基于VMM的操作系统隐藏对象关联检测技术  被引量:21

Hidden OS Objects Correlated Detection Technology Based on VMM

在线阅读下载全文

作  者:李博[1] 沃天宇[1] 胡春明[1] 李建欣[1] 王颖[1] 怀进鹏[1] 

机构地区:[1]北京航空航天大学计算机科学与技术系,北京100191

出  处:《软件学报》2013年第2期405-420,共16页Journal of Software

基  金:国家自然科学基金(61202424;60903149;91018008);国家重点基础研究发展计划(973)(2011CB302600)

摘  要:恶意软件通过隐藏自身行为来逃避安全监控程序的检测.当前的安全监控程序通常位于操作系统内部,难以有效检测恶意软件,特别是内核级恶意软件的隐藏行为.针对现有方法中存在的不足,提出了基于虚拟机监控器(virtual machine monitor,简称VMM)的操作系统隐藏对象关联检测方法,并设计和实现了相应的检测系统vDetector.采用隐式和显式相结合的方式建立操作系统对象的多个视图,通过对比多视图间的差异性来识别隐藏对象,支持对进程、文件及网络连接这3种隐藏对象的检测,并基于操作系统语义建立隐藏对象间的关联关系以识别完整攻击路径.在KVM虚拟化平台上实现了vDetector的系统原型,并通过实验评测vDetector的有效性和性能.结果表明,vDetector能够有效检测出客户操作系统(guest OS)中的隐藏对象,且性能开销在合理范围内.To evade the detection of security monitoring systems, malware often hides its behavior. Current monitoring systems usually reside in the operating system (OS). Thus, it is hard to detect the existence of malware, especially the kernel rootkits. In this paper, a hidden OS objects detection and correlation approach based on VMM (virtual machine monitor) is proposed, and the corresponding detection system, vDetector, is designed and implemented. Both implicit and explicit information are used to create multiple views of OS objects, and a multi-view comparison mechanism are designed to identify three kinds of hidden OS objects: process, file and connections. The relations among hidden objects are established based on OS semantic information to trace the complete attack path. vDetector is implemented based on KVM virtualization platlbrm and the effectiveness and performance overhead of vDetector are evaluated by comprehensive experiments. The results show that vDetector can successfully detect the existence of hidden OS objects with reasonable performance overhead.

关 键 词:虚拟化 虚拟机监控器 隐藏对象 多视图 关联检测 

分 类 号:TP316[自动化与计算机技术—计算机软件与理论]

 

参考文献:

正在载入数据...

 

二级参考文献:

正在载入数据...

 

耦合文献:

正在载入数据...

 

引证文献:

正在载入数据...

 

二级引证文献:

正在载入数据...

 

同被引文献:

正在载入数据...

 

相关期刊文献:

正在载入数据...

相关的主题
相关的作者对象
相关的机构对象