Design and Implementation of a Malware Behavior Analysis System
Cite this article: YANG Ke, LING Chong, ZHU Chen-cheng. Design and Implementation of a Malware Behavior Analysis System [J]. Computer Security (计算机安全), 2012, 0(9): 2-7
Authors: YANG Ke, LING Chong, ZHU Chen-cheng
Affiliations: PLA Unit 61716; PLA Army Officer Academy
Abstract: Malware behavior analysis based on virtualization technology is an approach to analyzing malware that has emerged in recent years. It uses the strong isolation and control offered by a virtualization platform to analyze the runtime behavior of malware, but it has two shortcomings. First, existing virtual machine monitors (VMMs) were designed to improve the generality and efficiency of virtualized systems and did not give sufficient consideration to the transparency of the virtualized environment; as a result, existing VMMs are easily discovered by the environment-detection tests that malware performs. Second, existing VMM code bases are large and complex, and part of their functionality is unnecessary for analysis, which introduces additional side effects and vulnerabilities. To address this, a malware behavior analysis system based on hardware-assisted virtualization, THVA, is proposed. THVA is a thin VMM built specifically for malware behavior analysis, using Secure Virtual Machine (SVM), nested page tables (NPT), virtual machine introspection and other virtualization technologies. Experimental results show that THVA performs well in behavior monitoring and in resisting detection by malware.

Keywords: hardware-assisted virtualization; malware behavior analysis; virtual machine introspection; nested page tables (NPT); external device access protection

Design and Achievement of Malware Analysis System based on Hardware-assisted Virtualization Monitor
YANG Ke, LING Chong, ZHU Chen-cheng. Design and Achievement of Malware Analysis System based on Hardware-assisted Virtualization Monitor [J]. Network & Computer Security, 2012, 0(9): 2-7
Authors: YANG Ke, LING Chong, ZHU Chen-cheng
Affiliation: 1. 61716 Troops, Fuzhou, Fujian 350001, China; 2. Army Officer Academy, Hefei, Anhui 230001, China
Abstract: Malware analysis based on a hardware-assisted virtualization monitor has recently been proposed. It uses the strong isolation of the virtualization platform and its ability to control the guest OS to analyze the runtime behavior of malware. However, it has two shortcomings. First, the VMM is designed for functionality and performance rather than for transparency, which allows malware to detect the VMM through its virtualization-environment checks. Second, VMM code bases are large and complex, and part of their functionality is unnecessary; these properties introduce more side effects and vulnerabilities. Therefore, a malware analysis system based on a hardware-assisted virtualization monitor, THVA, is presented. THVA is a thin VMM of only about 6000 lines of code, built specifically for malware analysis using SVM, NPT, EAP and virtual machine introspection. Experimental results show that THVA performs well at virtual machine introspection, behavior monitoring and anti-detection. In addition, THVA uses the Security Mode Transition technique to improve its own performance by about 18.2%.
Keywords: hardware-assisted virtualization monitor; malware analysis; virtual machine introspection; NPT; EAP
This article is indexed in CNKI, VIP and other databases.