CN102521537A - Detection method and device for hidden process based on virtual machine monitor - Google Patents


Info

Publication number
CN102521537A
Authority
CN
China
Prior art keywords
virtual machine
monitor
list
user
obtains
Prior art date
Legal status
Granted
Application number
CN2011104017027A
Other languages
Chinese (zh)
Other versions
CN102521537B (en
Inventor
李建欣
王颖
李博
沃天宇
Current Assignee
Beihang University
Original Assignee
Beihang University
Priority date
Filing date
Publication date
Application filed by Beihang University
Priority to CN201110401702.7A
Publication of CN102521537A
Application granted
Publication of CN102521537B
Legal status: Expired - Fee Related


Abstract

The invention provides a detection method and device for hidden processes based on a virtual machine monitor. The method comprises the steps of obtaining process information in user mode, in kernel mode and in the virtual machine monitor; comparing the process information in user mode with the process information in kernel mode to obtain the processes hidden in user mode; and comparing the process information in kernel mode with the process information in the virtual machine monitor to obtain the processes hidden in kernel mode. The device comprises an acquisition module, a first comparison module and a second comparison module. The scheme provided by the invention achieves multi-view hidden process detection and identification and provides good security for the virtual machine.

Description

Hidden process detection method and device based on monitor of virtual machine
Technical field
The present invention relates to virtual machine technology, and in particular to a hidden process detection method and device based on a virtual machine monitor (Virtual Machine Monitor, abbreviated VMM), belonging to the field of computer technology.
Background technology
The development of virtualization technology has driven the emergence of virtual machine technology. A virtual machine is realized through virtualized hardware: one physical computer system is virtualized into one or more virtual computer systems, each of which has its own virtual hardware (CPU, memory, devices and so on). The many advantages of virtual machines have promoted the development of virtual computing environments. Of course, as the core of the computing environment, the security of the virtual machine must be better guaranteed, and this has become a major issue that current virtual computing environments must study. In addition, the development of virtual machine technology not only promotes virtual computing environments; some of its own advantages also bring new opportunities for the development of security technology. The virtual machine monitor sits below the guest machine and the guest operating system and has a higher privilege level, so some security problems can be solved more easily through the virtual machine monitor.
Among the various security problems that can occur in a virtual machine system, hidden objects in the system are an increasingly serious one. "Hidden" here means "invisible to the user". There is a kind of malware, often called a "Rootkit" (kernel-level backdoor/Trojan), which runs in the kernel mode of the system, can hide its own processes, services, logs and network connections, and can also hide normal user programs. How to detect hidden objects in the system has therefore become an important part of maintaining the internal security of the system, and also of guaranteeing the internal security of virtual machines in a virtual computing environment.
At present there are mainly three kinds of methods for detecting the various hidden objects in a system: research and implementations based inside the system, methods based on auxiliary hardware, and security mechanisms based on the virtual machine monitor. System-level hidden object detection mechanisms are in danger of being tampered with, disabled or bypassed; those based on auxiliary hardware require specialised hardware support, which increases cost, and the functions realized are incomplete. VMM-based security techniques have developed greatly and their security keeps increasing, but each shows some shortcomings: some perform only coarse-grained detection; some use kernel data structures for semantic conversion and, without verification, can miss information; some sacrifice complete semantic information in order to achieve greater security; much of the research has concentrated on traffic, with less research on files and network connections; in some cases only the hidden process is stopped while the hidden files it leaves behind are ignored, or no attention is paid to hidden network connections, which may well have been created by a non-hidden process, so that the detection scope is limited in certain situations. In addition, research on commercial systems that do not support open source has a limited range of use.
Summary of the invention
A first aspect of the present invention provides a hidden process detection method based on a virtual machine monitor, comprising:
obtaining process information in user mode, kernel mode and the virtual machine monitor respectively;
comparing the process information in the user mode with the process information in the kernel mode to obtain the processes hidden in user mode;
comparing the process information in the kernel mode with the process information in the virtual machine monitor to obtain the processes hidden in kernel mode.
A second aspect of the present invention provides a hidden process detection method based on a virtual machine monitor, comprising:
comparing the network connection information maintained by a user-mode program inside the virtual machine with the network connection information maintained by the virtual machine monitor to obtain the hidden network connections;
using the virtual machine monitor to obtain the mapping between processes and ports, and obtaining the hidden process from the network port of the hidden network connection.
A further aspect of the present invention provides a hidden process detection device based on a virtual machine monitor, comprising:
an acquisition module for obtaining process information in user mode, kernel mode and the virtual machine monitor respectively;
a first comparison module for comparing the process information in the user mode with the process information in the kernel mode to obtain the processes hidden in user mode;
a second comparison module for comparing the process information in the kernel mode with the process information in the virtual machine monitor to obtain the processes hidden in kernel mode.
The technical effect of one aspect of the invention is as follows: using hardware virtualization technology, and as a loadable module of a Linux system, modifications are made in the virtual machine monitor KVM without affecting the normal operation of the virtual machine monitor and with acceptable extra performance overhead; multi-view hidden process detection and identification is realized, and suspicious processes are further discovered through the detection of hidden network connections, achieving multi-angle, all-round process detection and providing higher security for the virtual machine.
Description of drawings
Fig. 1 is a flow chart of the hidden process detection method based on a virtual machine monitor provided by one embodiment of the invention;
Fig. 2 is a flow chart of obtaining the kernel-mode process list provided by the embodiment of the invention;
Fig. 3 is a flow chart of obtaining the VMM process list provided by the embodiment of the invention;
Fig. 4 is a schematic diagram of the multiple views provided by the embodiment of the invention;
Fig. 5 is a flow chart of the hidden process detection method of the virtual machine monitor provided by the embodiment of the invention;
Fig. 6 is a structural diagram of the hidden process detection device based on a virtual machine monitor provided by the embodiment of the invention;
Fig. 7 is a structural diagram of the hidden process detection device based on a virtual machine monitor provided by the embodiment of the invention.
Embodiment
In view of the defects and deficiencies of current hidden process detection mechanisms, and combining the characteristics of the virtual machine environment, the present invention proposes a multi-view hidden process detection method and device based on a virtual machine monitor. Using hardware virtualization technology, and as a loadable module of the (e.g. Linux) system, modifications are made in the virtual machine monitor KVM without affecting the normal operation of the virtual machine monitor and with acceptable extra performance overhead; multi-view hidden process detection is realized, and suspicious processes are further discovered through the detection of hidden network connections, achieving multi-angle, all-round process detection and providing higher security for the virtual machine.
Fig. 1 is a flow chart of the hidden process detection method based on a virtual machine monitor provided by one embodiment of the invention. As shown in Fig. 1, the method comprises:
Step 101: obtain process information in user mode (User-level), kernel mode (Kernel-level) and the virtual machine monitor (VMM-level) respectively;
This can comprise:
(1) obtaining the User-level process list and corresponding process information from the user-mode application programming interface (API) provided by the system;
(2) maintaining a Kernel-level process list and corresponding process information by intercepting system calls;
Specifically, the Kernel-level process list can be obtained, without limitation, in the following way:
Obtaining the Kernel-level process list is mainly realized by intercepting system calls. Process creation and execution both have to be completed by invoking system calls; at that moment the fast system call instruction (SYSENTER) is executed, the system switches from user mode to kernel mode and performs the kernel entry initialisation, and the corresponding values are loaded into the relevant registers: the code-segment selector register (SYSENTER_CS_MSR) holds the selector of the kernel code segment, i.e. the code selector for executing highest-privilege (Ring 0) code; the Ring 0 code start-address register (SYSENTER_EIP_MSR) holds the linear address of the kernel entry point; and the Ring 0 stack pointer register (SYSENTER_ESP_MSR) holds the kernel stack pointer. Therefore a non-existent address can be assigned to SYSENTER_EIP_MSR, so that whenever a system call occurs a page fault (PageFault) exception is raised, forcing the virtual machine to hand control of the CPU over to the virtual machine monitor. At that point the virtual machine monitor has control of the CPU; it can obtain the current system call number by reading the eax register, determine the type of the current system call from that number (execve for process execution, exit_group for process exit), and accordingly add or remove members of the Kernel-level process list. The flow of obtaining the kernel-mode process list can be as shown in Fig. 2:
Step 201: set the SYSENTER_EIP_MSR of the virtual machine to an unusable address, 0xffffffff;
Step 202: the above address causes an exception in the virtual machine, and KVM takes control of the CPU;
Step 203: judge whether the exception is a page fault; if so, go to step 204, if not, continue with step 201;
Step 204: intercept the current system call of the virtual machine and the process information;
Step 205: obtain the system call number from the information of the current system call;
Step 206: judge the system call number: if it is 11, go to step 207; if it is 252, go to step 211;
Step 207: the system call number is 11, go to step 208;
Step 208: look up the current process information in the Kernel-level process list;
Step 209: judge whether the Kernel-level view already has the current process information; if so, the flow ends; if not, go to step 210;
Step 210: add this process information to the Kernel-level view, then the flow ends;
Step 211: the system call number is 252, go to step 212;
Step 212: delete this process from the Kernel-level view, and the flow ends.
After the process list has been obtained, the semantic information of the processes also has to be obtained. This is mainly done by reading the information in the process descriptor task_struct, the data structure the kernel maintains for each process. The process descriptor task_struct is in turn located through the mapping between the process kernel stack address and the process descriptor address. In Linux, when the kernel allocates the task structure space of a process it does so in units of 8KB, comprising two pages: one is the storage space of the process information structure (thread_info), and the other is the storage space the process uses as its system-space stack. The thread_info structure holds the process descriptor task_struct and sits at the start address of this address space, while the stack grows from the high address of the memory space towards the low address. Because the start address of the process kernel space is an integer multiple of 8KB, i.e. 2^13, the address of task_struct and the process stack address have the same upper 19 bits; before and after a process switch the stack pointer of the current CPU (the ESP register) holds the kernel stack of the process switched to, and a bitwise AND of this value with 0xffffe000 (hexadecimal) gives the address of the task_struct structure. At the same time, considering memory virtualization, two address translations must be taken into account when reading the process descriptor from memory, namely guest virtual address (GVA, Guest Virtual Address) -> guest physical address (GPA, Guest Physical Address) -> host physical address (HPA, Host Physical Address).
(3) obtaining the VMM-level process list maintained by the virtual machine monitor.
Specifically, the VMM-level process list can be obtained, without limitation, in the following way:
In a virtual machine environment there is logical consistency between the processor and system processes, so although the concrete semantics of system processes are invisible to the virtual machine monitor, the address space a process uses is visible to it. The virtual machine monitor can therefore maintain a process list by intercepting the CPU events of processes, such as process context switches. On the x86 architecture, the fourth control register of the CPU (the CR3 register) holds the base address of the page directory table of the process address space; as soon as a new process uses the CPU, its corresponding page directory base address is written into CR3, and at the same time its kernel stack address is written into the ESP register. So a capture function is inserted at the CR3 register control operation of the system virtualization software KVM to judge whether a new process has started. For process exit, the process is judged at a fixed time interval to have exited or not, and corresponding operations are made according to the process status in the kernel process linked list. The flow of obtaining the VMM process list can be as shown in Fig. 3:
Step 301: wait for the CPU to generate a register update event;
Step 302: a register event occurs on the CPU, KVM obtains control of the CPU, and KVM judges the current register event;
Step 303: if the current register change is a CR3 register change, execute step 304; otherwise, start again from step 301;
Step 304: the process function prepares to execute;
Step 305: obtain the information of the current process;
Step 306: query the VMM-level process list according to the process information obtained;
Step 307: judge the result of step 306; if the process exists, go to step 309, otherwise go to step 308;
Step 308: add this process information to the VMM-level process list;
Step 309: check the update time tag of the VMM-level list and judge whether more than 2 seconds have passed since the last update; if so, execute step 310, if not, the flow ends;
Step 310: prepare the update operation of the VMM-level list;
Step 311: take the next process from the VMM-level list and judge whether there is a further process; if so, execute step 312, if not, the flow exits;
Step 312: query the process data structure doubly linked list maintained by the kernel;
Step 313: judge whether this process exists in the doubly linked list; if it exists, execute step 311, otherwise execute step 314;
Step 314: delete this process from the VMM-level list, and go to step 311.
After the process list has been obtained, the method further comprises obtaining the semantic information of the processes, as described in (2) above, which is not repeated here.
Step 102: compare the User-level process information with the Kernel-level process information to obtain the processes hidden at User-level;
Step 103: compare the Kernel-level process information with the VMM-level process information to obtain the processes hidden at Kernel-level.
This embodiment does not restrict the execution order of step 102 and step 103: step 102 may be executed first and step 103 afterwards, step 103 first and step 102 afterwards, or the two steps may be executed simultaneously.
The technology in each step is introduced in detail below.
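The three-view procedure of steps 101 to 103 (syscall-trap maintained Kernel-level list, CR3-trap maintained VMM-level list with the 2-second pruning pass, then the two comparisons), as an added example that is not the patent's or KVM's own code. The trap handlers are driven by constructed event lists, and GUEST_TASKS is a constructed stand-in for the guest memory read that follows the GVA->GPA->HPA translation; pids, names and ESP values are invented.

```python
"""Cross-view hidden-process detection in the style of the patent's three
views (User-level, Kernel-level, VMM-level).  Added example, not the patent's
code: the two KVM trap handlers are driven here by constructed event lists."""
from dataclasses import dataclass, field

SYS_EXECVE = 11                 # 32-bit x86 system call numbers named on the page
SYS_EXIT_GROUP = 252
THREAD_INFO_MASK = 0xFFFFE000   # kernel stacks are 8 KB (2**13) aligned
VMM_REFRESH_SECONDS = 2.0       # interval for pruning the VMM-level list


def thread_info_address(esp: int) -> int:
    """Page's rule: kernel ESP AND 0xffffe000 gives the thread_info base,
    whose task pointer leads to the process descriptor task_struct."""
    return esp & THREAD_INFO_MASK


# Constructed stand-in for reading guest memory after GVA->GPA->HPA translation:
# thread_info base address -> (pid, comm) of the owning task_struct.
GUEST_TASKS = {
    0xC7A30000: (1000, "sshd"),
    0xC7A32000: (1234, "bash"),
    0xC7A34000: (2001, "backdoor"),     # hidden from ps by a user-mode rootkit
    0xC7A36000: (1500, "tmp"),          # short-lived, exits before detection
    0xC7A38000: (3001, "lkm_spawn"),    # started by a kernel module, no execve
}


@dataclass
class Views:
    user: dict = field(default_factory=dict)    # pid -> name from the ps/top API
    kernel: dict = field(default_factory=dict)  # pid -> name from syscall traps
    vmm: dict = field(default_factory=dict)     # pid -> name from CR3 traps
    vmm_last_refresh: float = 0.0


def on_syscall_trap(views: Views, nr: int, pid: int, name: str) -> None:
    """Fig. 2 handler: the SYSENTER page fault hands control to KVM and eax holds
    the syscall number; execve adds to the Kernel-level list, exit_group removes."""
    if nr == SYS_EXECVE:
        views.kernel.setdefault(pid, name)
    elif nr == SYS_EXIT_GROUP:
        views.kernel.pop(pid, None)


def on_cr3_write(views: Views, esp: int, now: float, kernel_task_list: set) -> None:
    """Fig. 3 handler: a CR3 write means a (possibly new) process got the CPU.
    Its task_struct is located from ESP and added to the VMM-level list; every
    VMM_REFRESH_SECONDS the list is reconciled with the kernel task list."""
    pid, name = GUEST_TASKS[thread_info_address(esp)]
    views.vmm.setdefault(pid, name)
    if now - views.vmm_last_refresh > VMM_REFRESH_SECONDS:
        for stale in [p for p in views.vmm if p not in kernel_task_list]:
            del views.vmm[stale]
        views.vmm_last_refresh = now


def classify_hidden(views: Views):
    """Steps 102/103: present in the kernel view but absent from the user view
    -> hidden in user mode; present in the VMM view but absent from the kernel
    view -> hidden in kernel mode (the syscall path was bypassed)."""
    hidden_user = {p: n for p, n in views.kernel.items() if p not in views.user}
    hidden_kernel = {p: n for p, n in views.vmm.items() if p not in views.kernel}
    return hidden_user, hidden_kernel


def run_demo() -> tuple:
    """Replay a constructed timeline and return (hidden_user, hidden_kernel)."""
    v = Views(user={1000: "sshd", 1234: "bash"})      # what ps shows in the guest
    for nr, pid, name in [(SYS_EXECVE, 1000, "sshd"), (SYS_EXECVE, 1234, "bash"),
                          (SYS_EXECVE, 2001, "backdoor"), (SYS_EXECVE, 1500, "tmp"),
                          (SYS_EXIT_GROUP, 1500, "tmp")]:
        on_syscall_trap(v, nr, pid, name)
    # Kernel task list after pid 1500 exited; the LKM-spawned task is still linked.
    task_list = {1000, 1234, 2001, 3001}
    for esp, now in [(0xC7A31F40, 0.1), (0xC7A33E10, 0.2), (0xC7A35C00, 0.3),
                     (0xC7A37A80, 0.4), (0xC7A39000, 0.5), (0xC7A31F40, 3.0)]:
        on_cr3_write(v, esp, now, task_list)
    return classify_hidden(v)


if __name__ == "__main__":
    hidden_user, hidden_kernel = run_demo()
    print("hidden in user mode:  ", hidden_user)
    print("hidden in kernel mode:", hidden_kernel)
```

The last CR3 event at 3.0 s triggers the pruning pass that drops the exited pid 1500 from the VMM-level list before the comparison is made.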
First, the multi-view verification technique observes system objects from multiple angles to produce different views, and there is a correlation between these views. Across the levels of the whole system, the higher the level, the lower the confidence of the view it yields. According to the difficulty of attacking the system, a hidden system object is more likely to appear in the view of a lower level. When a system object appears in a more credible view and does not appear in a less credible view, this hidden object can be detected.
For processes, the least credible view can be obtained from the user-mode application programming interface (API) functions provided by the system, for example by using the system viewing commands ps and top to maintain a User-level process list. At the same time, creating or executing a process in user mode generally requires calling library functions and system calls, so by intercepting system calls one can learn whether a process is created, active or destroyed; therefore, in the multi-view schematic shown in Fig. 4, a Kernel-level process list can be maintained by intercepting system calls. Comparing this Kernel-level list with the User-level list just obtained yields the hidden processes, and shows that such a process is hidden in user mode, because it is invisible to the user-mode API but can be captured through the kernel-mode system library functions. System calls can be bypassed, for instance by executing kernel functions directly inside the kernel or modifying the system call table; a rootkit realized by loading a kernel module program (LKM, Loadable Kernel Module) hides in kernel mode and can be found neither by user-mode programs nor by system call interception, so obtaining the most credible view becomes essential. In a virtual machine environment the virtual machine monitor has the highest privilege over the virtual machine, and no activity of the virtual machine can exceed the level of the virtual machine monitor; it therefore becomes possible to maintain a true VMM-level process list from the virtual machine monitor and, as also shown in Fig. 4, comparing this list with the Kernel-level list reveals the rootkit hidden in kernel mode that the Kernel-level list cannot find.
The invention satisfies the following requirements:
1) Transparent to the guest machine. The whole detection activity is transparent to the virtual machine, and the detection behaviour does not affect the running state of a normal virtual machine; moreover, this transparency means malware inside the virtual machine cannot know of the existence of the detection system, which further improves the security and accuracy of the detection system.
2) Crossing the semantic gap, user interaction. The detection function is realized from outside the virtual machine, but the system still needs to provide the user with clear semantics and a friendly interface, so that the user can grasp the internal state and information of their own virtual machine at any time. Good semantics also make it convenient to identify hidden processes.
3) More complete views, no omissions. Through the multi-view detection mechanism, and especially the process information provided by the Kernel-level and by hidden network ports, the detection of hidden processes inside the virtual machine is more complete. At the same time, the types of hidden process can be distinguished more finely, for example whether a process is hidden in user mode or kernel mode, and suspicious processes with hiding behaviour (such as hidden network connections) can even be probed and uncovered, raising the detection level and further strengthening the security of the virtual machine.
4) Active detection. Since some scans for hidden processes are passive and run at intervals, possibly at unsuitable intervals that a hidden process can cleverly evade, it is very important that a process is captured for detection as soon as it is created or even run.
5) Ease of use. According to the demands of the current hosting environment, the system should be dynamically loadable and unloadable without affecting the overall host environment.
Fig. 5 is a flow chart of the hidden process detection method of the virtual machine monitor provided by the embodiment of the invention. As shown in Fig. 5, the method comprises:
Step 501: compare the network connection information (view) maintained by a user-mode program inside the virtual machine with the network connection information maintained by the virtual machine monitor to obtain the hidden network connections;
Step 502: use the virtual machine monitor to obtain the mapping between processes and ports, and obtain the hidden process from the port of the hidden network connection.
Network port capture relies on the fact that the network card of the virtual machine is visible to the virtual machine monitor KVM, and packet capture can be performed in user mode on the host; the embodiment of the invention is mainly realized in this way. In particular, the network of the virtual machine is configured in bridged form here, and each virtual machine has a corresponding tap port (Test Access Port) for receiving and sending packets. The tap port is visible to the host, and the network state can be controlled by capturing packets on the tap port. The network port capture module simply listens on the tap port, and obtains any packet as soon as it is sent.
The mapping between processes and ports can be obtained as follows. In Linux, a process establishes a network connection by creating a socket file, and opens the corresponding socket file when it performs network communication. The Linux kernel maintains an open-file list for every process. Through this list the concrete directory entry corresponding to each file can be queried, and from that directory entry the real index node on the Linux file system can be found. In the Linux file system an index node data structure (inode) is maintained for every real file, with a mode attribute field (i_mode) set to indicate its type; the built-in socket macro (S_ISSOCK()) judges whether i_mode is of socket type. When the file structure (file) pointer of a process points to a socket file, the address of the socket structure corresponding to this file is assigned to the private_data attribute of the file, so after the judgement above the socket structure can be obtained. In the Linux network protocol stack the socket structure, which is created on top of the virtual file system, does not hold concrete address information or network connection information; the concrete network protocol information is kept in the extended socket data structure (sock), but that belongs to the network-layer socket, and more detailed network domain (INET domain) information, such as the network address (IP address) and port, is kept in the inet_sock data structure. Through such an analysis the mapping between processes and ports can be found.
Specifically, the main purpose of rootkits is to control the target host through network connections, so hiding the related network connections is also one of their important attack means. By detecting hidden network ports, and through the correspondence between ports and processes, suspicious processes can be further discovered, preventing a rootkit from carrying out malicious network behaviour, such as remote access commands (ssh, telnet), under the cover of seemingly normal user processes. A hidden network connection cannot be found by user-mode programs (for example the netstat program used to check network connections), but the existence of the network activity can be found by capturing the network activity on the network card. A realization inside the virtual machine could be bypassed, but since the virtual network card is visible to the virtual machine monitor, the virtual machine monitor naturally has the ability to obtain the complete view of the network activity on that card. Thus, by comparing the view maintained by the user-mode program inside the virtual machine (for example netstat) with the network connection list maintained by the virtual machine monitor, hidden network connections can be found. Once a hidden port has been found, the virtual machine monitor is used to obtain the mapping between processes and ports, and the suspicious process can be found.
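Steps 501 and 502 as an added example that is not the patent's code: the guest's netstat view is compared with the connections the host reconstructs from packets on the VM's tap port, and each hidden local port is mapped back to its process. The netstat output, the captured packets, the guest IP 10.0.2.15 and the process-to-port table (standing in for the file -> socket -> sock -> inet_sock walk described above) are all constructed sample data.

```python
"""Hidden network connection detection (Fig. 5): the guest's own netstat view
is compared with what the host sees on the VM's tap interface, and hidden
local ports are mapped back to processes.  Added example, not the patent's
code; all three inputs are constructed stand-ins."""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "local_ip local_port remote_ip remote_port")
GUEST_IP = "10.0.2.15"   # constructed guest address (bridged configuration)

# (a) View maintained by the user-mode program inside the guest (netstat -tnp).
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address      Foreign Address    State       PID/Program name
tcp        0      0 10.0.2.15:22       10.0.2.2:51234     ESTABLISHED 1000/sshd
tcp        0      0 10.0.2.15:80       10.0.2.2:51240     ESTABLISHED 1100/httpd
"""

# (b) Packets captured by the host on the VM's tap port: (src, sport, dst, dport).
TAP_PACKETS = [
    ("10.0.2.2", 51234, "10.0.2.15", 22),
    ("10.0.2.15", 22, "10.0.2.2", 51234),
    ("10.0.2.2", 51240, "10.0.2.15", 80),
    ("10.0.2.2", 40001, "10.0.2.15", 4444),   # no netstat line for port 4444
    ("10.0.2.15", 4444, "10.0.2.2", 40001),
]

# (c) process -> ports, as the VMM reconstructs it from each task's open files
# (file -> socket via private_data -> sock -> inet_sock, per the page).
VMM_PROCESS_PORTS = {1000: {22}, 1100: {80}, 2001: {4444}}
VMM_PROCESS_NAMES = {1000: "sshd", 1100: "httpd", 2001: "backdoor"}

NETSTAT_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+\S+")


def parse_netstat(text: str) -> set:
    """Parse the guest's netstat lines into Conn tuples (header lines are skipped)."""
    conns = set()
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            conns.add(Conn(m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return conns


def connections_from_tap(packets, guest_ip: str) -> set:
    """Normalise every captured packet to a (local, remote) connection tuple,
    whichever direction it travelled."""
    conns = set()
    for src, sport, dst, dport in packets:
        if src == guest_ip:
            conns.add(Conn(src, sport, dst, dport))
        elif dst == guest_ip:
            conns.add(Conn(dst, dport, src, sport))
    return conns


def hidden_connections(netstat_text: str, packets, guest_ip: str) -> set:
    """Step 501: connections seen on the tap but absent from the guest view."""
    return connections_from_tap(packets, guest_ip) - parse_netstat(netstat_text)


def processes_for_hidden(hidden, process_ports, names) -> dict:
    """Step 502: map each hidden connection's local port back to the owning process."""
    result = {}
    for conn in hidden:
        for pid, ports in process_ports.items():
            if conn.local_port in ports:
                result[conn] = (pid, names.get(pid, "?"))
    return result


def run_demo() -> dict:
    hidden = hidden_connections(NETSTAT_OUTPUT, TAP_PACKETS, GUEST_IP)
    return processes_for_hidden(hidden, VMM_PROCESS_PORTS, VMM_PROCESS_NAMES)


if __name__ == "__main__":
    for conn, (pid, name) in run_demo().items():
        print(f"hidden connection {conn} belongs to pid {pid} ({name})")
```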
On the basis of the above embodiment, the method can further comprise:
obtaining the process list and the network view obtained in the guest machine; obtaining the two process lists and the process-to-port correspondence obtained from the VMM; obtaining the network view obtained from the network port module; processing the obtained network view to add the process content, collating the three process views and collating the two network views. Since this can be realized as a device, interaction between the host kernel and user mode is mainly realized through the device control function (ioctl), and other user-mode data transfer is mainly done through strings and buffers.
Persistence processing is located in host user mode; its main function is to store the information obtained from each view into a database, for example a MySQL database. For the process lists and the network connection views, each piece of information that needs storing is collated.
The function realized by the user interface display is to show the dynamic detection results of the invention to the user. This embodiment displays them in a web client based on the browser/server (B/S) pattern, using the agile development approach of the Ruby-language web framework Rails (Ruby On Rails), closely combined with the MySQL database, so that changes in the database are obtained dynamically and the page is displayed dynamically: as soon as a process is created, the page is updated.
The hidden process pick-up unit structural representation based on monitor of virtual machine that Fig. 6 provides for the embodiment of the invention, as shown in Figure 6, this device can comprise: obtain module 601, first comparison module 602 and second comparison module 603.Wherein, Obtain the progress information that module 601 is used for obtaining respectively user's attitude, kernel state and monitor of virtual machine; First comparison module 602 is used for the progress information of comparison user attitude and the progress information in the kernel state; Obtain the hidden process in user's attitude, second comparison module 603 is used for the progress information of comparison kernel state and the progress information in the monitor of virtual machine, obtains the hidden process in the kernel state.
Under a kind of embodiment, progress information comprises the implied meaning information of process list and process, and then obtaining module 601 can comprise: first module, Unit second, Unit the 3rd and Unit the 4th.Wherein, The API of user's attitude that first module is used for providing from system obtains the process list of user's attitude; Unit second is used for calling the process list that obtains kernel state through interception system; Unit the 3rd is used for obtaining through the CPU incident of intercepting and capturing process the process list of monitor of virtual machine, and Unit the 4th is used for through reading the semantic information of each process in each process list of information acquisition that kernel is the data structure descriptor safeguarded of process.
On the basis of above-mentioned embodiment, Unit second can comprise: first subelement, second subelement and the 3rd subelement.Wherein, Call if first subelement is used for generation systems, then obtain the system call number of current generation, second subelement is used for number judging according to the system call of current generation the system call type of current generation; If it is the execution of process that the 3rd subelement is used for the system call type of current generation; Then this process is added the process list of kernel state,, then this process is deleted from the process list of kernel state if the system call type of current generation is withdrawing from of process.
On the basis of above-mentioned embodiment; Unit the 3rd is used for: if the CPU incident of the process of generation; Then this process is joined the process list of monitor of virtual machine; Process status according to the at interval interior kernel process chained list of Preset Time judges whether process withdraws from, if withdraw from, then this process is deleted from the process of monitor of virtual machine.
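The three-view scheme of modules 601 to 603 and units one to four, as an added illustration in Python that is not code from the patent: the system-call numbers, the process descriptors and the event stream are constructed for the example, and a set of pids stands in for each process list.

```python
"""Three-view hidden process detection on process lists.

Added illustration of the scheme described above; all data structures,
system-call numbers and events are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed system-call numbers for the illustration; real numbers differ per kernel and ABI.
SYS_EXECVE = 11
SYS_EXIT = 1


@dataclass
class Descriptor:
    """Semantic fields the fourth unit reads from the process descriptor the kernel
    maintains for each process (field names chosen for this example)."""
    name: str
    ppid: int
    state: str = "running"   # "running" or "exited", as recorded in the kernel process linked list


@dataclass
class Views:
    """The three process lists, each a set of pids."""
    user: set = field(default_factory=set)     # first unit: user-mode API (what a process tool shows)
    kernel: set = field(default_factory=set)   # second unit: maintained by intercepting system calls
    vmm: set = field(default_factory=set)      # third unit: maintained from CPU events in the VMM


def on_syscall(views: Views, syscall_no: int, pid: int) -> None:
    """Second unit: classify the intercepted system call by its number and keep the
    kernel-mode list current (process execution adds, process exit deletes)."""
    if syscall_no == SYS_EXECVE:
        views.kernel.add(pid)
    elif syscall_no == SYS_EXIT:
        views.kernel.discard(pid)
    # any other system call type leaves the list unchanged


def on_cpu_event(views: Views, pid: int) -> None:
    """Third unit: a CPU event of a process makes it visible to the VMM list."""
    views.vmm.add(pid)


def reconcile_vmm(views: Views, descriptors: dict) -> None:
    """Third unit, run once per preset interval: consult the process state in the
    kernel process linked list and drop processes that have exited."""
    for pid in list(views.vmm):
        desc = descriptors.get(pid)
        if desc is None or desc.state == "exited":
            views.vmm.discard(pid)


def detect_hidden(views: Views, descriptors: dict) -> tuple:
    """First and second comparison modules: a process known to the more privileged
    view but missing from the less privileged one is hidden at that level."""
    def describe(pids):
        return {pid: (descriptors[pid].name if pid in descriptors else "<no descriptor>")
                for pid in sorted(pids)}
    hidden_in_user = describe(views.kernel - views.user)    # kernel view has it, user mode does not
    hidden_in_kernel = describe(views.vmm - views.kernel)   # VMM view has it, kernel view does not
    return hidden_in_user, hidden_in_kernel


def demo() -> tuple:
    """Constructed scenario: pid 200 is filtered from the user-mode API only; pid 300
    never passed through an intercepted execution system call and shows up only
    through its CPU events; pid 400 executed and then exited normally."""
    descriptors = {
        1: Descriptor("init", 0),
        100: Descriptor("sshd", 1),
        200: Descriptor("hidden-user", 1),
        300: Descriptor("hidden-kernel", 1),
        400: Descriptor("short-lived", 1, state="exited"),
    }
    views = Views(user={1, 100})
    for no, pid in [(SYS_EXECVE, 1), (SYS_EXECVE, 100), (SYS_EXECVE, 200),
                    (SYS_EXECVE, 400), (SYS_EXIT, 400)]:
        on_syscall(views, no, pid)
    for pid in (1, 100, 200, 300, 400):
        on_cpu_event(views, pid)
    reconcile_vmm(views, descriptors)
    return detect_hidden(views, descriptors)


if __name__ == "__main__":
    hidden_user, hidden_kernel = demo()
    print("hidden in user mode:", hidden_user)      # {200: 'hidden-user'}
    print("hidden in kernel mode:", hidden_kernel)  # {300: 'hidden-kernel'}
```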
The hidden process pick-up unit structural representation based on monitor of virtual machine that Fig. 7 provides for the embodiment of the invention, as shown in Figure 7, this device can comprise: first module 701 and second module 702.Wherein, first module 701 is used for the network connection information of comparison virtual machine internal user attitude program maintenance and the network connection information that monitor of virtual machine is safeguarded, the network that obtains to hide connects.Second module 702 is used to utilize monitor of virtual machine to obtain the map information of process and port, and the network port according to the network of hiding connects obtains hidden process.
Under a kind of embodiment; Comprise processing unit in this second module 702, be used for obtaining the socket structure body according to the file pointer of process socket file pointed; Preserve port in the inet_sock data structure of this socket structure body, thus the map information of acquisition process and port.
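The network-view device of modules 701 and 702, as an added Python illustration that is not code from the patent: the two connection tables, the stand-ins for the socket structure and inet_sock, and the process list are all constructed, and a hidden connection whose port no process owns is reported separately rather than dropped.

```python
"""Network-view hidden process detection (modules 701 and 702).

Added illustration; the classes stand in for the guest kernel objects the
description names and every value below is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Connection:
    """One entry of a network connection table (constructed)."""
    proto: str
    local_port: int
    remote_addr: str
    remote_port: int


@dataclass
class InetSock:
    """Stands in for the protocol-specific socket data (inet_sock); the field read here is the local port."""
    proto: str
    local_port: int


@dataclass
class Socket:
    """Stands in for the socket structure reached through a socket file pointer."""
    inet: InetSock


@dataclass
class OpenFile:
    """An entry of a process's open-file table; sock is set only for socket files."""
    path: str
    sock: Optional[Socket] = None


@dataclass
class Process:
    pid: int
    name: str
    files: list = field(default_factory=list)


def hidden_connections(user_view, vmm_view) -> set:
    """First module: connections the VMM maintains but the user-mode programs do not report."""
    return set(vmm_view) - set(user_view)


def process_port_map(processes) -> dict:
    """Processing unit of the second module: follow each socket file pointer to the
    socket structure, read the port from its inet_sock, and map (proto, port) -> pids."""
    mapping = {}
    for proc in processes:
        for f in proc.files:
            if f.sock is None:
                continue   # regular file, not a socket
            key = (f.sock.inet.proto, f.sock.inet.local_port)
            mapping.setdefault(key, set()).add(proc.pid)
    return mapping


def hidden_processes(user_view, vmm_view, processes) -> tuple:
    """Second module: resolve each hidden connection to the process owning its port.
    Returns ({pid: name}, [hidden connections whose port no process owns])."""
    names = {p.pid: p.name for p in processes}
    ports = process_port_map(processes)
    owners, unresolved = {}, []
    for conn in hidden_connections(user_view, vmm_view):
        pids = ports.get((conn.proto, conn.local_port), set())
        if not pids:
            unresolved.append(conn)
        for pid in pids:
            owners[pid] = names[pid]
    return owners, sorted(unresolved, key=lambda c: (c.proto, c.local_port))


def demo() -> tuple:
    """Constructed scenario: sshd's connection is visible in both views, a listener on
    tcp/4444 is visible only to the VMM, and a udp entry has no owning process at all."""
    processes = [
        Process(1, "init", [OpenFile("/dev/null")]),
        Process(100, "sshd", [OpenFile("/var/log/auth.log"),
                              OpenFile("socket:[1001]", Socket(InetSock("tcp", 22)))]),
        Process(200, "hidden-listener", [OpenFile("socket:[1002]", Socket(InetSock("tcp", 4444)))]),
    ]
    ssh_conn = Connection("tcp", 22, "10.0.0.5", 51234)
    hidden_conn = Connection("tcp", 4444, "10.0.0.9", 40001)
    orphan_conn = Connection("udp", 5353, "10.0.0.7", 5353)
    user_view = [ssh_conn]                          # what tools inside the VM report
    vmm_view = [ssh_conn, hidden_conn, orphan_conn]  # what the VMM maintains
    return hidden_processes(user_view, vmm_view, processes)


if __name__ == "__main__":
    owners, unresolved = demo()
    print("hidden processes:", owners)        # {200: 'hidden-listener'}
    print("unresolved connections:", unresolved)
```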
One of ordinary skill in the art will appreciate that: all or part of step that realizes above-mentioned each method embodiment can be accomplished through the relevant hardware of programmed instruction.Aforesaid program can be stored in the computer read/write memory medium.This program the step that comprises above-mentioned each method embodiment when carrying out; And aforesaid storage medium comprises: various media that can be program code stored such as ROM (read-only memory) (ROM), random access memory (RAM), magnetic disc or CD.
What should explain at last is: above each embodiment is only in order to explaining technical scheme of the present invention, but not to its restriction; Although the present invention has been carried out detailed explanation with reference to aforementioned each embodiment; Those of ordinary skill in the art is to be understood that: it still can be made amendment to the technical scheme that aforementioned each embodiment put down in writing, perhaps to wherein part or all technical characteristic are equal to replacement; And these are revised or replacement, do not make the scope of the essence disengaging various embodiments of the present invention technical scheme of relevant art scheme.

Claims (10)

1. A hidden process detection method based on a virtual machine monitor, characterised in that it comprises:
obtaining the process information in user mode, in kernel mode and in the virtual machine monitor respectively;
comparing the process information in said user mode with the process information in said kernel mode to obtain the processes hidden in user mode;
comparing the process information in said kernel mode with the process information in said virtual machine monitor to obtain the processes hidden in kernel mode.
2. The method according to claim 1, characterised in that said process information comprises the process list and the semantic information of the processes, and obtaining the process information in user mode, in kernel mode and in the virtual machine monitor respectively comprises:
obtaining the user-mode process list from the user-mode application programming interface (API) provided by the system;
obtaining the kernel-mode process list by intercepting system calls;
obtaining the virtual machine monitor's process list by intercepting the CPU events of processes;
obtaining the semantic information of each process in each of the above process lists by reading the information in the process descriptor, the data structure that the kernel maintains for the process.
3. The method according to claim 2, characterised in that said obtaining the kernel-mode process list by intercepting system calls comprises:
if a system call occurs, the virtual machine monitor obtains the system call number of the current call;
determining the type of the current system call from said system call number;
if the type of the current system call is process execution, adding that process to the kernel-mode process list;
if the type of the current system call is process exit, deleting that process from the kernel-mode process list.
4. The method according to claim 2, characterised in that said obtaining the virtual machine monitor's process list by intercepting the CPU events of processes comprises:
if a CPU event of a process occurs, adding that process to the virtual machine monitor's process list;
judging, according to the process state in the kernel process linked list within a preset time interval, whether the process has exited, and if so deleting that process from the virtual machine monitor's process list.
5. A hidden process detection method based on a virtual machine monitor, characterised in that it comprises:
comparing the network connection information maintained by user-mode programs inside the virtual machine with the network connection information maintained by the virtual machine monitor to obtain the hidden network connections;
using the virtual machine monitor to obtain the mapping between processes and ports, and obtaining the hidden processes from the network ports of said hidden network connections.
6. The method according to claim 5, characterised in that said using the virtual machine monitor to obtain the mapping between processes and ports comprises:
obtaining the socket structure from the file pointer of the socket file the process points to, the port being stored in the socket's protocol-specific extended data structure (inet_sock).
7. A hidden process detection device based on a virtual machine monitor, characterised in that it comprises:
an acquisition module, for obtaining the process information in user mode, in kernel mode and in the virtual machine monitor respectively;
a first comparison module, for comparing the process information in said user mode with the process information in said kernel mode to obtain the processes hidden in user mode;
a second comparison module, for comparing the process information in said kernel mode with the process information in said virtual machine monitor to obtain the processes hidden in kernel mode.
8. The device according to claim 7, characterised in that said process information comprises the process list and the semantic information of the processes, and said acquisition module comprises:
a first unit, for obtaining the user-mode process list from the user-mode application programming interface (API) provided by the system;
a second unit, for obtaining the kernel-mode process list by intercepting system calls;
a third unit, for obtaining the virtual machine monitor's process list by intercepting the CPU events of processes;
a fourth unit, for obtaining the semantic information of each process in each of the above process lists by reading the information in the process descriptor, the data structure that the kernel maintains for the process.
9. The device according to claim 8, characterised in that said second unit comprises:
a first subunit, for obtaining the system call number of the current call if a system call occurs;
a second subunit, for determining the type of the current system call from said system call number;
a third subunit, for adding the process to the kernel-mode process list if the type of the current system call is process execution, and deleting the process from the kernel-mode process list if the type of the current system call is process exit.
10. The device according to claim 8, characterised in that said third unit is used to: if a CPU event of a process occurs, add that process to the virtual machine monitor's process list; and judge, according to the process state in the kernel process linked list within a preset time interval, whether the process has exited, and if so delete that process from the virtual machine monitor's process list.
Application CN201110401702.7A, priority date 2011-12-06, filing date 2011-12-06, "Detection method and device for hidden process based on virtual machine monitor", granted as CN102521537B (en), status Expired - Fee Related.

Publications (2)

Publication Number Publication Date
CN102521537A true CN102521537A (en) 2012-06-27
CN102521537B CN102521537B (en) 2015-05-20

Family

ID=46292448

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110401702.7A Expired - Fee Related CN102521537B (en) 2011-12-06 2011-12-06 Detection method and device for hidden process based on virtual machine monitor

Country Status (1)

Country Link
CN (1) CN102521537B (en)

Cited By (56)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102867062A (en) * 2012-09-24 2013-01-09 杭州安恒信息技术有限公司 Detection method and system for invading hidden user of database kernel
CN102880701A (en) * 2012-09-24 2013-01-16 杭州安恒信息技术有限公司 Method and system for detecting database kernel invasion hidden object
CN103065084A (en) * 2012-12-27 2013-04-24 武汉大学 Windows hidden process detection method performed at external machine of virtual machine
CN103118100A (en) * 2013-01-25 2013-05-22 武汉大学 Guarantee method and guarantee system for improving usability of virtual machine application
CN103400074A (en) * 2013-07-09 2013-11-20 青岛海信传媒网络技术有限公司 Method and device for detecting hidden processes
CN103605557A (en) * 2013-10-25 2014-02-26 普华基础软件股份有限公司 Virtual device management system and management method
CN103761175A (en) * 2013-11-25 2014-04-30 中国科学院计算技术研究所 System and method for monitoring program execution paths under Linux system
CN103886259A (en) * 2014-03-19 2014-06-25 四川大学 Kernel-level rootkit detecting and processing method based on Xen virtualization environment
CN103996004A (en) * 2014-06-12 2014-08-20 浪潮电子信息产业股份有限公司 Highly-available system design method based on virtualization
CN104715201A (en) * 2015-03-31 2015-06-17 北京奇虎科技有限公司 Method and system for detecting malicious acts of virtual machine
CN104715202A (en) * 2015-03-31 2015-06-17 北京奇虎科技有限公司 Hidden process detecting method and hidden process detecting device in virtual machine
CN105468967A (en) * 2015-11-19 2016-04-06 国云科技股份有限公司 Xen-based hidden process detection method aiming at Linux virtual machine malicious code attack
CN106572103A (en) * 2016-10-28 2017-04-19 桂林电子科技大学 Hidden port detection method based on SDN network architecture
CN106778243A (en) * 2016-11-28 2017-05-31 北京奇虎科技有限公司 Kernel Hole Detection document protection method and device based on virtual machine
CN107688481A (en) * 2017-08-17 2018-02-13 中国电子科技集团公司第五十四研究所 A kind of KVM virtual machine hides process detection systems for supporting multinode
US9935851B2 (en) 2015-06-05 2018-04-03 Cisco Technology, Inc. Technologies for determining sensor placement and topology
US9967158B2 (en) 2015-06-05 2018-05-08 Cisco Technology, Inc. Interactive hierarchical network chord diagram for application dependency mapping
CN108228319A (en) * 2018-01-10 2018-06-29 天津理工大学 A kind of Semantics Reconstruction method based on more bridges
US10033766B2 (en) 2015-06-05 2018-07-24 Cisco Technology, Inc. Policy-driven compliance
CN108363611A (en) * 2017-11-02 2018-08-03 北京紫光恒越网络科技有限公司 Method for managing security, device and the omnidirectional system of virtual machine
CN108446160A (en) * 2018-01-29 2018-08-24 中国电子科技网络信息安全有限公司 A kind of virtual machine hides process detection method and system
US10089099B2 (en) 2015-06-05 2018-10-02 Cisco Technology, Inc. Automatic software upgrade
CN108710799A (en) * 2018-05-21 2018-10-26 郑州云海信息技术有限公司 A method of finding that Linux hides port
US10116559B2 (en) 2015-05-27 2018-10-30 Cisco Technology, Inc. Operations, administration and management (OAM) in overlay data center environments
US10142353B2 (en) 2015-06-05 2018-11-27 Cisco Technology, Inc. System for monitoring and managing datacenters
CN109032770A (en) * 2018-05-30 2018-12-18 珠海市君天电子科技有限公司 A kind of progress recognizing method, apparatus and electronic equipment
US10177977B1 (en) 2013-02-13 2019-01-08 Cisco Technology, Inc. Deployment and upgrade of network devices in a network environment
CN109194756A (en) * 2018-09-12 2019-01-11 网宿科技股份有限公司 Application features information extracting method and device
CN109298916A (en) * 2018-11-30 2019-02-01 郑州云海信息技术有限公司 The method and apparatus for identifying process on virtual machine
US10250446B2 (en) 2017-03-27 2019-04-02 Cisco Technology, Inc. Distributed policy store
US10289438B2 (en) 2016-06-16 2019-05-14 Cisco Technology, Inc. Techniques for coordination of application components deployed on distributed virtual machines
WO2019127399A1 (en) * 2017-12-29 2019-07-04 浙江大学 Fine-grained sandbox policy execution method for linux container
US10374904B2 (en) 2015-05-15 2019-08-06 Cisco Technology, Inc. Diagnostic network visualization
CN110472410A (en) * 2018-05-11 2019-11-19 阿里巴巴集团控股有限公司 Identify method, equipment and the data processing method of data
US10523541B2 (en) 2017-10-25 2019-12-31 Cisco Technology, Inc. Federated network and application data analytics platform
US10523512B2 (en) 2017-03-24 2019-12-31 Cisco Technology, Inc. Network agent for generating platform specific network policies
US10554501B2 (en) 2017-10-23 2020-02-04 Cisco Technology, Inc. Network migration assistant
US10574575B2 (en) 2018-01-25 2020-02-25 Cisco Technology, Inc. Network flow stitching using middle box flow stitching
US10594542B2 (en) 2017-10-27 2020-03-17 Cisco Technology, Inc. System and method for network root cause analysis
US10594560B2 (en) 2017-03-27 2020-03-17 Cisco Technology, Inc. Intent driven network policy platform
US10680887B2 (en) 2017-07-21 2020-06-09 Cisco Technology, Inc. Remote device status audit and recovery
US10708183B2 (en) 2016-07-21 2020-07-07 Cisco Technology, Inc. System and method of providing segment routing as a service
US10708152B2 (en) 2017-03-23 2020-07-07 Cisco Technology, Inc. Predicting application and network performance
US10764141B2 (en) 2017-03-27 2020-09-01 Cisco Technology, Inc. Network agent for reporting to a network policy system
US10798015B2 (en) 2018-01-25 2020-10-06 Cisco Technology, Inc. Discovery of middleboxes using traffic flow stitching
US10826803B2 (en) 2018-01-25 2020-11-03 Cisco Technology, Inc. Mechanism for facilitating efficient policy updates
US10873593B2 (en) 2018-01-25 2020-12-22 Cisco Technology, Inc. Mechanism for identifying differences between network snapshots
US10873794B2 (en) 2017-03-28 2020-12-22 Cisco Technology, Inc. Flowlet resolution for application performance monitoring and management
US10917438B2 (en) 2018-01-25 2021-02-09 Cisco Technology, Inc. Secure publishing for policy updates
US10931629B2 (en) 2016-05-27 2021-02-23 Cisco Technology, Inc. Techniques for managing software defined networking controller in-band communications in a data center network
US10972388B2 (en) 2016-11-22 2021-04-06 Cisco Technology, Inc. Federated microburst detection
US10999149B2 (en) 2018-01-25 2021-05-04 Cisco Technology, Inc. Automatic configuration discovery based on traffic flow data
US11128700B2 (en) 2018-01-26 2021-09-21 Cisco Technology, Inc. Load balancing configuration based on traffic flow telemetry
US11233821B2 (en) 2018-01-04 2022-01-25 Cisco Technology, Inc. Network intrusion counter-intelligence
CN115774574A (en) * 2021-09-06 2023-03-10 华为技术有限公司 Operating system kernel switching method and device
US11765046B1 (en) 2018-01-11 2023-09-19 Cisco Technology, Inc. Endpoint cluster assignment and query generation

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10171357B2 (en) 2016-05-27 2019-01-01 Cisco Technology, Inc. Techniques for managing software defined networking controller in-band communications in a data center network

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101093452A (en) * 2006-06-21 2007-12-26 韩国电子通信研究院 System and method for detecting hidden process using system event information
CN101782954A (en) * 2009-01-20 2010-07-21 联想(北京)有限公司 Computer and abnormal progress detection method

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101093452A (en) * 2006-06-21 2007-12-26 韩国电子通信研究院 System and method for detecting hidden process using system event information
CN101782954A (en) * 2009-01-20 2010-07-21 联想(北京)有限公司 Computer and abnormal progress detection method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
温研等: "基于本地虚拟化技术的隐藏进程检测", 《计算机应用》, vol. 28, no. 7, 31 July 2008 (2008-07-31) *

Cited By (146)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102867062A (en) * 2012-09-24 2013-01-09 杭州安恒信息技术有限公司 Detection method and system for invading hidden user of database kernel
CN102880701A (en) * 2012-09-24 2013-01-16 杭州安恒信息技术有限公司 Method and system for detecting database kernel invasion hidden object
CN102867062B (en) * 2012-09-24 2016-01-20 杭州安恒信息技术有限公司 Detection method and the system of user are hidden in database kernel invasion
CN102880701B (en) * 2012-09-24 2016-06-29 杭州安恒信息技术有限公司 The detection method of database kernel invasion hidden object and system
CN103065084A (en) * 2012-12-27 2013-04-24 武汉大学 Windows hidden process detection method performed at external machine of virtual machine
CN103065084B (en) * 2012-12-27 2015-10-21 武汉大学 In the windows hidden process detection method that external machine of virtual machine is carried out
CN103118100A (en) * 2013-01-25 2013-05-22 武汉大学 Guarantee method and guarantee system for improving usability of virtual machine application
US10177977B1 (en) 2013-02-13 2019-01-08 Cisco Technology, Inc. Deployment and upgrade of network devices in a network environment
CN103400074A (en) * 2013-07-09 2013-11-20 青岛海信传媒网络技术有限公司 Method and device for detecting hidden processes
CN103400074B (en) * 2013-07-09 2016-08-24 青岛海信传媒网络技术有限公司 The detection method of a kind of hidden process and device
CN103605557A (en) * 2013-10-25 2014-02-26 普华基础软件股份有限公司 Virtual device management system and management method
CN103761175A (en) * 2013-11-25 2014-04-30 中国科学院计算技术研究所 System and method for monitoring program execution paths under Linux system
CN103761175B (en) * 2013-11-25 2016-08-17 中国科学院计算技术研究所 Program execution path monitoring system and method under a kind of linux system
CN103886259A (en) * 2014-03-19 2014-06-25 四川大学 Kernel-level rootkit detecting and processing method based on Xen virtualization environment
CN103886259B (en) * 2014-03-19 2016-09-21 四川大学 Kernel level rootkit based on Xen virtualized environment detection and processing method
CN103996004A (en) * 2014-06-12 2014-08-20 浪潮电子信息产业股份有限公司 Highly-available system design method based on virtualization
CN103996004B (en) * 2014-06-12 2018-09-04 浪潮电子信息产业股份有限公司 A kind of high-availability system design method based on virtualization
CN104715201A (en) * 2015-03-31 2015-06-17 北京奇虎科技有限公司 Method and system for detecting malicious acts of virtual machine
CN104715202A (en) * 2015-03-31 2015-06-17 北京奇虎科技有限公司 Hidden process detecting method and hidden process detecting device in virtual machine
CN104715201B (en) * 2015-03-31 2018-02-27 北京奇虎科技有限公司 A kind of virtual machine malicious act detection method and system
US10374904B2 (en) 2015-05-15 2019-08-06 Cisco Technology, Inc. Diagnostic network visualization
US10116559B2 (en) 2015-05-27 2018-10-30 Cisco Technology, Inc. Operations, administration and management (OAM) in overlay data center environments
US10623284B2 (en) 2015-06-05 2020-04-14 Cisco Technology, Inc. Determining a reputation of a network entity
US11368378B2 (en) 2015-06-05 2022-06-21 Cisco Technology, Inc. Identifying bogon address spaces
US9979615B2 (en) 2015-06-05 2018-05-22 Cisco Technology, Inc. Techniques for determining network topologies
US10009240B2 (en) 2015-06-05 2018-06-26 Cisco Technology, Inc. System and method of recommending policies that result in particular reputation scores for hosts
US11968103B2 (en) 2015-06-05 2024-04-23 Cisco Technology, Inc. Policy utilization analysis
US10033766B2 (en) 2015-06-05 2018-07-24 Cisco Technology, Inc. Policy-driven compliance
US11968102B2 (en) 2015-06-05 2024-04-23 Cisco Technology, Inc. System and method of detecting packet loss in a distributed sensor-collector architecture
US11936663B2 (en) 2015-06-05 2024-03-19 Cisco Technology, Inc. System for monitoring and managing datacenters
US9935851B2 (en) 2015-06-05 2018-04-03 Cisco Technology, Inc. Technologies for determining sensor placement and topology
US10089099B2 (en) 2015-06-05 2018-10-02 Cisco Technology, Inc. Automatic software upgrade
US11924073B2 (en) 2015-06-05 2024-03-05 Cisco Technology, Inc. System and method of assigning reputation scores to hosts
US10116531B2 (en) 2015-06-05 2018-10-30 Cisco Technology, Inc Round trip time (RTT) measurement based upon sequence number
US11924072B2 (en) 2015-06-05 2024-03-05 Cisco Technology, Inc. Technologies for annotating process and user information for network flows
US10116530B2 (en) 2015-06-05 2018-10-30 Cisco Technology, Inc. Technologies for determining sensor deployment characteristics
US10129117B2 (en) 2015-06-05 2018-11-13 Cisco Technology, Inc. Conditional policies
US10142353B2 (en) 2015-06-05 2018-11-27 Cisco Technology, Inc. System for monitoring and managing datacenters
US11902121B2 (en) 2015-06-05 2024-02-13 Cisco Technology, Inc. System and method of detecting whether a source of a packet flow transmits packets which bypass an operating system stack
US11902120B2 (en) 2015-06-05 2024-02-13 Cisco Technology, Inc. Synthetic data for determining health of a network security system
US10177998B2 (en) 2015-06-05 2019-01-08 Cisco Technology, Inc. Augmenting flow data for improved network monitoring and management
US11902122B2 (en) 2015-06-05 2024-02-13 Cisco Technology, Inc. Application monitoring prioritization
US10181987B2 (en) 2015-06-05 2019-01-15 Cisco Technology, Inc. High availability of collectors of traffic reported by network sensors
US11894996B2 (en) 2015-06-05 2024-02-06 Cisco Technology, Inc. Technologies for annotating process and user information for network flows
US10230597B2 (en) 2015-06-05 2019-03-12 Cisco Technology, Inc. Optimizations for application dependency mapping
US10243817B2 (en) 2015-06-05 2019-03-26 Cisco Technology, Inc. System and method of assigning reputation scores to hosts
US11700190B2 (en) 2015-06-05 2023-07-11 Cisco Technology, Inc. Technologies for annotating process and user information for network flows
US11695659B2 (en) 2015-06-05 2023-07-04 Cisco Technology, Inc. Unique ID generation for sensors
US10305757B2 (en) 2015-06-05 2019-05-28 Cisco Technology, Inc. Determining a reputation of a network entity
US10320630B2 (en) 2015-06-05 2019-06-11 Cisco Technology, Inc. Hierarchichal sharding of flows from sensors to collectors
US10326673B2 (en) 2015-06-05 2019-06-18 Cisco Technology, Inc. Techniques for determining network topologies
US10326672B2 (en) 2015-06-05 2019-06-18 Cisco Technology, Inc. MDL-based clustering for application dependency mapping
US11637762B2 (en) 2015-06-05 2023-04-25 Cisco Technology, Inc. MDL-based clustering for dependency mapping
US11601349B2 (en) 2015-06-05 2023-03-07 Cisco Technology, Inc. System and method of detecting hidden processes by analyzing packet flows
US10439904B2 (en) 2015-06-05 2019-10-08 Cisco Technology, Inc. System and method of determining malicious processes
US10454793B2 (en) 2015-06-05 2019-10-22 Cisco Technology, Inc. System and method of detecting whether a source of a packet flow transmits packets which bypass an operating system stack
US11528283B2 (en) 2015-06-05 2022-12-13 Cisco Technology, Inc. System for monitoring and managing datacenters
US10505828B2 (en) 2015-06-05 2019-12-10 Cisco Technology, Inc. Technologies for managing compromised sensors in virtualized environments
US10505827B2 (en) 2015-06-05 2019-12-10 Cisco Technology, Inc. Creating classifiers for servers and clients in a network
US11522775B2 (en) 2015-06-05 2022-12-06 Cisco Technology, Inc. Application monitoring prioritization
US10516586B2 (en) 2015-06-05 2019-12-24 Cisco Technology, Inc. Identifying bogon address spaces
US10516585B2 (en) 2015-06-05 2019-12-24 Cisco Technology, Inc. System and method for network information mapping and displaying
US11516098B2 (en) 2015-06-05 2022-11-29 Cisco Technology, Inc. Round trip time (RTT) measurement based upon sequence number
US11502922B2 (en) 2015-06-05 2022-11-15 Cisco Technology, Inc. Technologies for managing compromised sensors in virtualized environments
US10536357B2 (en) 2015-06-05 2020-01-14 Cisco Technology, Inc. Late data detection in data center
US11496377B2 (en) 2015-06-05 2022-11-08 Cisco Technology, Inc. Anomaly detection through header field entropy
US10567247B2 (en) 2015-06-05 2020-02-18 Cisco Technology, Inc. Intra-datacenter attack detection
US11477097B2 (en) 2015-06-05 2022-10-18 Cisco Technology, Inc. Hierarchichal sharding of flows from sensors to collectors
US11431592B2 (en) 2015-06-05 2022-08-30 Cisco Technology, Inc. System and method of detecting whether a source of a packet flow transmits packets which bypass an operating system stack
US11405291B2 (en) 2015-06-05 2022-08-02 Cisco Technology, Inc. Generate a communication graph using an application dependency mapping (ADM) pipeline
US10623283B2 (en) 2015-06-05 2020-04-14 Cisco Technology, Inc. Anomaly detection through header field entropy
US10623282B2 (en) 2015-06-05 2020-04-14 Cisco Technology, Inc. System and method of detecting hidden processes by analyzing packet flows
US9967158B2 (en) 2015-06-05 2018-05-08 Cisco Technology, Inc. Interactive hierarchical network chord diagram for application dependency mapping
US10659324B2 (en) 2015-06-05 2020-05-19 Cisco Technology, Inc. Application monitoring prioritization
US11252060B2 (en) 2015-06-05 2022-02-15 Cisco Technology, Inc. Data center traffic analytics synchronization
US11252058B2 (en) 2015-06-05 2022-02-15 Cisco Technology, Inc. System and method for user optimized application dependency mapping
US10686804B2 (en) 2015-06-05 2020-06-16 Cisco Technology, Inc. System for monitoring and managing datacenters
US10693749B2 (en) 2015-06-05 2020-06-23 Cisco Technology, Inc. Synthetic data for determining health of a network security system
US11153184B2 (en) 2015-06-05 2021-10-19 Cisco Technology, Inc. Technologies for annotating process and user information for network flows
US11128552B2 (en) 2015-06-05 2021-09-21 Cisco Technology, Inc. Round trip time (RTT) measurement based upon sequence number
US10728119B2 (en) 2015-06-05 2020-07-28 Cisco Technology, Inc. Cluster discovery via multi-domain fusion for application dependency mapping
US10735283B2 (en) 2015-06-05 2020-08-04 Cisco Technology, Inc. Unique ID generation for sensors
US10742529B2 (en) 2015-06-05 2020-08-11 Cisco Technology, Inc. Hierarchichal sharding of flows from sensors to collectors
US11121948B2 (en) 2015-06-05 2021-09-14 Cisco Technology, Inc. Auto update of sensor configuration
US10797970B2 (en) 2015-06-05 2020-10-06 Cisco Technology, Inc. Interactive hierarchical network chord diagram for application dependency mapping
US11102093B2 (en) 2015-06-05 2021-08-24 Cisco Technology, Inc. System and method of assigning reputation scores to hosts
US10797973B2 (en) 2015-06-05 2020-10-06 Cisco Technology, Inc. Server-client determination
US10979322B2 (en) 2015-06-05 2021-04-13 Cisco Technology, Inc. Techniques for determining network anomalies in data center networks
US10862776B2 (en) 2015-06-05 2020-12-08 Cisco Technology, Inc. System and method of spoof detection
US10917319B2 (en) 2015-06-05 2021-02-09 Cisco Technology, Inc. MDL-based clustering for dependency mapping
US10904116B2 (en) 2015-06-05 2021-01-26 Cisco Technology, Inc. Policy utilization analysis
CN105468967A (en) * 2015-11-19 2016-04-06 国云科技股份有限公司 Xen-based hidden process detection method aiming at Linux virtual machine malicious code attack
US10931629B2 (en) 2016-05-27 2021-02-23 Cisco Technology, Inc. Techniques for managing software defined networking controller in-band communications in a data center network
US11546288B2 (en) 2016-05-27 2023-01-03 Cisco Technology, Inc. Techniques for managing software defined networking controller in-band communications in a data center network
US10289438B2 (en) 2016-06-16 2019-05-14 Cisco Technology, Inc. Techniques for coordination of application components deployed on distributed virtual machines
US11283712B2 (en) 2016-07-21 2022-03-22 Cisco Technology, Inc. System and method of providing segment routing as a service
US10708183B2 (en) 2016-07-21 2020-07-07 Cisco Technology, Inc. System and method of providing segment routing as a service
CN106572103A (en) * 2016-10-28 2017-04-19 桂林电子科技大学 Hidden port detection method based on SDN network architecture
CN106572103B (en) * 2016-10-28 2019-12-13 桂林电子科技大学 hidden port detection method based on SDN network architecture
US10972388B2 (en) 2016-11-22 2021-04-06 Cisco Technology, Inc. Federated microburst detection
CN106778243A (en) * 2016-11-28 2017-05-31 北京奇虎科技有限公司 Kernel Hole Detection document protection method and device based on virtual machine
CN106778243B (en) * 2016-11-28 2020-06-09 北京奇虎科技有限公司 Virtual machine-based kernel vulnerability detection file protection method and device
US11088929B2 (en) 2017-03-23 2021-08-10 Cisco Technology, Inc. Predicting application and network performance
US10708152B2 (en) 2017-03-23 2020-07-07 Cisco Technology, Inc. Predicting application and network performance
US10523512B2 (en) 2017-03-24 2019-12-31 Cisco Technology, Inc. Network agent for generating platform specific network policies
US11252038B2 (en) 2017-03-24 2022-02-15 Cisco Technology, Inc. Network agent for generating platform specific network policies
US10250446B2 (en) 2017-03-27 2019-04-02 Cisco Technology, Inc. Distributed policy store
US10764141B2 (en) 2017-03-27 2020-09-01 Cisco Technology, Inc. Network agent for reporting to a network policy system
US11509535B2 (en) 2017-03-27 2022-11-22 Cisco Technology, Inc. Network agent for reporting to a network policy system
US11146454B2 (en) 2017-03-27 2021-10-12 Cisco Technology, Inc. Intent driven network policy platform
US10594560B2 (en) 2017-03-27 2020-03-17 Cisco Technology, Inc. Intent driven network policy platform
US10873794B2 (en) 2017-03-28 2020-12-22 Cisco Technology, Inc. Flowlet resolution for application performance monitoring and management
US11863921B2 (en) 2017-03-28 2024-01-02 Cisco Technology, Inc. Application performance monitoring and management platform with anomalous flowlet resolution
US11683618B2 (en) 2017-03-28 2023-06-20 Cisco Technology, Inc. Application performance monitoring and management platform with anomalous flowlet resolution
US11202132B2 (en) 2017-03-28 2021-12-14 Cisco Technology, Inc. Application performance monitoring and management platform with anomalous flowlet resolution
US10680887B2 (en) 2017-07-21 2020-06-09 Cisco Technology, Inc. Remote device status audit and recovery
CN107688481A (en) * 2017-08-17 2018-02-13 中国电子科技集团公司第五十四研究所 KVM virtual machine hidden process detection system supporting multiple nodes
CN107688481B (en) * 2017-08-17 2023-12-15 中国电子科技集团公司第五十四研究所 KVM virtual machine hidden process detection system supporting multiple nodes
US11044170B2 (en) 2017-10-23 2021-06-22 Cisco Technology, Inc. Network migration assistant
US10554501B2 (en) 2017-10-23 2020-02-04 Cisco Technology, Inc. Network migration assistant
US10523541B2 (en) 2017-10-25 2019-12-31 Cisco Technology, Inc. Federated network and application data analytics platform
US10594542B2 (en) 2017-10-27 2020-03-17 Cisco Technology, Inc. System and method for network root cause analysis
US10904071B2 (en) 2017-10-27 2021-01-26 Cisco Technology, Inc. System and method for network root cause analysis
CN108363611A (en) * 2017-11-02 2018-08-03 北京紫光恒越网络科技有限公司 Virtual machine security management method and device, and omnidirectional system
WO2019127399A1 (en) * 2017-12-29 2019-07-04 浙江大学 Fine-grained sandbox policy execution method for linux container
US11233821B2 (en) 2018-01-04 2022-01-25 Cisco Technology, Inc. Network intrusion counter-intelligence
US11750653B2 (en) 2018-01-04 2023-09-05 Cisco Technology, Inc. Network intrusion counter-intelligence
CN108228319A (en) * 2018-01-10 2018-06-29 天津理工大学 Multi-bridge based semantic reconstruction method
CN108228319B (en) * 2018-01-10 2021-03-30 天津理工大学 Multi-bridge based semantic reconstruction method
US11765046B1 (en) 2018-01-11 2023-09-19 Cisco Technology, Inc. Endpoint cluster assignment and query generation
US10574575B2 (en) 2018-01-25 2020-02-25 Cisco Technology, Inc. Network flow stitching using middle box flow stitching
US11924240B2 (en) 2018-01-25 2024-03-05 Cisco Technology, Inc. Mechanism for identifying differences between network snapshots
US10999149B2 (en) 2018-01-25 2021-05-04 Cisco Technology, Inc. Automatic configuration discovery based on traffic flow data
US10873593B2 (en) 2018-01-25 2020-12-22 Cisco Technology, Inc. Mechanism for identifying differences between network snapshots
US10826803B2 (en) 2018-01-25 2020-11-03 Cisco Technology, Inc. Mechanism for facilitating efficient policy updates
US10798015B2 (en) 2018-01-25 2020-10-06 Cisco Technology, Inc. Discovery of middleboxes using traffic flow stitching
US10917438B2 (en) 2018-01-25 2021-02-09 Cisco Technology, Inc. Secure publishing for policy updates
US11128700B2 (en) 2018-01-26 2021-09-21 Cisco Technology, Inc. Load balancing configuration based on traffic flow telemetry
CN108446160A (en) * 2018-01-29 2018-08-24 中国电子科技网络信息安全有限公司 Virtual machine hidden process detection method and system
CN110472410B (en) * 2018-05-11 2023-02-28 阿里巴巴集团控股有限公司 Method and device for identifying data and data processing method
CN110472410A (en) * 2018-05-11 2019-11-19 阿里巴巴集团控股有限公司 Method and device for identifying data, and data processing method
CN108710799A (en) * 2018-05-21 2018-10-26 郑州云海信息技术有限公司 Method for discovering hidden ports on Linux
CN109032770A (en) * 2018-05-30 2018-12-18 珠海市君天电子科技有限公司 Process identification method, apparatus and electronic device
CN109194756A (en) * 2018-09-12 2019-01-11 网宿科技股份有限公司 Method and device for extracting application feature information
CN109298916A (en) * 2018-11-30 2019-02-01 郑州云海信息技术有限公司 Method and apparatus for identifying processes on a virtual machine
CN115774574A (en) * 2021-09-06 2023-03-10 华为技术有限公司 Operating system kernel switching method and device

Also Published As

Publication number Publication date
CN102521537B (en) 2015-05-20

Similar Documents

Publication Publication Date Title
CN102521537A (en) Detection method and device for hidden process based on virtual machine monitor
US20180330081A1 (en) Execution environment virtualization method and apparatus and virtual execution environment access method and apparatus
CN101681269B (en) Adaptive dynamic selection and application of multiple virtualization techniques
CN104598809B (en) Program monitoring method and defending method thereof, as well as relevant device
CN105393229B (en) Page fault injection in virtual machine
JP5611598B2 (en) Encryption key container on USB token
CN101866408B (en) Transparent trust chain constructing system based on virtual machine architecture
CN101436237B (en) Method and system for whitelisting software components
CN105393255A (en) Process evaluation for malware detection in virtual machines
CN103065084B (en) Windows hidden process detection method performed from outside the virtual machine
CN101782954B (en) Computer and abnormal process detection method
CN102651062B (en) System and method for tracking malicious behavior based on virtual machine architecture
CN104408366B (en) Android application permission usage behavior tracking based on program instrumentation
CN105956468B (en) Android malicious application detection method and system based on dynamic monitoring of file access
CN105184166A (en) Kernel-based Android application real-time behavior analysis method and system
US10552308B1 (en) Analyzing attributes of memory mappings to identify processes running on a device
CN104268473B (en) Method and device for detecting application programs
CN106778275A (en) Security protection method and system in a virtualized environment, and physical host
CN104102878A (en) Malicious code analysis method and system under Linux platform
CN102779244A (en) Method and device for carrying out file operation
CN111027054A (en) Method and system for judging running of application program in multi-open environment based on android system
CN111191243A (en) Vulnerability detection method and device and storage medium
US11151051B2 (en) Process isolation for out of process page fault handling
CN104732123A (en) Function operation authority control method based on JSON format
US20160092313A1 (en) Application Copy Counting Using Snapshot Backups For Licensing

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150520

Termination date: 20171206
