Honeypot-like real-time memory forensics based on virtual machine monitor    Cited by: 4


Authors: 赵宇韬, 李清宝 [1], 张贵民 [1], 程三军 [3]

Affiliations: [1] State Key Laboratory of Mathematical Engineering and Advanced Computing, PLA Information Engineering University, Zhengzhou 450001, Henan, China; [2] Key Laboratory of Information Assurance Technology, Beijing 100072, China; [3] People's Procuratorate of Henan Province, Zhengzhou 450000, Henan, China

Source: Journal of Zhejiang University (Engineering Science), 2018, No. 2, pp. 387-397 (11 pages)

Funding: National Social Science Fund of China (15AGJ012); Open Fund of the Key Laboratory of Information Assurance Technology (KJ-15-107)

Abstract: Traditional memory forensics follows an "image, then analyse" workflow and faces two problems: acquiring a full memory image takes too long, and transient in-memory attacks cannot be intercepted before they complete. To address both, a honeypot-like real-time memory forensics method, RTMF, is proposed. The virtual machine monitor (VMM) extracts only the memory fragments of interest, and the extracted data are semantically reconstructed to recover OS-level semantic information. The extended page table (EPT) mechanism is then used to restrict the access permissions of key memory pages, turning those pages into honeypots: an access that violates the permissions raises an EPT violation, control traps from the guest OS into the VMM, and the attack is intercepted in real time. Results show that once a memory attack is detected, RTMF both records the attacker's modification history for the affected memory and can trace the attack back to its source. Microbenchmark results show that the performance overhead introduced by the method is acceptable.
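The EPT honeypot mechanism described in the abstract, modelled as an added user-space C example. This is not the paper's code and uses no real hypervisor API: the EPT entries, the four-page guest memory, the choice of page 1 as a constructed "system call table" of 8-byte slots, and the guest RIP value used to identify the attacker are all assumptions made for illustration. Honeypot pages keep read and execute permission but lose write permission, so a write faults into the VMM-side handler, which records the old value, new value and faulting instruction pointer, then emulates the write so the attacker proceeds unaware.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096u
#define NPAGES    4u
#define EPT_R 1u
#define EPT_W 2u
#define EPT_X 4u
#define MAX_LOG 64

/* Minimal EPT entry: one permission word per guest-physical page (assumed layout). */
typedef struct { uint32_t perms; int honeypot; } ept_entry_t;

/* One logged violation: the modification history the VMM keeps for forensics. */
typedef struct {
    uint64_t gpa;        /* guest-physical address the guest tried to write */
    uint64_t guest_rip;  /* guest instruction pointer at the fault: who did it */
    uint8_t  old_val;    /* byte before the write */
    uint8_t  new_val;    /* byte the attacker wanted */
} violation_t;

static uint8_t     guest_mem[NPAGES * PAGE_SIZE]; /* constructed guest memory */
static ept_entry_t ept[NPAGES];
static violation_t vlog[MAX_LOG];
static int         vlog_n;

/* Reset: every page readable, writable and executable; nothing logged. */
void ept_init(void) {
    for (unsigned i = 0; i < NPAGES; i++) {
        ept[i].perms = EPT_R | EPT_W | EPT_X;
        ept[i].honeypot = 0;
    }
    memset(guest_mem, 0, sizeof guest_mem);
    vlog_n = 0;
}

/* Turn a page into a honeypot: keep R and X so normal use continues,
   clear W so any write faults into the VMM instead of landing silently. */
void ept_set_honeypot(unsigned page) {
    if (page >= NPAGES) return;
    ept[page].perms &= ~EPT_W;
    ept[page].honeypot = 1;
}

/* VMM-side EPT-violation handler: record old/new value and the faulting RIP,
   then emulate the store so the guest (and the attacker) proceed unaware. */
static void handle_ept_violation(uint64_t gpa, uint64_t rip, uint8_t val) {
    if (vlog_n < MAX_LOG) {
        vlog[vlog_n] = (violation_t){ gpa, rip, guest_mem[gpa], val };
        vlog_n++;
    }
    guest_mem[gpa] = val;          /* emulated write; the EPT entry stays read-only */
}

/* Model of one guest byte store issued by the instruction at `rip`.
   Returns 1 if it trapped to the VMM, 0 if it completed directly, -1 if out of range. */
int guest_write(uint64_t gpa, uint64_t rip, uint8_t val) {
    unsigned page = (unsigned)(gpa / PAGE_SIZE);
    if (page >= NPAGES) return -1;
    if (!(ept[page].perms & EPT_W)) {
        handle_ept_violation(gpa, rip, val);
        return 1;
    }
    guest_mem[gpa] = val;
    return 0;
}

uint8_t guest_read(uint64_t gpa) { return guest_mem[gpa % (NPAGES * PAGE_SIZE)]; }
int violation_count(void) { return vlog_n; }
const violation_t *violation_at(int i) { return (i >= 0 && i < vlog_n) ? &vlog[i] : NULL; }

/* Semantic reconstruction step (assumed layout): page 1 is modelled as a table of
   8-byte function pointers, so a faulting address maps back to a table slot index. */
int violated_slot_index(const violation_t *v) { return (int)((v->gpa % PAGE_SIZE) / 8); }

int main(void) {
    ept_init();
    ept_set_honeypot(1);                                   /* constructed "syscall table" page */
    guest_write(0x0010, 0x1000, 0xAA);                     /* benign write to page 0: no trap */
    guest_write(1 * PAGE_SIZE + 3 * 8, 0xDEADBEEF, 0x41);  /* hooks slot 3: traps to the VMM */
    for (int i = 0; i < violation_count(); i++) {
        const violation_t *v = violation_at(i);
        printf("EPT violation: gpa=0x%llx rip=0x%llx slot=%d old=0x%02x new=0x%02x\n",
               (unsigned long long)v->gpa, (unsigned long long)v->guest_rip,
               violated_slot_index(v), v->old_val, v->new_val);
    }
    return 0;
}
```

The design choice worth noting is that the handler emulates the write rather than refusing it: a refused write would tell the attacker the page is watched, whereas a logged and emulated write preserves the honeypot while still giving the analyst the before/after bytes and the faulting RIP needed for tracing. A real implementation would single-step or decode the faulting instruction inside the VMM rather than receive the value as a parameter.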

Keywords: real-time forensics; honeypot; memory behaviour; attack vector; page access permissions

Classification: TP391 [Automation and Computer Technology: Computer Application Technology]
