检索规则说明:AND代表“并且”;OR代表“或者”;NOT代表“不包含”;(注意必须大写,运算符两边需空一格)
检 索 范 例 :范例一: (K=图书馆学 OR K=情报学) AND A=范并思 范例二:J=计算机应用与软件 AND (U=C++ OR U=Basic) NOT M=Visual
机构地区:[1]复旦大学软件学院,上海200433 [2]上海交通大学软件学院,上海200240
出 处:《计算机应用与软件》2015年第7期266-271,共6页Computer Applications and Software
基 金:国家自然科学基金项目(61303011)
摘 要:随着互联网的发展,当今社会对于信息安全的关注度越来越高。内核级Rootkit能够隐藏自身及恶意软件,对系统安全产生了严重威胁。现有基于虚拟化技术的内核Rootkit检测方案主要针对系统静态Hook进行检测和保护,对基于动态Hook的攻击行为缺乏有效的分析和防御手段。为了解决上述问题,设计并实现了一种基于新型VMI(Virtual Machine Introspection)的检测内核Rootkit的通用系统,对内核静态和动态Hook都能够进行检测和保护。实验表明,系统成功检测出内核级Rootkit对于内核Hook的攻击和篡改,对大量常见的内核Rootkit都有效,同时对于基于动态Hook的攻击行为也能够及时报警,能够有效增强系统对于Rootkit的检测能力。With the development of Internet, current society pays more and more attentions on information security. Kernel level rootkits are the serious security threat to operating system because they can hide themselves and other malicious software. Current kernel rootkit detection schemes based on virtualisation technology mainly focus on the detection and protection of static kernel Hooks but lacks effective analysis and defense means against the attacks based on dynamic Hooks. To address the above problems, we design and implement a new generic system to detect kernel rootkits which is based on new VMI, it can detect and defend both kernel static and dynamic Hook. Experiment demonstrates that, the system successfully detects the attacks and tempers on kernel Hook by the kernel level rootkits, and it is effective to a lot of common kernel rootkits. Meanwhile, timely alarm can also be realised against dynamic-based Hook attacking actions, this can effectively enhance the detection capability of the system on rootkits.
关 键 词:内核Rootkits 内核Hook 虚拟机自省 系统安全
分 类 号:TP316[自动化与计算机技术—计算机软件与理论]
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在链接到云南高校图书馆文献保障联盟下载...
云南高校图书馆联盟文献共享服务平台 版权所有©
您的IP:3.14.251.87
