Abstract
Malware detection is essential for cloud infrastructure. This study proposes an external malware detector designed around the characteristics of cloud infrastructure: the detector runs outside the target guest so that it is not discovered by malware running inside it. First, the system calls of a suspected process are gathered by a Forensic Virtual Machine (FVM), a privileged virtual machine located outside the target. The collected system calls are then transformed into a behavior graph of the process. Finally, the similarity between behavior graphs is computed to decide whether the suspected process is malicious. Experiments show an average detection rate of 89% with a false positive rate below 5%; the FVM's impact on guest virtual machine performance is insignificant; and the method remains robust against an addition attack on system calls as long as the addition rate is below 30%.
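The pipeline the abstract describes (system-call trace, behavior graph, similarity score, addition attack) as an added, runnable illustration. This is example code written for this page, not the authors' FVM implementation, and the abstract does not say how the paper builds its graphs or measures similarity. The example assumes that the out-of-guest trace has already been reduced to (syscall, input tokens, output token) tuples, links each call to the most recent call that touched the same handle, buffer or path, and scores with a weighted Jaccard over normalised edge frequencies; the traces, syscall names, token labels and the 0.6 threshold are constructed for illustration.

```python
"""Added example (not the paper's code): behavior-graph similarity over
system-call traces, with an addition attack to probe robustness.

Assumptions not taken from the abstract: the out-of-guest trace has been
reduced to (syscall, input_tokens, output_token) tuples; an edge links a
call to the most recent call that touched the same object; similarity is a
weighted Jaccard over normalised edge frequencies. Traces are constructed.
"""
from collections import Counter

# A syscall record: (name, tuple of input tokens, output token or None).
# Tokens name the objects a call touches, e.g. "fd:3", "buf:1", "path:/x".


def build_behavior_graph(trace):
    """Directed multigraph as Counter{(producer, consumer): weight}.

    Edge (a, b) is added whenever call b consumes a token that call a was
    the last to touch, so edges follow handles and data, not call order.
    """
    last_seen = {}
    edges = Counter()
    for name, inputs, output in trace:
        for tok in inputs:
            if tok in last_seen:
                edges[(last_seen[tok], name)] += 1
        for tok in inputs + ((output,) if output else ()):
            last_seen[tok] = name
    return edges


def graph_similarity(g1, g2):
    """Weighted Jaccard similarity over normalised edge frequencies."""
    n1, n2 = sum(g1.values()), sum(g2.values())
    if not n1 or not n2:
        return 0.0
    keys = set(g1) | set(g2)
    inter = sum(min(g1[k] / n1, g2[k] / n2) for k in keys)
    union = sum(max(g1[k] / n1, g2[k] / n2) for k in keys)
    return inter / union


def classify(trace, signatures, threshold=0.6):
    """Return (is_malicious, best_score, best_family) for a suspect trace."""
    g = build_behavior_graph(trace)
    best_family, best = max(
        ((fam, graph_similarity(g, sig)) for fam, sig in signatures.items()),
        key=lambda p: p[1])
    return best >= threshold, best, best_family


def addition_attack(trace, rate, noise_calls):
    """Insert int(rate * len(trace)) noise calls at evenly spaced positions."""
    n = int(len(trace) * rate)
    positions = {(i + 1) * len(trace) // (n + 1) for i in range(n)}
    out, k = [], 0
    for idx, call in enumerate(trace):
        if idx in positions:
            out.append(noise_calls[k % len(noise_calls)])
            k += 1
        out.append(call)
    return out


def encrypt_file_pattern(path, fd_in, fd_out, buf):
    """Constructed 'read file, write a copy, delete the original' pattern."""
    return [
        ("open", ("path:" + path,), fd_in),
        ("read", (fd_in,), buf),
        ("open", ("path:" + path + ".locked",), fd_out),
        ("write", (fd_out, buf), None),
        ("close", (fd_in,), None),
        ("close", (fd_out,), None),
        ("unlink", ("path:" + path,), None),
    ]


# Reference graph (constructed) the suspect is compared against.
SIGNATURES = {
    "ransom-like": build_behavior_graph(
        encrypt_file_pattern("/home/u/a.doc", "fd:3", "fd:4", "buf:1")),
}

# Constructed suspect: the same behavior applied to two files.
SUSPECT = (encrypt_file_pattern("/home/u/a.doc", "fd:3", "fd:4", "buf:1")
           + encrypt_file_pattern("/home/u/b.xls", "fd:5", "fd:6", "buf:2"))

# Constructed benign trace: an editor reads a file, writes a swap file, renames it.
BENIGN_EDITOR = [
    ("open", ("path:/home/u/n.txt",), "fd:3"),
    ("read", ("fd:3",), "buf:1"),
    ("close", ("fd:3",), None),
    ("open", ("path:/home/u/.n.txt.swp",), "fd:4"),
    ("write", ("fd:4", "buf:2"), None),
    ("fsync", ("fd:4",), None),
    ("close", ("fd:4",), None),
    ("rename", ("path:/home/u/.n.txt.swp", "path:/home/u/n.txt"), None),
]

NOISE_FREE = [("getpid", (), None), ("time", (), None)]          # touch no object
NOISE_BOUND = [("getpid", (), None), ("fstat", ("fd:3",), None)]  # reuse a handle

if __name__ == "__main__":
    cases = [("suspect", SUSPECT), ("benign editor", BENIGN_EDITOR),
             ("suspect + free noise", addition_attack(SUSPECT, 0.3, NOISE_FREE)),
             ("suspect + bound noise", addition_attack(SUSPECT, 0.3, NOISE_BOUND))]
    for label, tr in cases:
        print(label, classify(tr, SIGNATURES))
```

Run as a script it prints one verdict per trace. Noise calls that touch no tracked object (getpid, time) add no edges, so the score stays at 1.0 whatever the insertion rate, which is why a data-dependency graph absorbs this class of addition attack at all. Noise that reuses a live handle (fstat on fd:3) does add edges and lowers the score, here to 0.75 at a 4/14 insertion rate, so the detection threshold has to leave headroom for that case rather than for the trivially absorbed one.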
Authors
Zhang Xiaoli (张小莉); Cheng Guang (程光). Affiliations: Department of Intelligent Control, Shanxi Railway Vocational and Technical College, Taiyuan, Shanxi 030013; Key Laboratory of Computer Network and Information Integration (Southeast University), Ministry of Education, Nanjing, Jiangsu 211189; School of Cyber Science and Engineering, Southeast University, Nanjing, Jiangsu 211189
Source
Cyberspace Security (网络空间安全), 2020, No. 10, pp. 62-67 (6 pages)
Funding
National Key R&D Program of China, "Broadband Communication and New Network" key special programme, project on autonomous and controllable high-performance routers and key technologies (Project No. 2018YFB1800600).
Keywords
malware; behavior graph; cloud infrastructure