Virtual machine monitors (VMMs) offer strong isolation and high transparency, and have become a focus of research into system and program behavior. To address the semantic gap that arises when a VMM is used for this purpose, this paper selects the open-source virtual machine software QEMU as the VMM and proposes a QEMU-based method for monitoring program behavior. Based on an analysis of QEMU's structure and implementation principles, the method obtains low-level program behavior data through QEMU's built-in functions and embedded hook functions, reconstructs a view of process behavior from that data, and extracts the program's key behavior data to serve as an important basis for program detection. Experimental results show that the method can effectively extract program behavior data and reconstruct key behavior information.
Considering that a virtual machine monitor (VMM) has both the characteristics of strong isolation and high transparency, it has become popular among information security researchers. This paper uses QEMU as a VMM to address the semantic gap issue, and presents a QEMU-based program behavior extraction model. After analyzing the QEMU structure and design principles, the low-level data of program behavior from the VMM layer can be captured via QEMU built-in functions and/or implanted hooks, and then reconstructed into a high-level view of the program. The key data of the program behavior information can be used to detect and determine whether it is malware or not. The experimental results show that the model can effectively extract the behavior data and reconstruct the key behavior information of a program.
JIANG Chuan-yong; YAO Li-hong (School of Electronic Information and Electrical Engineering, Shanghai Jiaotong University, Shanghai 200240, China; Key Lab of Integrated Management of Information Security, Shanghai 200240, China; State Key Lab for Novel Software Technology, Nanjing University, Nanjing 210093, China)
Information Technology