摘要
恶意进程是威胁计算机系统安全的重大隐患,与内核级rootkit合作时具有较强的隐蔽性和不可觉察性.传统的隐藏进程检测工具驻留在被监控系统中,容易受到恶意篡改.为提高检测信息的精确性和检测系统的抗攻击能力,设计并实现一种基于虚拟机监视器的隐藏进程检测系统.该系统驻留在被监控虚拟机外,利用虚拟机自省机制获取被监控主机的底层状态信息,借助语义视图重构技术重构其进程队列,并通过交叉视图的方式比较各进程队列间的差异,从而确定隐藏进程.同时,该系统也提供相应的响应机制,用以汇报隐藏进程的详细信息(包括实际占用内存信息、网络端口等),以及提供终止和挂起隐藏进程的功能.通过对具有隐藏进程能力的rootkit进行实验,证明了系统的有效性和可行性.
Malicious process is a significant threat to computer system security, which is not only able to compromise the integrity of system, but also getting increasingly stealthy and elusive when facilitated with stealthy rootkit techniques. Conventional detection tools are deployed and executed inside the very host they are protecting, which makes them vulnerable to deceive and subvert. In order to improve the accuracy of detection and the ability of tamper resistance, a VMM-based hidden process detection system located outside the protected virtual machine is designed and implemented. Using virtual machine introspection mechanism, the system implicitly inspects the low-levei state of the protected virtual machine, and then reconstructs the high level OS abstractions (process queues) which are needed for analysis by semantic view reconstruction technique. Based on cross-view validation principle, the system compares various process queues between internal and external view, and finally identifies the target hidden process through their discrepancies. In the meantime, this system facilitates response mechanism for reporting more specific information (such as network port, real memory occupation etc) about the hidden process to the administrator and supplies the interfaces for hidden process termination and suspension. The experiments on some real world rootkits which can hide process are designed to validate the effectiveness and feasibility of the detection system.
出处
《计算机研究与发展》
EI
CSCD
北大核心
2011年第8期1534-1541,共8页
Journal of Computer Research and Development
基金
国家自然科学基金项目(60970114)
国家"八六三"高技术研究发展计划基金项目(2009AA01Z442)
关键词
隐藏进程检测
虚拟机自省
语义视图重构
交叉视图
进程终止和挂起
hidden process detection
virtual machine introspection
semantic view reconstruction
cross-view
process termination and suspension