Malware Process Detecting Via Hypervisor
First published: 2014-01-21
Abstract: Recent malware processes are armed with stealthy techniques to detect and subvert the malware detection facilities of the victim. Traditional host-based detection tools execute inside the very hosts they are protecting, which makes them vulnerable to deception and subversion. To address this limitation and improve the effectiveness and accuracy of detection and the ability to resist tampering, a VMM-based hidden process detection system is designed and implemented. The system is placed outside the protected virtual machine, uses the virtual machine introspection mechanism to inspect the low-level state of the protected virtual machine, and then reconstructs the guest OS data structures with the guest view casting technique. Based on view comparison detection, the system identifies missing critical processes and the target hidden process. In addition, the system provides process management operations such as terminate and restart. The user can configure the corresponding response mechanism through configuration files.
Keywords: Software Engineering; Virtual machine introspection; Memory detection; Process management
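The detection pipeline the abstract describes (guest view casting over raw memory, then view comparison against what the in-guest tools report, then a configured response), as an added Python simulation that is not part of the paper: the task layout, the guest memory image, the in-guest process list and the critical-process list are all constructed for the example.

```python
import struct

# Hypothetical task layout used by the constructed guest memory image:
# [0:4] address of next task, [4:8] pid, [8:24] comm (NUL-padded).
TASK_FMT = "<II16s"
TASK_SIZE = struct.calcsize(TASK_FMT)  # 24 bytes

def build_memory(tasks, base=0x1000):
    """Construct a fake guest memory image holding a circular task list."""
    mem = bytearray(base + TASK_SIZE * len(tasks))
    for i, (pid, comm) in enumerate(tasks):
        addr = base + i * TASK_SIZE
        nxt = base + ((i + 1) % len(tasks)) * TASK_SIZE
        struct.pack_into(TASK_FMT, mem, addr, nxt, pid, comm.encode())
    return mem, base

def walk_task_list(mem, head, max_tasks=4096):
    """Guest view casting: read raw guest memory from outside the VM, cast each
    record to the task layout and follow 'next' until the list wraps or looks
    corrupted (pointer outside memory, or more entries than plausible)."""
    seen, addr = {}, head
    while addr not in seen and len(seen) < max_tasks:
        if addr + TASK_SIZE > len(mem):
            raise ValueError(f"task pointer {addr:#x} outside guest memory")
        nxt, pid, comm = struct.unpack_from(TASK_FMT, mem, addr)
        seen[addr] = (pid, comm.rstrip(b"\0").decode())
        addr = nxt
    return dict(seen.values())  # VMM view: pid -> comm

def cross_view_compare(vmm_view, guest_view, critical):
    """View comparison: a pid visible to the VMM but not to the in-guest tool is
    hidden; a critical name absent even from the VMM view is missing. The
    response per class (terminate / restart) stands in for the config file."""
    hidden = {pid: name for pid, name in vmm_view.items() if pid not in guest_view}
    missing = sorted(set(critical) - set(vmm_view.values()))
    actions = {pid: "terminate" for pid in hidden}
    actions.update({name: "restart" for name in missing})
    return hidden, missing, actions

def demo():
    # Constructed scenario: pid 1337 is unlinked from what the in-guest tool
    # reports, and the critical 'sshd' is absent from the kernel list entirely.
    mem, head = build_memory([(1, "init"), (42, "cron"), (1337, "rootkitd")])
    vmm_view = walk_task_list(mem, head)
    guest_view = {1: "init", 42: "cron"}  # constructed in-guest 'ps' output
    return cross_view_compare(vmm_view, guest_view, critical=["init", "sshd"])
```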
Chinese title: Hypervisor-Based Malicious Process Detection (基于虚拟机监控器的恶意进程检测)