Detecting Hidden Malware Method Based on "In-VM" Model  被引量：2

作　　者：陈林 刘波 胡华平 肖枫涛 张静 

机构地区：[1]Computer School,National University of Defense Technology

出　　处：《China Communications》2011年第4期99-108,共10页中国通信（英文版）

基　　金：National High Technical Research and Development Program of China(863 Program)under Grant No. 2008AA01Z414

摘　　要：Security tools are rapidly developed as network security threat is becoming more and more serious.To overcome the fundamental limitation of traditional host-based anti-malware system which is likely to be deceived and attacked by malicious codes,VMM-based anti-malware systems have recently become a hot research field.In this article,the existing malware hiding technique is analyzed,and a detecting model for hidden process based on "In-VM" idea is also proposed.Based on this detecting model,a hidden process detection technology which is based on HOOK SwapContext on the VMM platform is also implemented successfully.This technology can guarantee the detecting method not to be attacked by malwares and also resist all the current process hiding technologies.In order to detect the malwares which use remote injection method to hide themselves,a method by hijacking sysenter instruction is also proposed.Experiments show that the proposed methods guarantee the isolation of virtual machines,can detect all malware samples,and just bring little performance loss.Security tools are rapidly developed as network security threat is becoming more and more serious.To overcome the fundamental limitation of traditional host-based anti-malware system which is likely to be deceived and attacked by malicious codes,VMM-based anti-malware systems have recently become a hot research field.In this article,the existing malware hiding technique is analyzed,and a detecting model for hidden process based on 'In-VM' idea is also proposed.Based on this detecting model,a hidden process detection technology which is based on HOOK SwapContext on the VMM platform is also implemented successfully.This technology can guarantee the detecting method not to be attacked by malwares and also resist all the current process hiding technologies.In order to detect the malwares which use remote injection method to hide themselves,a method by hijacking sysenter instruction is also proposed.Experiments show that the proposed methods guarantee the isolation of virtual machines,can detect all malware samples,and just bring little performance loss.

关 键 词：network security Virtual Machine Monitor(VMM) malware detection hidden process hardware virtualization 

分 类 号：TP393.08[自动化与计算机技术—计算机应用技术]