Authors: 尹正光 (Yin Zhengguang), 余荣威 (Yu Rongwei) [1], 王丽娜 (Wang Lina) [1], 刘维杰 (Liu Weijie) [1], 宋衍 (Song Yan), 谈诚 (Tan Cheng) [1]
Affiliations: [1] School of Computer Science, Wuhan University, Wuhan 430072, Hubei, China; [2] Key Laboratory of Information Assurance Technology, Beijing 100072, China
Source: Journal of Wuhan University (Natural Science Edition), 2016, No. 5, pp. 437-443 (7 pages)
Funding: National Natural Science Foundation of China (61373169); National High Technology Research and Development Program of China (863 Program) (2015AA016004); Open Fund of the Key Laboratory of Information Assurance Technology (KJ-14-110; KJ-14-101)
Abstract: The high flexibility, high scalability and blurred boundaries of cloud computing environments leave existing malicious-behavior detection techniques with high false-positive rates and a poor ability to detect unknown malicious behavior. This paper proposes a malicious-behavior detection model based on virtual machine replay. The model consists of an alert correlation algorithm built on a behavior association graph and a pre-warning confirmation mechanism based on virtual machine replay. First, a network intrusion detection system and a VMI-based host detection system are deployed at the VMM layer, giving two-layer detection that covers both the network and the interior of the virtual machine. Then, alert correlation combines the results of the two layers into a comprehensive judgement and issues a pre-warning. Finally, the pre-warning confirmation mechanism uses replay to filter out false alerts and to identify unknown attacks. Experimental results show that the replay overhead is 21.8% lower than that of ReVirt, and that the detection rate is clearly higher than that of either single detection method used alone.
Keywords: virtualization security; virtual machine replay; malicious behavior detection; behavior association graph
Classification: TP391 [Automation and Computer Technology; Computer Application Technology]
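The abstract describes the correlation step only at a high level: alerts from the VMM-layer NIDS and from the VMI-based host detector are linked in a behavior association graph and judged together before a pre-warning is raised. The following Python sketch is an added illustration of one way such a two-layer correlation could be structured; it is not code from the paper, whose graph construction, scoring and replay confirmation are not given on this page. The alert fields, the 5-second correlation window, the noisy-OR scoring, the 0.8 threshold and the sample alerts are all assumptions constructed for the example. Replay-based confirmation is out of scope here because it cannot be shown offline.

```python
"""Illustrative two-layer alert correlation over a behavior association graph.

Added example, not the paper's code. Graph rule, window, scoring and
threshold are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    layer: str    # "net" = NIDS at the VMM layer, "host" = VMI-based host detector
    vm: str       # guest VM the alert refers to
    t: float      # timestamp in seconds
    kind: str     # detector label
    score: float  # detector confidence in [0, 1]


WINDOW = 5.0      # assumed: alerts on the same VM within 5 s are associated
THRESHOLD = 0.8   # assumed: combined score needed to raise a pre-warning


def build_graph(alerts):
    """Undirected behavior association graph: an edge joins two alerts that
    concern the same VM and lie within WINDOW seconds of each other."""
    adj = defaultdict(set)
    by_vm = defaultdict(list)
    for a in alerts:
        by_vm[a.vm].append(a)
    for group in by_vm.values():
        group.sort(key=lambda a: a.t)
        for i, a in enumerate(group):
            adj[a]  # make sure isolated alerts still appear as nodes
            for b in group[i + 1:]:
                if b.t - a.t > WINDOW:
                    break  # sorted by time, so later alerts are farther away
                adj[a].add(b)
                adj[b].add(a)
    return adj


def components(adj):
    """Yield connected components (lists of alerts) by iterative DFS."""
    seen = set()
    for start in adj:
        if start in seen:
            continue
        comp, stack = [], [start]
        seen.add(start)
        while stack:
            n = stack.pop()
            comp.append(n)
            for m in adj[n]:
                if m not in seen:
                    seen.add(m)
                    stack.append(m)
        yield comp


def evaluate(alerts, threshold=THRESHOLD):
    """Comprehensive judgement: a component yields a pre-warning only if it
    contains alerts from BOTH layers and its noisy-OR combined score reaches
    the threshold. Single-layer components are treated as uncorroborated."""
    warnings = []
    for comp in components(build_graph(alerts)):
        layers = {a.layer for a in comp}
        miss = 1.0
        for a in comp:
            miss *= 1.0 - a.score          # probability every detector is wrong
        combined = 1.0 - miss
        if {"net", "host"} <= layers and combined >= threshold:
            warnings.append({
                "vm": comp[0].vm,             # all alerts in a component share a VM
                "start": min(a.t for a in comp),
                "end": max(a.t for a in comp),
                "kinds": sorted({a.kind for a in comp}),
                "score": round(combined, 3),
            })
    return sorted(warnings, key=lambda w: w["start"])


# Constructed sample alerts (not real detector output).
SAMPLE_ALERTS = [
    Alert("net", "vm1", 10.0, "port_scan", 0.5),        # corroborated by host alert 2 s later
    Alert("host", "vm1", 12.0, "suspicious_exec", 0.7),
    Alert("net", "vm2", 20.0, "port_scan", 0.9),        # network-only: stays uncorroborated
    Alert("host", "vm3", 30.0, "suspicious_exec", 0.6), # host and net alerts 20 s apart:
    Alert("net", "vm3", 50.0, "port_scan", 0.6),        # outside the window, no association
]


def demo():
    return evaluate(SAMPLE_ALERTS)


if __name__ == "__main__":
    for w in demo():
        print(w)
```

Only vm1 produces a pre-warning: its network and host alerts fall in one component and combine to 1 - (1 - 0.5)(1 - 0.7) = 0.85. The high-confidence network-only alert on vm2 and the two far-apart alerts on vm3 are held back, which is the filtering role the abstract assigns to combining the two detection layers before the replay-based confirmation step.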