| 基于VMM的操作系统隐藏对象关联检测技术 |
| |
| 引用本文: | 李博,沃天宇,胡春明,李建欣,王颖,怀进鹏.基于VMM的操作系统隐藏对象关联检测技术[J].软件学报,2013,24(2):405-420. |
| |
| 作者姓名: | 李博 沃天宇 胡春明 李建欣 王颖 怀进鹏 |
| |
| 作者单位: | 北京航空航天大学 计算机科学与技术系,北京 100191;北京航空航天大学 计算机科学与技术系,北京 100191;北京航空航天大学 计算机科学与技术系,北京 100191;北京航空航天大学 计算机科学与技术系,北京 100191;北京航空航天大学 计算机科学与技术系,北京 100191;北京航空航天大学 计算机科学与技术系,北京 100191 |
| |
| 基金项目: | 国家自然科学基金(61202424,60903149,91018008);国家重点基础研究发展计划(973)(2011CB302600) |
| |
| 摘 要: | 恶意软件通过隐藏自身行为来逃避安全监控程序的检测.当前的安全监控程序通常位于操作系统内部,难以有效检测恶意软件,特别是内核级恶意软件的隐藏行为.针对现有方法中存在的不足,提出了基于虚拟机监控器(virtual machine monitor,简称VMM)的操作系统隐藏对象关联检测方法,并设计和实现了相应的检测系统vDetector.采用隐式和显式相结合的方式建立操作系统对象的多个视图,通过对比多视图间的差异性来识别隐藏对象,支持对进程、文件及网络连接这3种隐藏对象的检测,并基于操作系统语义建立隐藏对象间的关联关系以识别完整攻击路径.在KVM虚拟化平台上实现了vDetector的系统原型,并通过实验评测vDetector的有效性和性能.结果表明,vDetector能够有效检测出客户操作系统(guest OS)中的隐藏对象,且性能开销在合理范围内.
|
| 关 键 词: | 虚拟化 虚拟机监控器 隐藏对象 多视图 关联检测 |
| 收稿时间: | 2012/2/27 0:00:00 |
| 修稿时间: | 2012/4/26 0:00:00 |
Hidden OS Objects Correlated Detection Technology Based on VMM |
| |
| LI Bo,WO Tian-Yu,HU Chun-Ming,LI Jian-Xin,WANG Ying and HUAI Jin-Peng.Hidden OS Objects Correlated Detection Technology Based on VMM[J].Journal of Software,2013,24(2):405-420. |
| |
| Authors: | LI Bo WO Tian-Yu HU Chun-Ming LI Jian-Xin WANG Ying and HUAI Jin-Peng |
| |
| Affiliation: | School of Computer Science and Engineering, BeiHang University, Beijing 100191, China;School of Computer Science and Engineering, BeiHang University, Beijing 100191, China;School of Computer Science and Engineering, BeiHang University, Beijing 100191, China;School of Computer Science and Engineering, BeiHang University, Beijing 100191, China;School of Computer Science and Engineering, BeiHang University, Beijing 100191, China;School of Computer Science and Engineering, BeiHang University, Beijing 100191, China |
| |
| Abstract: | To evade the detection of security monitoring systems, malware often hides its behavior. Current monitoring systems usually reside in the operating system (OS). Thus, it is hard to detect the existence of malware, especially the kernel rootkits. In this paper, a hidden OS objects detection and correlation approach based on VMM (virtual machine monitor) is proposed, and the corresponding detection system, vDetector, is designed and implemented. Both implicit and explicit information are used to create multiple views of OS objects, and a multi-view comparison mechanism are designed to identify three kinds of hidden OS objects: process, file and connections. The relations among hidden objects are established based on OS semantic information to trace the complete attack path. vDetector is implemented based on KVM virtualization platform and the effectiveness and performance overhead of vDetector are evaluated by comprehensive experiments. The results show that vDetector can successfully detect the existence of hidden OS objects with reasonable performance overhead. |
| |
| Keywords: | virtualization VMM hidden object multi-view correlated detection |
|
| 点击此处可从《软件学报》浏览原始摘要信息 |
|
点击此处可从《软件学报》下载全文 |
|
