进程检测方法)

Authors ZHAO Zhi-yuan, ZHU Zhi-qiang, SUN Lei, YANG Jie (赵志远, 朱智强, 孙磊, 杨杰)
Affiliation The Third Institute, Information Engineering University, Zhengzhou 450000, China
Article number 1001-3695(2015)04-1127-04
DOI 10.3969/j.issn.1001-3695.2015.04.040
Abstract Malicious processes use rootkits to make themselves highly stealthy. Conventional hidden-process detection tools are deployed inside the very system they inspect and are therefore easy to attack. To improve the detection system's resistance to attack and its accuracy, this paper proposes a hidden-process detection system based on feature matching in a virtualized environment. The system is deployed outside the monitored virtual machine, scans the machine's memory at a self-adjusting detection frequency to obtain process-related information, and detects hidden processes by measuring the similarity of that information to pre-built feature templates. Experimental results show that the system can effectively detect typical rootkit code and confirm the presence of hidden processes.
Keywords VMM; hidden process; matching features; matching template; similarity matching; detection frequency
Funding National "863" High-Tech Program (2008AA01Z404); National Defense Pre-Research Foundation (910A26010306JB5201)
Article URL http://www.arocmag.com/article/01-2015-04-040.html
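The detection approach the abstract describes, an out-of-VM scan of guest memory, similarity matching of candidate structures against a pre-built feature template, and a self-adjusting scan interval, as an added, self-contained Python example. This is not the paper's code: the process-descriptor layout, the template fields and weights, the 0.8 threshold, the interval policy and the decision to call a process "hidden" when the template scan finds it but the guest's own process list does not (a cross-view comparison) are all assumptions constructed for this demo. The "guest memory" is a bytearray built in the block, with one descriptor unlinked from the process list the way a DKOM rootkit would do it.

```python
"""
Constructed demo of out-of-VM hidden-process detection by template matching.
Guest memory is a bytearray built here; the descriptor layout is made up for
the example (not the paper's method, not any real kernel's structure).
"""
import struct

# Hypothetical guest process descriptor (all offsets are demo assumptions):
#   0x00 u32 state  (0..4)    0x04 u32 pid   (1..65535)
#   0x08 u64 next   (16-byte aligned pointer)   0x10 u64 prev
#   0x18 16s name   (printable ASCII, NUL-terminated)   0x28 u32 magic
DESC_SIZE, ALIGN, MAGIC = 0x30, 16, 0xC0DE0001
STRUCT = struct.Struct("<IIQQ16sI")

def build_memory(procs, hidden_pids):
    """Lay descriptors out contiguously, link the visible ones into a
    circular list, and leave hidden ones intact but pointing at themselves."""
    base = 0x1000
    addrs = {pid: base + i * DESC_SIZE for i, (pid, _) in enumerate(procs)}
    mem = bytearray(base + len(procs) * DESC_SIZE + 0x100)
    visible = [pid for pid, _ in procs if pid not in hidden_pids]
    for pid, name in procs:
        if pid in hidden_pids:
            nxt = prv = addrs[pid]                  # DKOM-style unlink
        else:
            j = visible.index(pid)
            nxt = addrs[visible[(j + 1) % len(visible)]]
            prv = addrs[visible[(j - 1) % len(visible)]]
        STRUCT.pack_into(mem, addrs[pid], 1, pid, nxt, prv,
                         name.encode().ljust(16, b"\0"), MAGIC)
    return mem, addrs[visible[0]]                   # list head = first visible

def in_range(mem, p):
    return p % ALIGN == 0 and 0 < p <= len(mem) - DESC_SIZE

# Feature template: (weight, predicate). Similarity is the weight-normalised
# share of satisfied predicates; weights and THRESHOLD are demo assumptions.
TEMPLATE = [
    (3, lambda f, mem: f["magic"] == MAGIC),
    (2, lambda f, mem: f["state"] <= 4),
    (2, lambda f, mem: 1 <= f["pid"] <= 65535),
    (2, lambda f, mem: in_range(mem, f["next"]) and in_range(mem, f["prev"])),
    (1, lambda f, mem: f["name"] != b"" and all(32 <= c < 127 for c in f["name"])),
]
THRESHOLD = 0.8

def parse(mem, addr):
    state, pid, nxt, prv, name, magic = STRUCT.unpack_from(mem, addr)
    return {"state": state, "pid": pid, "next": nxt, "prev": prv,
            "name": name.split(b"\0", 1)[0], "magic": magic}

def similarity(fields, mem):
    total = sum(w for w, _ in TEMPLATE)
    return sum(w for w, pred in TEMPLATE if pred(fields, mem)) / total

def scan_memory(mem):
    """Memory view: every aligned offset whose contents match the template."""
    hits = {}
    for addr in range(0, len(mem) - DESC_SIZE + 1, ALIGN):
        f = parse(mem, addr)
        if similarity(f, mem) >= THRESHOLD:
            hits[f["pid"]] = f["name"].decode()
    return hits

def walk_list(mem, head, limit=1024):
    """Guest view: what a tool inside the VM would see by walking the list."""
    seen, addr = {}, head
    for _ in range(limit):
        f = parse(mem, addr)
        seen[f["pid"]] = f["name"].decode()
        addr = f["next"]
        if addr == head or not in_range(mem, addr):
            break
    return seen

def find_hidden(mem, head):
    """Cross-view comparison: present in the scan, absent from the list."""
    scanned, listed = scan_memory(mem), walk_list(mem, head)
    return {pid: n for pid, n in scanned.items() if pid not in listed}

def next_interval(current, hidden_found, lo=1.0, hi=60.0):
    """Self-adjusting detection frequency (policy is an assumption): scan
    twice as often after a hit, back off geometrically when the VM is clean."""
    return max(lo, current / 2) if hidden_found else min(hi, current * 2)

# Constructed sample guest: pid 777 is unlinked but still resident in memory.
PROCS = [(1, "init"), (412, "sshd"), (777, "rk_bot"), (913, "bash")]
MEM, HEAD = build_memory(PROCS, hidden_pids={777})

if __name__ == "__main__":
    print(find_hidden(MEM, HEAD))                    # {777: 'rk_bot'}
    print(next_interval(8.0, True), next_interval(8.0, False))
```

The weight on the magic field makes it mandatory here (anything without it scores at most 0.7), which keeps zeroed memory and misaligned partial overlaps below the threshold. That is also the weakness of a fixed-value template: a rootkit that overwrites a field the kernel does not actually rely on can push its descriptor under the threshold, so in practice the template should weight fields whose corruption would crash or malfunction the guest, and the threshold should be tuned on a clean image before trusting it on a suspect one.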
Received 2014-04-08
Revised 2014-05-20
Pages 1127-1130, 1153
CLC number TP309
Document code A