Hidden OS Objects Correlated Detection Technology Based on VMM

Abstract

PDF HTML阅读 XML下载 导出引用 引用提醒 基于VMM的操作系统隐藏对象关联检测技术 DOI: 10.3724/SP.J.1001.2013.04265 作者: 作者单位: 作者简介: 通讯作者: 中图分类号: 基金项目: 国家自然科学基金(61202424,60903149,91018008);国家重点基础研究发展计划(973)(2011CB302600) Hidden OS Objects Correlated Detection Technology Based on VMM Author: Affiliation: Fund Project: 摘要 | 图/表 | 访问统计 | 参考文献 | 相似文献 | 引证文献 | 资源附件 | 文章评论 摘要:恶意软件通过隐藏自身行为来逃避安全监控程序的检测.当前的安全监控程序通常位于操作系统内部,难以有效检测恶意软件,特别是内核级恶意软件的隐藏行为.针对现有方法中存在的不足,提出了基于虚拟机监控器(virtual machine monitor,简称VMM)的操作系统隐藏对象关联检测方法,并设计和实现了相应的检测系统vDetector.采用隐式和显式相结合的方式建立操作系统对象的多个视图,通过对比多视图间的差异性来识别隐藏对象,支持对进程、文件及网络连接这3种隐藏对象的检测,并基于操作系统语义建立隐藏对象间的关联关系以识别完整攻击路径.在KVM虚拟化平台上实现了vDetector的系统原型,并通过实验评测vDetector的有效性和性能.结果表明,vDetector能够有效检测出客户操作系统(guest OS)中的隐藏对象,且性能开销在合理范围内. Abstract:To evade the detection of security monitoring systems, malware often hides its behavior. Current monitoring systems usually reside in the operating system (OS). Thus, it is hard to detect the existence of malware, especially the kernel rootkits. In this paper, a hidden OS objects detection and correlation approach based on VMM (virtual machine monitor) is proposed, and the corresponding detection system, vDetector, is designed and implemented. Both implicit and explicit information are used to create multiple views of OS objects, and a multi-view comparison mechanism are designed to identify three kinds of hidden OS objects: process, file and connections. The relations among hidden objects are established based on OS semantic information to trace the complete attack path. vDetector is implemented based on KVM virtualization platform and the effectiveness and performance overhead of vDetector are evaluated by comprehensive experiments. The results show that vDetector can successfully detect the existence of hidden OS objects with reasonable performance overhead. 参考文献 相似文献 引证文献