| 基于虚拟机自省的隐藏文件检测方法 |
| |
| 引用本文: | 乌云,李平,李勇钢.基于虚拟机自省的隐藏文件检测方法[J].计算机系统应用,2016,25(1):175-180. |
| |
| 作者姓名: | 乌云 李平 李勇钢 |
| |
| 作者单位: | 中国科学院合肥物质科学研究院应用技术研究所, 合肥 230088,中国科学院合肥智能机械研究所, 合肥 230031;中国科学技术大学自动化系, 合肥 230027,中国科学院合肥智能机械研究所, 合肥 230031;中国科学技术大学自动化系, 合肥 230027 |
| |
| 基金项目: | 中国科学院合肥物质科学研究院院长基金(YZJJ201329) |
| |
| 摘 要: | 通过检测虚拟机内部的隐藏文件,检测工具可以及时判断虚拟机是否受到攻击.传统的文件检测工具驻留在被监视虚拟机中,容易遭到恶意软件的攻击.基于虚拟机自省原理,设计并实现一种模块化的虚拟机文件检测方法FDM. FDM借助操作系统内核知识,解析虚拟机所依存的物理硬件,构建虚拟机文件语义视图,并通过与内部文件列表比较来发现隐藏文件. FDM将硬件状态解析和操作系统语义信息获取以不同模块实现,不仅具备虚拟机自省技术的抗干扰性,还具备模块化架构的可移植性与高效性.实验结果表明, FDM能够准确快速地检测出虚拟机内部的隐藏文件.
|
| 关 键 词: | 虚拟机自省 文件检测 隐藏文件 |
| 收稿时间: | 5/3/2015 12:00:00 AM |
| 修稿时间: | 2015/6/15 0:00:00 |
Method of Hidden File Detection Based on Virtual Machine Introspection |
| |
| WU Yun,LI Ping and LI Yong-Gang.Method of Hidden File Detection Based on Virtual Machine Introspection[J].Computer Systems& Applications,2016,25(1):175-180. |
| |
| Authors: | WU Yun LI Ping and LI Yong-Gang |
| |
| Affiliation: | Institute of Applied Technology, Chinese Academy of Sciences, Hefei 230088, China,Institute of Intelligent Machines, Chinese Academy of Sciences, Hefei 230031, China;Department of Automation, University of Science and Technology of China, Hefei 230027, China and Institute of Intelligent Machines, Chinese Academy of Sciences, Hefei 230031, China;Department of Automation, University of Science and Technology of China, Hefei 230027, China |
| |
| Abstract: | The detection tools can judge whether the virtual machine is under attack or not through detecting the hidden files. The traditional file detection tools reside in the monitored virtual machine, which are vulnerable to attack by the malicious software. According to the virtual machine introspection, a modularized virtual machine file detection method(FDM) is designed and implemented. With the operating system kernel knowledge, FDM can parse the physical hardware and build the semantic view of the files. Then FDM can identify the hidden files by comparing with the internal file list. Meanwhile, parsing hardware status and obtaining semantic information are implemented in different modules. FDM has not only the tamper resistance of the virtual machine introspection, also has a modular architecture, portability and efficiency The experimental results show that the FDM can quickly and accurately detect the hidden filesinside virtual machine. |
| |
| Keywords: | virtual machine introspection file detection hidden file |
|
| 点击此处可从《计算机系统应用》浏览原始摘要信息 |
|
点击此处可从《计算机系统应用》下载全文 |
|
