虚拟内存进程重构与恶意行为扩展识别模型

Reconstruction of Virtual Memory Process and Extended Recognition Model of Malicious Behavior

为了解决现有虚拟机的恶意行为分析技术检测点单一、抗干扰能力弱、检测结果可信度不高等问题,提出了一种基于虚拟内存进程重构和进程关系识别的虚拟检测技术.通过分析VMware虚拟内存特点,重构进程生命周期中的启动、隐藏、可疑操作、网络通信等序列化行为,并形式化描述为<名称关系、父子关系、时间关系、文件关系、通信关系、用户关系>六元组.进一步地,将六元组扩展为证据链并提出一种基于改进k-means算法的恶意行为识别模型,通过计算不同进程六元组之间的相似度,结合先验知识,使用恶意进程集初始聚类中心,进而辨识出虚拟内存中的恶意进程及其关联性和依赖关系.测试结果表明:1 000个样本中恶意进程的检出率高达91.98%,相比传统内存取证技术该方法重构出的虚拟内存进程信息更加充分,恶意行为判定结果的准确性、可靠性更高.

To solve the existing problems of malicious behavior analysis technology based on virtual machine,such as the detection points are single,the anti-interference ability is weak,and the reliability of test results do not have high reliability,a method of multidimensional attribute extraction and reconstruction for virtual memory process was proposed.According to the characteristics of VMware virtual environment memory,the serialized behavior patterns in the lifecycle of the process were reconstructed such as startup,hiding,suspicious operations,network communication,etc.And the formal description as<name relationship,father-son relationship,time relationship,file relationship,communication relationship,user relationship>was given.Ulteriorly,the six tuples were extended into evidence chain and a malicious behavior recognition model based on improved k-means algorithm was proposed.By calculating the similarity between the six tuples of different processes,the set of malicious processes was used to initialize the cluster center combined with a priori knowledge.And then the relevance and dependence of behavioral evidence in virtual memory was analyzed.The test results show that the detection rate of malicious processes in 1 000 samples is as high as 91.98%.Compared with the traditional memory forensics technology,the virtual memory process information reconstructed in this paper is more sufficient,and the result of malicious behavior judgment is more accurate and reliable.