
Detecting Hidden Malware Method Based on "In-VM" Model (cited by: 2)

Chinese title: Hidden code detection model based on the "In-VM" model (article in English)
Abstract: Security tools are rapidly developed as network security threats become more and more serious. To overcome the fundamental limitation of traditional host-based anti-malware systems, which are likely to be deceived and attacked by malicious code, VMM-based anti-malware systems have recently become a hot research field. In this article, existing malware hiding techniques are analyzed, and a detection model for hidden processes based on the "In-VM" idea is proposed. Based on this detection model, a hidden process detection technique that hooks SwapContext on the VMM platform is also implemented successfully. This technique guarantees that the detection method cannot be attacked by malware and resists all current process hiding techniques. In order to detect malware that uses remote injection to hide itself, a method that hijacks the sysenter instruction is also proposed. Experiments show that the proposed methods guarantee the isolation of virtual machines, can detect all malware samples, and bring only a small performance loss.
Affiliation: Computer School
Source: China Communications (SCIE, CSCD), 2011, Issue 4, pp. 99-108 (10 pages). China Communications (English edition)
Funding: National High Technical Research and Development Program of China (863 Program) under Grant No. 2008AA01Z414
Keywords: network security; Virtual Machine Monitor (VMM); malware detection; hidden process; hardware virtualization