Journal of Software (软件学报)
2013, No. 2, pp. 405-420 (16 pages)
Authors: 李博 (Li Bo), 沃天宇 (Wo Tianyu), 胡春明 (Hu Chunming), 李建欣 (Li Jianxin), 王颖 (Wang Ying), 怀进鹏 (Huai Jinpeng)
Keywords: virtualization; VMM; hidden object; multi-view; correlated detection
Abstract (translated from the Chinese): Malware evades detection by security monitoring programs by hiding its own behavior. Current security monitors usually reside inside the operating system, so they have difficulty detecting malware effectively, in particular the hiding behavior of kernel-level malware. To address the shortcomings of existing approaches, this paper proposes a method, based on the virtual machine monitor (VMM), for detecting and correlating hidden operating-system objects, and designs and implements the corresponding detection system, vDetector. It builds multiple views of operating-system objects by combining implicit and explicit information, identifies hidden objects by comparing the differences between these views, supports the detection of three kinds of hidden objects (processes, files and network connections), and establishes correlations between hidden objects based on operating-system semantics in order to identify the complete attack path. A prototype of vDetector was implemented on the KVM virtualization platform, and its effectiveness and performance were evaluated experimentally. The results show that vDetector can effectively detect hidden objects in the guest operating system (guest OS), with performance overhead within a reasonable range.
Abstract (English): To evade detection by security monitoring systems, malware often hides its behavior. Current monitoring systems usually reside in the operating system (OS), so it is hard to detect the existence of malware, especially kernel rootkits. In this paper, a hidden OS object detection and correlation approach based on the VMM (virtual machine monitor) is proposed, and the corresponding detection system, vDetector, is designed and implemented. Both implicit and explicit information are used to create multiple views of OS objects, and a multi-view comparison mechanism is designed to identify three kinds of hidden OS objects: processes, files and connections. The relations among hidden objects are established based on OS semantic information to trace the complete attack path. vDetector is implemented on the KVM virtualization platform, and its effectiveness and performance overhead are evaluated by comprehensive experiments. The results show that vDetector can successfully detect the existence of hidden OS objects with reasonable performance overhead.