CN104715201A - Method and system for detecting malicious acts of virtual machine - Google Patents

Info

Publication number: CN104715201A
Application number: CN201510149761.8A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN104715201B (en)
Legal status: Granted
Inventor: 罗凯
Original assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Current assignee: Beijing Qihoo Technology Co Ltd
Prior art keywords: virtual machine, target virtual machine, target, network, relevant information

Abstract

The invention discloses a method and a system for detecting malicious behaviour of a virtual machine. The method comprises the following steps: monitoring the creation and exit events of processes in a target virtual machine, maintaining a trusted process list of the processes actually running in the target virtual machine, obtaining an untrusted process list of the processes in the target virtual machine by traversing the related data structures that record process information in the target virtual machine, and identifying hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process list; intercepting the packets entering and leaving the target virtual machine, determining the currently active network connections in the target virtual machine and the processes those connections belong to, reconstructing the relevant information of the currently active network connections and their owning processes outside the target virtual machine, and determining parasitic processes in the target virtual machine by analysing the reconstructed information. With this method, hidden processes and parasitic processes in virtual machines can be detected comprehensively.

Description

Virtual machine malicious behaviour detection method and system
Technical field
The present invention relates to the field of computer technology, and specifically to a virtual machine malicious behaviour detection method and system.
Background technology
Virtualization technology virtualizes IT resources such as computing, storage and network, and is the foundation of the rapid development of the cloud computing industry. The virtual machine (Virtual Machine) is the most basic form of service that a cloud environment provides externally: the cloud service provider offers individual or organizational users a single virtual machine, or a virtual network composed of several virtual machines, to meet users' demand for easily maintained, highly available elastic cloud services. In a virtualized environment, services are supplied to users in the form of virtual machines, and the cloud service provider can only use interfaces such as Libvirt to obtain, from outside the virtual machine, information about the allocation and use of the target virtual machine's CPU, memory, disk and network resources; it cannot monitor at the granularity of the process behaviour running inside the virtual machine. Once a virtual machine is controlled by malware implanted by an attacker, it becomes a serious threat to the security of the other virtual machines in the same virtual network and even to the security and stability of the cloud platform itself, so run-time security monitoring of virtual machines has become a joint demand of cloud service providers and users. Current virtual machine malicious behaviour monitoring technology has the following problems:
1. Many security monitoring tools rely on an agent inside the virtual machine to solve the semantic gap problem; this breaks the isolation of the virtualization architecture to some extent and also prevents the security tool from being transparent to the virtual machine;
2. Current virtual machine malicious behaviour monitoring pays more attention to the concealment characteristics of malware, and its monitoring of the behaviour of processless, portless and fileless malware, which has become mainstream, is of limited effectiveness;
3. There is a lack of combined consideration of the network and host-internal behaviour of malware; network-level anomaly detection is mostly carried out at the granularity of host network flows, which is too coarse.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a virtual machine malicious behaviour detection method and system that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a virtual machine malicious behaviour detection method is provided, the method comprising:
monitoring process creation and exit events in a target virtual machine and maintaining a trusted process list that records the processes actually running in the target virtual machine; traversing the related data structures that record process information in the target virtual machine to obtain one or more untrusted process lists of the processes recorded in the target virtual machine; and identifying hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process lists;
intercepting the packets entering and leaving the target virtual machine and, from the intercepted packets, determining the currently active network connections in the target virtual machine and the processes they belong to; reconstructing, outside the target virtual machine, the relevant information of the currently active network connections and their owning processes; and determining the parasitic processes in the target virtual machine by analysing the reconstructed relevant information.
Alternatively,
process creation and exit events in the target virtual machine are monitored at the Xen kernel layer, and the management domain Domain 0 layer is notified; the Domain 0 layer maintains the trusted process list according to the process creation and exit notifications, obtains the one or more untrusted process lists, and identifies hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process lists; the packets entering and leaving the target virtual machine are intercepted at the virtual bridge of the Domain 0 layer; and the Domain 0 layer reconstructs the relevant information of the currently active network connections and their owning processes and determines the parasitic processes in the target virtual machine by analysing the reconstructed relevant information.
Alternatively, reconstructing, outside the target virtual machine, the relevant information of the currently active network connections and their owning processes comprises: obtaining the relevant information of the currently active network connections and their owning processes by calling the interface functions and the configuration file mechanism provided by the Libvmi library.
Alternatively, reconstructing, outside the target virtual machine, the relevant information of the currently active network connections and their owning processes comprises obtaining the relevant content of the target process from the memory of the target virtual machine, specifically: using Libvmi to map the memory address space of the specified virtual machine that corresponds to the target process into the memory address space of Domain 0, thereby providing address space support for the Volatility framework; generating, based on the Volatility framework, a script for analysing and reading the memory of the specified virtual machine at run time; and the script obtaining the relevant content of the target process through the mapped Domain 0 memory address space.
Alternatively, the communication between the Xen kernel layer and the Domain 0 layer is realised as follows: based on the __HYPERVISOR_domctl hypercall provided by the Xen kernel and the mechanism by which the Xen kernel defines a parameter-passing data structure for each operation, communication operations for process creation and exit events between Domain 0 and the Xen kernel, together with the corresponding parameter-passing data structures, are added to the Xen kernel; the Xen kernel layer and the Domain 0 layer then communicate using the added communication operations and the corresponding parameter-passing data structures.
Alternatively, the method further comprises: setting up a message queue; intercepting the packets entering and leaving the target virtual machine, processing them, and putting the resulting data into the message queue;
extracting data from the message queue and processing the extracted data, which comprises: determining the currently active network connections in the target virtual machine and their owning processes, reconstructing outside the target virtual machine the relevant information of the currently active network connections and their owning processes, and determining the parasitic processes in the target virtual machine by analysing the reconstructed relevant information.
Alternatively,
intercepting the packets entering and leaving the target virtual machine, processing them and putting the resulting data into the message queue comprises: a first group of producer coroutines intercepts the packets entering and leaving the target virtual machine, extracts connection summary information and puts it into a first task queue; a first group of consumer coroutines takes connection summary information from the first task queue and, after completing the relevant processing, sends the resulting data to the message queue; and/or extracting data from the message queue and processing the extracted data comprises: a second group of producer coroutines listens on the message queue and puts the data taken from it into a second task queue; a second group of consumer coroutines takes data from the second task queue and processes it.
Alternatively, reconstructing, outside the target virtual machine, the relevant information of the currently active network connections and their owning processes, and determining the parasitic processes in the target virtual machine by analysing the reconstructed relevant information, comprises:
reconstructing, outside the target virtual machine, the relevant information of the currently active network connections held by the processes in the target virtual machine; for each currently active network connection, judging whether it is an abnormal connection by matching its relevant information against the corresponding security detection rules; and if a network connection is judged abnormal, determining that the process owning the connection is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected;
and/or,
for each target process, reconstructing, outside the target virtual machine, the process management structure of the target process inside the target virtual machine; and determining, by analysing the reconstructed process management structure, whether the target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected.
According to another aspect of the present invention, a virtual machine malicious behaviour detection system is provided, the system comprising:
a process behaviour detection module, adapted to monitor process creation and exit events in the target virtual machine and to notify a security monitoring module;
a security monitoring module, adapted to maintain, according to the process creation and exit notifications, a trusted process list that records the processes actually running in the target virtual machine; to traverse the related data structures that record process information in the target virtual machine to obtain one or more untrusted process lists of the processes recorded in the target virtual machine; and to identify hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process lists;
a sniffer, adapted to intercept the packets entering and leaving the target virtual machine and, from the intercepted packets, to determine the currently active network connections in the target virtual machine and their owning processes;
a virtual machine introspection module, adapted to reconstruct, outside the target virtual machine, the relevant information of the currently active network connections and their owning processes;
the security monitoring module being further adapted to determine the parasitic processes in the target virtual machine by analysing the reconstructed relevant information.
Alternatively, the process behaviour detection module is located at the Xen kernel layer; the security monitoring module is located at the management domain Domain 0 layer; the sniffer is located at the virtual bridge of the Domain 0 layer; the virtual machine introspection module is located at the Domain 0 layer; and the security monitoring module comprises a hidden process detection module and a parasitic process detection module: the hidden process detection module is adapted to maintain the trusted process list according to the process creation and exit notifications, to obtain the one or more untrusted process lists, and to identify hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process lists; the parasitic process detection module is adapted to determine the parasitic processes in the target virtual machine by analysing the reconstructed relevant information.
Alternatively, the virtual machine introspection module is adapted to obtain the relevant information of the currently active network connections and their owning processes by calling the interface functions and the configuration file mechanism provided by the Libvmi library.
Alternatively, the virtual machine introspection module is adapted to obtain the relevant content of the target process from the memory of the target virtual machine, specifically: using Libvmi to map the memory address space of the specified virtual machine that corresponds to the target process into the memory address space of Domain 0, thereby providing address space support for the Volatility framework; and generating, based on the Volatility framework, a script for analysing and reading the memory of the specified virtual machine at run time, the script obtaining the relevant content of the target process through the mapped Domain 0 memory address space.
Alternatively, based on the __HYPERVISOR_domctl hypercall provided by the Xen kernel and the mechanism by which the Xen kernel defines a parameter-passing data structure for each operation, communication operations for process creation and exit events between Domain 0 and the Xen kernel, together with the corresponding parameter-passing data structures, are added to the Xen kernel;
the process behaviour detection module located at the Xen kernel layer and the security monitoring module located at the Domain 0 layer communicate using the added communication operations and the corresponding parameter-passing data structures.
Alternatively, the system further comprises a message queue module adapted to hold a message queue set up between the sniffer and the parasitic process detection module; the sniffer intercepts and processes the packets entering and leaving the target virtual machine and puts the resulting data into the message queue; the parasitic process detection module extracts data from the message queue and processes it.
Alternatively, the producer coroutines of the sniffer intercept the packets entering and leaving the target virtual machine, extract connection summary information and put it into the sniffer's task queue; the consumer coroutines of the sniffer take connection summary information from the sniffer's task queue and, after completing the relevant processing, send the resulting data to the message queue; and/or the producer coroutines in the parasitic process detection module listen on the message queue and put the data taken from it into the task queue of the parasitic process detection module; the consumer coroutines in the parasitic process detection module take tasks from that task queue and process them.
Alternatively, the security monitoring module is further adapted to:
reconstruct, outside the target virtual machine, the relevant information of the currently active network connections held by the processes in the target virtual machine; for each currently active network connection, judge whether it is an abnormal connection by matching its relevant information against the corresponding security detection rules; and if a network connection is judged abnormal, determine that the process owning the connection is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected;
and/or,
for each target process, reconstruct, outside the target virtual machine, the process management structure of the target process inside the target virtual machine; and determine, by analysing the reconstructed process management structure, whether the target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected.
According to the technical solution of the present invention, process creation and exit events in the target virtual machine are monitored, a trusted process list recording the processes actually running in the target virtual machine is maintained, the related data structures recording process information in the target virtual machine are traversed to obtain one or more untrusted process lists of the processes recorded in the target virtual machine, and hidden processes in the target virtual machine are identified by comparing the trusted process list with the untrusted process lists; the packets entering and leaving the target virtual machine are intercepted, the currently active network connections in the target virtual machine and their owning processes are determined from the intercepted packets, the relevant information of the currently active network connections and their owning processes is reconstructed outside the target virtual machine, and the parasitic processes in the target virtual machine are determined by analysing the reconstructed relevant information. This solution can comprehensively detect hidden processes and parasitic processes in a virtual machine without relying on an agent inside the virtual machine; it is an external detection mode, has no performance impact on the virtual machine, and offers good transparency.
The above description is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be better understood and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the present invention become more apparent, specific embodiments of the present invention are set out below.
Description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art on reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, identical parts are denoted by identical reference symbols. In the drawings:
Fig. 1 shows the flow chart of a virtual machine malicious behaviour detection method according to one embodiment of the invention;
Fig. 2 shows the framework diagram of a virtual machine malicious behaviour detection scheme according to one embodiment of the invention;
Fig. 3 shows the design structure diagram of a virtual machine malicious behaviour detection scheme according to one embodiment of the invention;
Fig. 4 shows the sequence diagram of the reconstruction procedure in one embodiment of the invention;
Fig. 5 shows the communication sequence diagram between Domain 0 and the Xen kernel according to one embodiment of the invention;
Fig. 6 shows a schematic diagram of the transmission of intercepted packets according to one embodiment of the invention;
Fig. 7 shows a schematic class diagram of the implementation of process-level network behaviour monitoring according to one embodiment of the invention;
Fig. 8 shows a schematic class diagram of the implementation of injection behaviour monitoring according to one embodiment of the invention;
Fig. 9 shows the structural diagram of a virtual machine malicious behaviour detection system according to one embodiment of the invention.
Embodiments
Exemplary embodiments of the present disclosure are described below in more detail with reference to the drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the present disclosure can be realised in various forms and should not be limited by the embodiments set forth here. On the contrary, these embodiments are provided so that the present disclosure can be understood more thoroughly and its scope conveyed completely to those skilled in the art.
Fig. 1 shows the flow chart of a virtual machine malicious behaviour detection method according to one embodiment of the invention. As shown in Fig. 1, the method comprises:
Step S110: monitoring process creation and exit events in the target virtual machine and maintaining a trusted process list that records the processes actually running in the target virtual machine; traversing the related data structures that record process information in the target virtual machine to obtain one or more untrusted process lists of the processes recorded in the target virtual machine; and identifying hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process lists;
Step S120: intercepting the packets entering and leaving the target virtual machine and, from the intercepted packets, determining the currently active network connections in the target virtual machine and their owning processes; reconstructing, outside the target virtual machine, the relevant information of the currently active network connections and their owning processes; and determining the parasitic processes in the target virtual machine by analysing the reconstructed relevant information.
The method shown in Fig. 1 can comprehensively detect hidden processes and parasitic processes in a virtual machine without relying on an agent inside the virtual machine; it is an external detection mode, has no performance impact on the virtual machine, and offers good transparency.
In one embodiment of the invention, in the method shown in Fig. 1, process creation and exit events in the target virtual machine are monitored at the Xen kernel layer, and the management domain Domain 0 layer is notified; the Domain 0 layer maintains the trusted process list according to the process creation and exit notifications, obtains the one or more untrusted process lists, and identifies hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process lists; the packets entering and leaving the target virtual machine are intercepted at the virtual bridge of the Domain 0 layer; and the Domain 0 layer reconstructs the relevant information of the currently active network connections and their owning processes and determines the parasitic processes in the target virtual machine by analysing the reconstructed relevant information.
Xen runs between the hardware and the virtual machine operating systems; it manages the physical machine's CPU, memory and I/O devices in a unified way, organises them into a virtual resource pool, and provides virtual infrastructure services externally, that is, virtual machines, which share the hardware resources. Domain 0 is the management domain and holds very high privilege.
Fig. 2 shows the framework diagram of a virtual machine malicious behaviour detection scheme according to one embodiment of the invention. Fig. 3 shows the design structure diagram of a virtual machine malicious behaviour detection scheme according to one embodiment of the invention. As shown in Figures 2 and 3, the virtual machine malicious behaviour monitoring technology is realised in a Xen virtualized environment; the basic design consists of a control module, a virtual machine introspection module, a security monitoring module, a sniffer and a process behaviour monitoring module. The functions of the modules and the relationships between them are as follows:
Process behaviour monitoring module: located at the Xen kernel layer, it is responsible for intercepting and forwarding process creation and exit events in the virtual machine, maintains the shared memory used for parameter passing between the Xen kernel and Domain 0, and sends event-occurrence messages to the control module;
Control module: located in Domain 0, it externally provides the interface for controlling the monitoring system; on receiving a monitoring request it completes the preparatory work of creating the shared memory and event channel between Domain 0 and the Xen kernel and setting up the network packet sniffer at the virtual bridge, and forwards the request to the security monitoring module;
Security monitoring module: it receives the monitoring request for a given virtual machine from the control module, obtains from the sniffer the traffic information entering and leaving that virtual machine, and performs security checks according to the configured policy on the processes the traffic belongs to; at this point it needs the virtual machine introspection module to solve the semantic gap problem;
Virtual machine introspection module: this module solves the problem of reconstructing the internal process view from outside the virtual machine, and provides the security monitoring module with interfaces for accessing the management structures inside the virtual machine and obtaining system API addresses.
The workflow of the virtual machine malicious behaviour monitoring system proposed by the present invention is completed by the coordination of the modules at the Domain 0 layer and the Xen kernel layer. When the system runs, the network sniffer deployed at the virtual bridge intercepts the packets entering and leaving a given virtual machine, processes them into (src_ip, src_port, dst_ip, dst_port) four-tuples (representing source IP, source port, destination IP and destination port) and sends these to the security monitoring module, which then performs the following security state checks:
1) while running, the security monitoring module monitors the creation and exit of each process in the target virtual machine in real time, keeps a trusted process list of the processes actually running inside the virtual machine, and determines whether hidden processes exist by comparing it with process lists obtained by other means;
2) according to the configured security policy, the security monitoring module detects whether a process that produces network behaviour is a parasitic process injected by malware.
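As an added example, not code from the patent or from the described system, the Python below models the sniffer-to-detector stage just described: connection four-tuples are de-duplicated by producer/consumer workers over a task queue and a message queue, attributed to their owning process, and matched against per-process rules so that an abnormal connection marks its owner as parasitic. GUEST_IP, GUEST_SOCKETS, RULES and the packet records are constructed stand-ins for what the sniffer and the introspection module would supply.

```python
import queue
import threading
from collections import namedtuple
from dataclasses import dataclass

GUEST_IP = "10.0.0.5"  # constructed address of the monitored virtual machine


@dataclass(frozen=True)
class ConnSummary:
    """The (src_ip, src_port, dst_ip, dst_port) four-tuple the sniffer hands on."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# One detection result: the connection, its owning process (None if unattributed), outcome.
Verdict = namedtuple("Verdict", "conn pid name result")

# Constructed stand-in for what the introspection module reconstructs from the guest's
# socket tables: local endpoint -> owning (pid, image name).
GUEST_SOCKETS = {
    (GUEST_IP, 49152): (880, "svchost.exe"),
    (GUEST_IP, 49160): (2312, "notepad.exe"),
    (GUEST_IP, 49170): (1500, "chrome.exe"),
}
# Constructed security detection rules: destination ports each image is expected to use;
# an empty set means the process should never open a connection at all.
RULES = {"svchost.exe": {53, 80, 443}, "chrome.exe": {80, 443}, "notepad.exe": set()}


def parse_packet(line):
    """Turn one sniffer record ('src_ip:port > dst_ip:port', constructed format) into a
    summary with the guest always on the src side, so both directions of a connection
    collapse to one tuple; returns None for traffic that does not involve the guest."""
    src, dst = (p.rsplit(":", 1) for p in line.split(" > "))
    conn = ConnSummary(src[0], int(src[1]), dst[0], int(dst[1]))
    if conn.src_ip == GUEST_IP:
        return conn
    if conn.dst_ip == GUEST_IP:
        return ConnSummary(conn.dst_ip, conn.dst_port, conn.src_ip, conn.src_port)
    return None


def detect(conn):
    """Attribute the connection to its owning process and match it against the rules;
    an abnormal connection marks its owner as a parasitic (injected) process."""
    owner = GUEST_SOCKETS.get((conn.src_ip, conn.src_port))
    if owner is None:  # no process in the guest claims this socket
        return Verdict(conn, None, None, "unattributed")
    pid, name = owner
    allowed = RULES.get(name)
    if allowed is None:
        return Verdict(conn, pid, name, "no-rule")
    return Verdict(conn, pid, name, "normal" if conn.dst_port in allowed else "abnormal")


def run_pipeline(packet_lines, n_consumers=2):
    """Producer/consumer stage: the producer extracts and de-duplicates connection
    summaries into a task queue; consumers run detect() and post verdicts to the
    message queue that the parasitic process detection module reads."""
    task_q, msg_q, stop = queue.Queue(), queue.Queue(), object()

    def producer():
        seen = set()
        for line in packet_lines:
            conn = parse_packet(line)
            if conn is not None and conn not in seen:
                seen.add(conn)
                task_q.put(conn)
        for _ in range(n_consumers):
            task_q.put(stop)  # one sentinel per consumer

    def consumer():
        while (conn := task_q.get()) is not stop:
            msg_q.put(detect(conn))

    threads = [threading.Thread(target=producer)]
    threads += [threading.Thread(target=consumer) for _ in range(n_consumers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return list(msg_q.queue)


def parasitic_processes(verdicts):
    """Processes owning at least one abnormal connection, as sorted (pid, name) pairs."""
    return sorted({(v.pid, v.name) for v in verdicts if v.result == "abnormal"})


PACKETS = [  # constructed sniffer records using documentation-range addresses
    "10.0.0.5:49152 > 192.0.2.53:53",
    "192.0.2.53:53 > 10.0.0.5:49152",      # reply: same connection, not counted twice
    "10.0.0.5:49170 > 198.51.100.20:443",
    "10.0.0.5:49160 > 203.0.113.9:8080",   # notepad.exe is not expected to use the network
    "10.0.0.5:49199 > 203.0.113.10:80",    # no process in the guest owns this socket
    "192.168.1.9:5555 > 192.168.1.10:80",  # not the guest's traffic
]

if __name__ == "__main__":
    verdicts = run_pipeline(PACKETS)
    for v in sorted(verdicts, key=lambda v: v.conn.src_port):
        print(v.conn.src_port, v.conn.dst_ip, v.conn.dst_port, v.name, v.result)
    print("parasitic:", parasitic_processes(verdicts))
```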
The virtual machine introspection module is the basis for realising monitoring functions from outside the virtual machine; it provides the upper-layer parasitic process detection module and hidden process detection module with interfaces for obtaining the internal management structures of the virtual machine and the addresses of specified operating system APIs.
In one embodiment of the invention, reconstructing, outside the target virtual machine, the relevant information of the currently active network connections and their owning processes in step S120 of the method shown in Fig. 1 comprises: obtaining the relevant information of the currently active network connections and their owning processes by calling the interface functions and the configuration file mechanism provided by the Libvmi library.
Libvmi provides basic interfaces for accessing specified address spaces inside a virtual machine; the commonly used interface functions and their purposes are shown in Table 1:
Interface name | Interface function
vmi_init | Create a Libvmi connection and initialise the related data structures
vmi_destroy | Close the Libvmi connection and release the related resources
vmi_get_offset | Obtain the offset of a member variable of a specified data structure from the configuration file libvmi.conf
vmi_read_addr_va | Read the content at a specified virtual address of a target virtual machine process
vmi_read_addr_pa | Read the content at a specified physical address of the target virtual machine
vmi_read_str_va | Read the string at a specified virtual address of a target virtual machine process
windows_symbol_to_address | Convert a variable or function name exported by Windows into its address in memory
Table 1
Libvmi uses a configuration file to define a set of variable names and their values for a specified virtual machine. These variables are very flexible: they can be the location of debug files, the operating system type, important data structure offsets and so on. Taking Windows XP SP3 and Windows 7 SP1 as the target virtual machine operating system versions, the content of this configuration file is illustrated in Table 2:
Table 2
Here win_pdbase corresponds to the offset of the DirectoryTableBase variable in the _KPROCESS data structure; win_pid corresponds to the offset of the UniqueProcessId variable in the _EPROCESS data structure; win_tasks corresponds to the offset of the ActiveProcessLinks variable in the _EPROCESS data structure, which points into the doubly linked list made up of _EPROCESS structures; win_pname corresponds to the offset of the ImageFileName member variable in the _EPROCESS data structure; and win_peb corresponds to the offset of the Peb member variable in the _EPROCESS data structure.
The above interface functions and the configuration file mechanism are needed to realise the semantic reconstruction function. The principle of semantic reconstruction is illustrated below by the reconstruction of the EPROCESS linked list:
The doubly linked list made up of EPROCESS data structures maintains much of the relevant information about the processes running in the system, so reconstructing this data structure is of great importance for solving the semantic gap problem. To make it easy to maintain the necessary information about the processes in the virtual machine in Domain 0, a structure ProcNode representing process information is implemented; it contains the relevant information of a process, such as its id, EPROCESS address and page directory address. Its content is shown in Table 3:
Table 3
Fig. 4 shows the sequence diagram of the reconstruction process in one embodiment of the invention. As can be seen from Fig. 4, the virtual machine introspection module externally provides the interface refresh_proc_list for obtaining the process list; the implementation of this function mainly calls interfaces provided by the libvmi library such as vmi_get_offset and vmi_read_addr_va.
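The list walk behind refresh_proc_list, as an added example that is not the patent's own code: the libvmi.conf offsets from Table 2 are read, and the _EPROCESS ring is followed through ActiveProcessLinks, stepping back by win_tasks from each LIST_ENTRY to reach the enclosing structure and filling a ProcNode per process. Because Table 2 is not reproduced on this page, the offsets in LIBVMI_CONF are the commonly published Windows XP SP3 values and are an assumption here; GuestMemory is a constructed in-memory stand-in for the guest (virtual addresses are treated as physical), and the PsActiveProcessHead address and the three processes are likewise constructed.

```python
import re
import struct
from collections import namedtuple

# Constructed libvmi.conf fragment. Table 2 is not reproduced on the page; these are the
# commonly published Windows XP SP3 offsets and are an assumption of this example.
LIBVMI_CONF = """
winxpsp3 {
    ostype = "Windows";
    win_tasks  = 0x88;
    win_pdbase = 0x18;
    win_pid    = 0x84;
    win_pname  = 0x174;
    win_peb    = 0x1b0;
}
"""

# Domain 0 record of one guest process (the role of the page's ProcNode, Table 3).
ProcNode = namedtuple("ProcNode", "pid eprocess pdbase peb name")


def parse_libvmi_conf(text, domain):
    """Return the variables of one '<name> { ... }' block as a dict (vmi_get_offset analogue)."""
    block = re.search(re.escape(domain) + r"\s*\{(.*?)\}", text, re.S)
    if block is None:
        raise KeyError("no libvmi.conf entry for %s" % domain)
    cfg = {}
    for m in re.finditer(r"(\w+)\s*=\s*([^;]+);", block.group(1)):
        key, val = m.group(1), m.group(2).strip().strip('"')
        cfg[key] = int(val, 0) if re.fullmatch(r"0x[0-9a-fA-F]+|\d+", val) else val
    return cfg


class GuestMemory:
    """Sparse byte-addressable stand-in for the guest. read_addr/read_str play the role of
    vmi_read_addr_va/vmi_read_str_va for a 32-bit guest; virtual == physical is a
    simplification so that only the list walk itself is on show."""

    def __init__(self):
        self._bytes = {}

    def write(self, addr, data):
        for i, b in enumerate(data):
            self._bytes[addr + i] = b

    def read(self, addr, n):
        try:
            return bytes(self._bytes[addr + i] for i in range(n))
        except KeyError:
            raise ValueError("unmapped guest address 0x%x" % addr)

    def read_addr(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]

    def read_str(self, addr, maxlen=16):
        return self.read(addr, maxlen).split(b"\0", 1)[0].decode("ascii", "replace")


def refresh_proc_list(mem, cfg, list_head):
    """Walk ActiveProcessLinks starting at the PsActiveProcessHead LIST_ENTRY at list_head.
    Each Flink points at the LIST_ENTRY embedded in the next _EPROCESS, so the structure
    base is Flink - win_tasks (the CONTAINING_RECORD step)."""
    procs, seen = [], set()
    flink = mem.read_addr(list_head)
    while flink != list_head:
        if flink in seen:                       # a loop means a corrupted list; stop
            raise RuntimeError("ActiveProcessLinks cycle at 0x%x" % flink)
        seen.add(flink)
        eproc = flink - cfg["win_tasks"]
        procs.append(ProcNode(
            pid=mem.read_addr(eproc + cfg["win_pid"]),
            eprocess=eproc,
            pdbase=mem.read_addr(eproc + cfg["win_pdbase"]),
            peb=mem.read_addr(eproc + cfg["win_peb"]),
            name=mem.read_str(eproc + cfg["win_pname"]),
        ))
        flink = mem.read_addr(flink)
    return procs


def build_sample_guest(cfg):
    """Constructed guest image: a list head plus three linked _EPROCESS structures."""
    mem = GuestMemory()
    head = 0x8055A000                            # hypothetical PsActiveProcessHead address
    bases = [0x81000000, 0x81100000, 0x81200000]
    sample = [(4, 0x39000, 0, b"System"),
              (368, 0x1A40000, 0x7FFDF000, b"smss.exe"),
              (1524, 0x2B80000, 0x7FFDE000, b"explorer.exe")]
    links = [head] + [b + cfg["win_tasks"] for b in bases]   # LIST_ENTRY addresses, in ring order
    for i, (base, (pid, pdbase, peb, name)) in enumerate(zip(bases, sample)):
        mem.write(base + cfg["win_pdbase"], struct.pack("<I", pdbase))
        mem.write(base + cfg["win_pid"], struct.pack("<I", pid))
        mem.write(base + cfg["win_peb"], struct.pack("<I", peb))
        mem.write(base + cfg["win_pname"], name.ljust(16, b"\0"))
        nxt, prv = links[(i + 2) % len(links)], links[i]      # Flink/Blink of entry i+1
        mem.write(links[i + 1], struct.pack("<II", nxt, prv))
    mem.write(head, struct.pack("<II", links[1], links[-1]))  # head's Flink/Blink
    return mem, head
```

The cycle check matters in practice: a rootkit that has unlinked a process (the case the page's cross-view comparison targets) can leave the ring consistent, but a half-patched list will loop or point into unmapped memory, and an introspection walker must fail closed rather than spin.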
In another embodiment of the invention, reconstructing, outside the target virtual machine, the relevant information of the currently active network connections and their owning processes in step S120 of the method shown in Fig. 1 comprises obtaining the relevant content of the target process from the memory of the target virtual machine, specifically: using Libvmi to map the memory address space of the designated virtual machine corresponding to the target process into the memory address space of Domain 0, thereby providing address space support for the Volatility framework; generating, on the basis of the Volatility framework, a script for analysing and reading the memory of the designated virtual machine at run time; and the script obtaining the relevant content of the target process through the mapped memory address space of Domain 0.
Volatility is a well-known open framework in the field of memory forensics. It supports the processing and analysis of memory dump files of systems such as Linux, Mac and Windows, and the plugin mechanism it provides simplifies secondary development on the framework; in the embodiments of the invention the semantic reconstruction of the virtual machine's run-time memory data is implemented on this framework. So that Volatility can analyse virtual machine memory at run time, the embodiments of the invention use Libvmi to provide Volatility with a compatible address space. Libvmi is an open-source virtual machine introspection tool that the virtualisation community provides to researchers. Reading and writing the address space of a designated virtual machine and monitoring particular events can also be implemented with this tool, and the process management structures in the virtual machine can further be reconstructed on top of it. Implementing that reconstruction, however, requires reverse analysis of the system management structures of each type of operating system in order to determine the offsets of the target variables in the enclosing data structures, which lacks generality. The invention therefore uses only Libvmi's ability to map the address space of the designated virtual machine into Domain 0, as the address space provider for the Volatility framework.
As can be seen from Fig. 2, the largest difference between the hidden process detection and the parasitic process detection proposed in the embodiments of the invention is that hidden process detection requires the cooperation of Domain 0 and the Xen kernel part, so both an event notification mechanism and an information communication mechanism between the two need to be implemented.
In an embodiment of the invention, implementing the communication between the Xen kernel layer and the Domain 0 layer comprises: on the basis of the __HYPERVISOR_domctl hypercall provided by the Xen kernel and the mechanism by which the Xen kernel defines a parameter-passing data structure for each operation, adding to the Xen kernel communication operations for process creation and process exit events between Domain 0 and the Xen kernel, together with the corresponding parameter-passing data structures; the Xen kernel layer and the Domain 0 layer then communicate through the added communication operations and the corresponding parameter-passing data structures.
Specifically, to let Domain 0 control the process behaviour detection module in the Xen kernel part, the __HYPERVISOR_domctl hypercall provided by the Xen kernel is used. This hypercall is the interface through which the management domain manages virtual machines; operations such as virtual machine creation (parameter XEN_DOMCTL_createdomain) and virtual machine destruction (parameter XEN_DOMCTL_destroydomain) are all performed through it. The Xen kernel defines for each operation a corresponding operation number and a data structure for parameter passing. On the basis of this mechanism, the following new operation types and parameter-passing structures were added to the Xen kernel:
The dom_xen_comm data structure plays an important role in the communication between Domain 0 and the Xen kernel: it is the intermediate structure through which the two sides exchange data.
Fig. 5 shows the sequence diagram of the communication between Domain 0 and the Xen kernel according to an embodiment of the invention. As shown in Fig. 5, Domain 0 requests monitoring of the process creation and exit events of a given virtual machine, and the Xen kernel then delivers event notifications and messages to Domain 0.
To establish and maintain the trusted process list in Domain 0, Domain 0 needs to receive the process creation/exit notifications sent by the Xen kernel. The data structure defined for this communication is as follows:
Using the method described above, a page for parameter passing can be established between Domain 0 and the Xen kernel, and struct nt_pro_info is the data structure used for the transfer. As can be seen, this data structure defines the event type, the ID of the virtual machine in which the event occurred, and the page directory address used as the process identifier. The event-handling part of Domain 0 adds to or deletes from the saved process list according to the event type.
In one embodiment of the invention, the hidden process detection method comprises: intercepting process exit events in the designated virtual machine and intercepting process creation events in the designated virtual machine; maintaining, according to the intercepted process exit and process creation events, a trusted process list recording the processes actually running in the designated virtual machine; obtaining one or more untrusted process lists of the processes recorded in the designated virtual machine by traversing the related data structures that record the process information in the designated virtual machine; and judging the hidden processes in the designated virtual machine by comparing the trusted process list with the untrusted process lists.
Here, obtaining the one or more untrusted process lists by traversing the related data structures recording the process information comprises: traversing one or more of the _EPROCESS data structures in the kernel address space, the PspCidTable handle table and the csrss.exe handle table, and correspondingly obtaining one or more groups of process information for the virtual machine; and generating the corresponding one or more untrusted process lists from the one or more groups of process information obtained.
Here, intercepting the process exit events in the designated virtual machine comprises: obtaining the process exit key location address. In the kernel, every process exit is served by the NtTerminateProcess service routine; after completing the termination, NtTerminateProcess unlinks the _EPROCESS management structure of the exiting process from the linked list of process management structures and stores its address at a specified location, and this location is taken as the process exit key location address. Execution of the code at the process exit key location address is then monitored: when the code at this address is called, a process is about to terminate, and the address of the exiting process's _EPROCESS management structure is obtained from this location.
Here, obtaining the process exit key location address comprises: obtaining the address of the NtTerminateProcess service routine, and obtaining the process exit key location address from the address of the NtTerminateProcess service routine. Obtaining the address of the NtTerminateProcess service routine comprises: obtaining the address of the KeServiceDescriptorTable data structure; obtaining the address of the SSDT table from the KeServiceDescriptorTable data structure and determining the offset (index) of the NtTerminateProcess service routine in the SSDT table; and reading the address of the NtTerminateProcess service routine at that offset in the SSDT table.
Here, obtaining the process exit key location address from the address of the NtTerminateProcess service routine comprises: taking the address at offset 0x13c relative to the address of the NtTerminateProcess service routine; at this point the value of interest is held in the ecx register.
Here, monitoring the execution of the process exit key location address comprises: when a VM_ENTRY event occurs for the designated virtual machine, setting the specified debug address register in the VCPU of the designated virtual machine to the process exit key location address; setting, in the debug control register of that VCPU, the execution control bit corresponding to the specified debug address register; and setting the TRAP_debug control bit in the virtual machine control structure (VMCS) of the designated virtual machine. When a VM_EXIT event occurs for the designated virtual machine: if it is a debug exception event, judging whether the address that produced the exception is the process exit key location address and, if so, reading the _EPROCESS management structure address of the exiting process saved at the process exit key location.
Here, intercepting the process creation events in the designated virtual machine comprises: maintaining a current running process list for the designated virtual machine; monitoring the process switch events occurring inside the designated virtual machine and, when such an event is observed, obtaining the value of the CR3 register of the VCPU of the designated virtual machine, the CR3 value being the identifying information of the process switched to; judging whether the obtained CR3 value is present in the current running process list and, if it is not, concluding that a process has been created and adding the CR3 value to the current running process list; and, when a process exit event is intercepted in the designated virtual machine, deleting the exited process from the current running process list.
Here, monitoring the process switch events occurring inside the designated virtual machine comprises: setting the CPU_BASED_CR3_LOAD_EXITING control bit in the VMCS of the designated virtual machine. This control bit is located in the processor-based VM-execution controls of the VMCS and determines whether a VM_EXIT event occurs when the virtual machine executes a MOV to CR3 instruction, that is, on a process switch.
Here, maintaining the trusted process list recording the processes actually running in the designated virtual machine comprises: when a process creation event is intercepted in the designated virtual machine, judging whether the process is already in the trusted process list and adding it if not; and when a process exit event is intercepted in the designated virtual machine, deleting the process from the trusted process list.
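The Domain 0 side of the procedure above, as an added example that is not the patent's own code: a tracker keyed by page directory base (CR3), which is the process identifier struct nt_pro_info carries, is fed by CR3-load VM exits and by hits on the NtTerminateProcess key location, and the resulting trusted list is compared against untrusted views in a cross-view check. The event type codes, the domain ID, the CR3 values and the three view listings (EPROCESS walk, PspCidTable, csrss.exe handle table) are all constructed for this example; the page does not give them. Two things the page's text implies but does not spell out are made explicit: a CR3 reload for an already-known process is an ordinary context switch and must not be counted as a creation, and a view entry with no trusted counterpart is reported separately rather than being silently ignored.

```python
from dataclasses import dataclass

# Event type codes for the Xen -> Domain 0 notification. struct nt_pro_info carries an event
# type, a domain ID and a page directory address, but the page gives no values, so these
# numbers are an assumption of this example.
EV_CREATE, EV_EXIT = 1, 2


@dataclass(frozen=True)
class ProcView:
    """One entry of an untrusted view (EPROCESS walk, PspCidTable or csrss handle table)."""
    pdbase: int
    pid: int
    name: str


class ProcessTracker:
    """Domain 0 state: the current running process list keyed by page directory base (CR3),
    updated from CR3-load VM exits and from NtTerminateProcess breakpoint hits."""

    def __init__(self):
        self.trusted = set()
        self.events = []          # (event type, domid, pdbase) as delivered to Domain 0

    def on_cr3_load(self, domid, cr3):
        """CPU_BASED_CR3_LOAD_EXITING exit. A CR3 never seen before is a new process;
        a reload of a known CR3 is a context switch and produces no event."""
        if cr3 in self.trusted:
            return None
        self.trusted.add(cr3)
        self.events.append((EV_CREATE, domid, cr3))
        return EV_CREATE

    def on_process_exit(self, domid, cr3):
        """Debug exception at the NtTerminateProcess key location for process `cr3`."""
        if cr3 not in self.trusted:
            return None           # unknown process, e.g. started before monitoring began
        self.trusted.discard(cr3)
        self.events.append((EV_EXIT, domid, cr3))
        return EV_EXIT


def cross_view_compare(trusted, views):
    """Compare the trusted list with each untrusted view.
    hidden:      trusted pdbases a view does not show (candidate unlinked/hidden process)
    unaccounted: pdbases a view shows that are not trusted (stale or pre-monitoring entry)"""
    hidden, unaccounted = {}, {}
    for view_name, entries in views.items():
        shown = {e.pdbase for e in entries}
        if trusted - shown:
            hidden[view_name] = sorted(trusted - shown)
        if shown - trusted:
            unaccounted[view_name] = sorted(shown - trusted)
    return hidden, unaccounted


def run_sample():
    """Constructed scenario: four processes start, one exits, and one of the survivors has
    been unlinked from the EPROCESS list and is missing from csrss.exe's handle table
    while still present in PspCidTable."""
    t, dom = ProcessTracker(), 7
    for cr3 in (0x39000, 0x1A40000, 0x2B80000, 0x39000, 0x1A40000, 0x3C00000):
        t.on_cr3_load(dom, cr3)              # the repeated values are context switches
    t.on_process_exit(dom, 0x3C00000)        # a short-lived process exits
    t.on_process_exit(dom, 0x4D00000)        # exit for a process never seen: ignored

    sys_, expl = ProcView(0x39000, 4, "System"), ProcView(0x1A40000, 1524, "explorer.exe")
    views = {
        "eprocess": [sys_, expl],
        "pspcid":   [sys_, expl, ProcView(0x2B80000, 2044, "svchost.exe")],
        "csrss":    [sys_, expl, ProcView(0x3C00000, 2100, "notepad.exe")],   # stale entry
    }
    return t, cross_view_compare(t.trusted, views)
```

A process reported as hidden by the EPROCESS view but present in PspCidTable is the classic DKOM signature; a process absent from every view including PspCidTable is worth treating as a higher-confidence finding, since it means the kernel's own handle bookkeeping has been tampered with too.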
In one embodiment of the invention, in the scheme for detecting parasitic processes in the virtual machine, the introspection of the virtual machine is implemented on Volatility. A Libvmi-based introspection scheme provides external access to the data at specified addresses in the process address space inside the virtual machine, but it requires reverse analysis for each operating system to determine the offsets of the target data objects, which is inconvenient. Volatility, as a mature memory forensics framework, provides general support for the various operating system types; it is implemented in Python, and the address space mechanism it provides gives it good extensibility. The invention uses Libvmi to provide the address space interface that Volatility uses, so that the run-time memory of the virtual machine is abstracted as the input file of Volatility. The address spaces supported by Volatility are extended by inheriting from the BaseAddressSpace class and implementing interfaces such as read, zread and get_available_addresses.
The parasitic process detection scheme proposed in the embodiments of the invention is driven by the network behaviour of processes: only when a designated critical process in the virtual machine produces network behaviour is the process producing the traffic checked for signs of a hidden intrusion. When the virtual machine produces a large volume of network traffic, a synchronous "packet, process, next packet" mode of processing causes heavy packet loss, and because processing one packet may take a long time, the process information reconstructed for the next packet may already be stale. The embodiments of the invention propose the following solution:
A message queue is set up; the packets entering and leaving the target virtual machine are intercepted and processed, and the result data is put into the message queue; data is extracted from the message queue and processed, which comprises: determining the currently active network connections in the target virtual machine and their owning processes, reconstructing outside the target virtual machine the relevant information of the currently active network connections and their owning processes, and determining the parasitic processes in the target virtual machine by analysing the reconstructed relevant information.
Here, intercepting and processing the packets entering and leaving the target virtual machine and putting the result data into the message queue comprises: a first group of producer coroutines intercepting the packets entering and leaving the target virtual machine, extracting connection summary information and putting it into a first task queue; and a first group of consumer coroutines taking connection summary information from the first task queue and, after completing the relevant processing, sending the result data to the message queue. Extracting data from the message queue and processing it comprises: a second group of producer coroutines monitoring the message queue and putting the data taken from it into a second task queue; and a second group of consumer coroutines taking data from the second task queue and processing it.
Fig. 6 is a schematic diagram of the delivery of intercepted packets according to an embodiment of the invention. Two packet delivery mechanisms follow from Fig. 6:
(1) The sniffer retains only three basic functions: intercepting packets, extracting connection summaries, and detecting abnormal network connections of processes. Lightweight coroutines are introduced for asynchronous event handling to improve processing efficiency: a producer coroutine captures the network traffic of the virtual machine from the virtual bridge, extracts the connection summary information and puts it into the sniffer's task queue; a consumer coroutine takes connection summaries from the task queue, completes the work of resolving the owning process in the virtual machine and checking the legitimacy of the connection, and sends the detection result, or a request for further detection, to the designated RabbitMQ message queue. In order to resolve the owning process of short-lived connections, such as UDP connections, in time, this module uses a priority queue so that connections of this type have their owning process resolved first;
(2) The sniffer and the parasitic process detection module are loosely coupled. The two exchange, through the RabbitMQ message queue mechanism, the processes whose network connections need a safety check, and the sniffer passes the result of network behaviour monitoring, or the information of the processes to be checked for injection behaviour, to the parasitic process detection module through the message queue. To improve the efficiency of the parasitic process detection module, coroutines are likewise used in it: a producer coroutine monitors the designated RabbitMQ queue, obtains new tasks and puts them into the module's task queue, and a consumer coroutine takes tasks from the task queue and processes them.
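The two-stage producer/consumer pipeline of mechanisms (1) and (2), as an added example that is not the patent's own code. Python's asyncio coroutines play the role of the page's coroutines, a PriorityQueue gives UDP summaries precedence over TCP ones so that their owning process is resolved before the short-lived socket disappears, and an ordinary asyncio.Queue stands in for the RabbitMQ queue between the sniffer and the detection module. The capture, the socket-to-process lookup (which in the real system is reconstructed through Volatility) and the port-based verdict in the detector are all constructed placeholders so that the example runs offline.

```python
import asyncio
from dataclasses import dataclass, field

# Constructed capture as the sniffer would see it on the virtual bridge:
# (proto, local ip, local port, remote ip, remote port). Not real traffic.
CAPTURE = [
    ("tcp", "10.0.0.5", 49152, "93.184.216.34", 443),
    ("udp", "10.0.0.5", 53211, "10.0.0.2", 53),
    ("tcp", "10.0.0.5", 49153, "198.51.100.9", 4444),
    ("udp", "10.0.0.5", 53212, "10.0.0.2", 53),
]

# Hypothetical owner lookup standing in for the guest socket table the consumer would
# reconstruct through Volatility; static so that the example runs offline.
SOCKET_OWNER = {("udp", 53211): "svchost.exe", ("udp", 53212): "svchost.exe",
                ("tcp", 49152): "iexplore.exe", ("tcp", 49153): "svchost.exe"}

DONE = None  # end-of-stream marker passed down the pipeline


@dataclass(order=True)
class Task:
    priority: int          # 0 = short-lived (UDP) flow, resolve before anything else
    seq: int               # capture order breaks ties so equal priorities stay FIFO
    summary: object = field(compare=False)


async def sniffer_producer(capture, task_q):
    """First-stage producer: extract the connection summary of each packet into the
    sniffer task queue, UDP first so its owner is resolved while the socket still exists."""
    for seq, pkt in enumerate(capture):
        await task_q.put(Task(0 if pkt[0] == "udp" else 1, seq, pkt))
    await task_q.put(Task(9, len(capture), DONE))     # sorts after every real task


async def sniffer_consumer(task_q, msg_q):
    """First-stage consumer: resolve the owning process and hand the result to the
    message queue (asyncio.Queue here, RabbitMQ on the page)."""
    while True:
        task = await task_q.get()
        if task.summary is DONE:
            await msg_q.put(DONE)
            return
        proto, _, lport, rip, rport = task.summary
        owner = SOCKET_OWNER.get((proto, lport), "<unresolved>")
        await msg_q.put({"proto": proto, "process": owner, "remote": (rip, rport)})


async def detector_producer(msg_q, task_q):
    """Second-stage producer: move messages from the message queue into the detector's task queue."""
    while True:
        msg = await msg_q.get()
        await task_q.put(msg)
        if msg is DONE:
            return


async def detector_consumer(task_q, results):
    """Second-stage consumer: run the safety check. The port-4444 test is a placeholder
    for the rule matching the page describes, not a real detection rule."""
    while True:
        msg = await task_q.get()
        if msg is DONE:
            return
        verdict = "abnormal" if msg["remote"][1] == 4444 else "normal"
        results.append((msg["process"], msg["proto"], msg["remote"], verdict))


async def pipeline(capture):
    sniff_q, msg_q, det_q, results = asyncio.PriorityQueue(), asyncio.Queue(), asyncio.Queue(), []
    await asyncio.gather(
        sniffer_producer(capture, sniff_q),
        sniffer_consumer(sniff_q, msg_q),
        detector_producer(msg_q, det_q),
        detector_consumer(det_q, results),
    )
    return results


def run_pipeline(capture=CAPTURE):
    """Run the whole pipeline over a capture and return the detector's verdicts in processing order."""
    return asyncio.run(pipeline(capture))
```

With the capture above the two UDP summaries come out of the first stage before either TCP one even though they were captured later, which is exactly the reordering the priority queue exists for; the stages after the message queue stay FIFO, so the verdicts arrive in that same order.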
In one embodiment of the invention, in the method shown in Fig. 1, reconstructing outside the target virtual machine the relevant information of the currently active network connections and their owning processes, and determining the parasitic processes in the target virtual machine by analysing the reconstructed relevant information, comprises one or both of the following two methods:
The first parasitic process detection method: reconstructing outside the target virtual machine the relevant information of the currently active network connections held by the processes in the target virtual machine; for each currently active network connection, judging whether it is an abnormal connection by matching its relevant information against the corresponding safety detection rules; and, if a network connection is judged to be abnormal, determining that the process owning that connection is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected;
The second parasitic process detection method: for each target process, reconstructing outside the target virtual machine the process management structures of the target process inside the target virtual machine; and determining, by analysing the reconstructed process management structures, whether the target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected.
In one embodiment of the invention, the first parasitic process detection method is process-level network behaviour detection and is implemented by the NetAnomalyDetector class. Fig. 7 is a schematic class diagram of the implementation of process-level network behaviour monitoring according to an embodiment of the invention. Referring to Fig. 7, this class likewise takes Dlllist as its base class in order to call the interfaces of the Volatility framework, and provides functional interfaces such as parsing access control rules, monitoring the TCP/UDP connection information of the designated virtual machine, reconstructing processes, and checking whether the packets sent by a process comply with the access control rules.
In one embodiment of the invention, the second parasitic process detection method is process-level injection behaviour detection. Fig. 8 is a schematic class diagram of the implementation of injection behaviour monitoring according to an embodiment of the invention. As shown in Fig. 8, the injected-code-block detection function is mainly implemented in the InjectionDetector class, which inherits from the DllList class in order to use the interfaces provided by the Volatility framework and calls the three functions of the _EPROCESS class that obtain the DLL lists; on this basis the detection of DLL injection and code injection behaviour is implemented.
In one embodiment of the invention, the first parasitic process detection method specifically comprises: intercepting the packets entering and leaving the designated virtual machine; determining, from the intercepted packets, the currently active network connections in the designated virtual machine; reconstructing outside the designated virtual machine the relevant information of the currently active network connections held by the processes in the designated virtual machine; for each currently active network connection, judging whether it is an abnormal connection by matching its relevant information against the corresponding safety detection rules; and, if a network connection is judged to be abnormal, determining that the process owning that connection is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected.
Here, reconstructing outside the designated virtual machine the relevant information of the currently active network connections held by the processes in the designated virtual machine comprises: using Libvmi to map the memory address space of the designated virtual machine corresponding to the target process into the memory address space of Domain 0, thereby providing address space support for the Volatility framework; generating, on the basis of the Volatility framework, a script for analysing and reading the memory of the designated virtual machine at run time; and the script obtaining the relevant content of the target process through the mapped memory address space of Domain 0.
Here, reconstructing outside the designated virtual machine the relevant information of the currently active network connections held by the processes in the designated virtual machine comprises: finding the node that stores the tcpip.sys module information in the Windows system; obtaining the addresses of _AddrObjTable and _TCBTable from the node storing the tcpip.sys module information; and traversing the singly linked lists pointed to by _AddrObjTable and _TCBTable to obtain the relevant information of the currently active network connections held by the processes in the designated virtual machine.
Here, finding the node that stores the tcpip.sys module information in the Windows system comprises: obtaining the pointer to the _KPCR data structure from the FS register in kernel mode; reading the pointer to the _DBGKD_GET_VERSION64 data structure from the KdVersionBlock member of the _KPCR data structure; obtaining, from the PsLoadedModuleList member of the _DBGKD_GET_VERSION64 data structure, the address of the head node of the doubly linked list storing module information; and traversing the doubly linked list pointed to by PsLoadedModuleList to find the node storing the tcpip.sys module information.
Here, determining the currently active network connections in the designated virtual machine from the intercepted packets, and reconstructing outside the designated virtual machine the relevant information of the currently active network connections held by the processes in the designated virtual machine, comprises: establishing a record queue and a process queue, where the record queue maintains the information of the currently active network connections of the designated virtual machine, including the identifier of each network connection, the corresponding process, the processing time and the safety detection result, and the process queue stores the process list of the designated virtual machine.
Here, for each intercepted packet the following flow is performed: judging whether the record queue already contains the information of the currently active network connection corresponding to the packet; if it does, handling the packet according to the existing safety detection result; if it does not, reconstructing the relevant information of this currently active network connection held by a process in the designated virtual machine; determining the owning process from the reconstructed relevant information of the connection and judging whether that process is present in the process queue, updating the process into the process queue if it is not and, if it is, judging according to the safety detection rules corresponding to the process whether the currently active network connection is an abnormal connection; handling the packet according to the safety detection result; and updating the currently active network connection, the corresponding process, the processing time and the safety detection result into the record queue.
Here, judging whether a currently active network connection is an abnormal connection by matching its relevant information against the corresponding safety detection rules comprises: for a process of a single-purpose application, extracting the inherent network behaviour that the application may perform and generating legitimate behaviour rules from it; and matching the relevant information of the currently active network connection against the legitimate behaviour rules corresponding to its owning process, the connection being judged abnormal if no matching item exists.
Here, judging whether a currently active network connection is an abnormal connection by matching its relevant information against the corresponding safety detection rules comprises: presetting a default deny rule containing one or more match items, and presetting a default allow rule containing one or more match items; for a currently active network connection, first judging according to its owning process whether the default deny rule or the default allow rule applies; if the default deny rule applies, matching the relevant information of the connection against the match items of the additionally defined allow rules, determining the connection to be normal if a matching item exists and abnormal if none exists; and if the default allow rule applies, matching the relevant information of the connection against the match items of the additionally defined deny rules, determining the connection to be abnormal if a matching item exists and normal if none exists.
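The rule matching of the two preceding paragraphs, as an added example that is not the patent's own code: a connection summary (owning process plus protocol and remote endpoint) is checked against a per-process policy that is either default deny with additional allow items or default allow with additional deny items, and a small learn_policy helper turns the endpoints observed during a clean run of a single-purpose application into the legitimate-behaviour rules the page describes. The policies, process names and endpoints are constructed; the page gives no rule syntax, so match items here are (protocol, CIDR network, port set), and the choice to treat a process with no policy as default deny is an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """Connection summary as the sniffer reconstructs it: owning process plus remote endpoint."""
    process: str
    proto: str          # "tcp" or "udp"
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class MatchItem:
    """One match item of a rule. Fields left at their defaults match anything."""
    proto: str = "any"
    network: str = "0.0.0.0/0"
    ports: frozenset = frozenset()

    def matches(self, c):
        if self.proto != "any" and self.proto != c.proto:
            return False
        if ipaddress.ip_address(c.remote_ip) not in ipaddress.ip_network(self.network):
            return False
        return not self.ports or c.remote_port in self.ports


@dataclass(frozen=True)
class ProcessPolicy:
    default_deny: bool
    items: tuple        # extra allow items under default deny, extra deny items under default allow


# Constructed policies for two hypothetical guest processes.
POLICIES = {
    # single-purpose server: nothing but its own service port and DNS inside 10/8
    "sqlservr.exe": ProcessPolicy(True, (
        MatchItem("tcp", "10.0.0.0/8", frozenset({1433})),
        MatchItem("udp", "10.0.0.0/8", frozenset({53})),
    )),
    # browser: may talk to anything, except two common C2 ports and one blocked range
    "iexplore.exe": ProcessPolicy(False, (
        MatchItem("tcp", "0.0.0.0/0", frozenset({4444, 6667})),
        MatchItem("any", "198.51.100.0/24"),
    )),
}
# Assumption of this example: a process without a policy is treated as default deny.
NO_POLICY = ProcessPolicy(True, ())


def classify(conn, policies=POLICIES):
    """Return "normal" or "abnormal" following the default-deny / default-allow logic."""
    policy = policies.get(conn.process.lower(), NO_POLICY)
    hit = any(item.matches(conn) for item in policy.items)
    if policy.default_deny:
        return "normal" if hit else "abnormal"      # allow items are the exceptions
    return "abnormal" if hit else "normal"          # deny items are the exceptions


def learn_policy(observed):
    """Legitimate-behaviour rules for a single-purpose application: every endpoint seen
    during a clean run becomes an allow item of a default-deny policy."""
    items = {MatchItem(c.proto, c.remote_ip + "/32", frozenset({c.remote_port})) for c in observed}
    return ProcessPolicy(True, tuple(sorted(items, key=repr)))
```

Default deny is the right posture for any process whose legitimate traffic can be enumerated; default allow with deny exceptions only ever catches what the rule author already thought of, so for the browser-style policy above the interesting signal is less the verdict than the fact that an unexpected process (one with no policy at all) opened a socket.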
In one embodiment of the invention, the second parasitic process detection method specifically comprises: determining one or more processes in the designated virtual machine as target processes; for each target process, reconstructing outside the designated virtual machine the process management structures of the target process inside the designated virtual machine; and determining, by analysing the reconstructed process management structures, whether the target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected.
Here, determining one or more processes in the designated virtual machine as target processes comprises: taking one or more processes in the designated virtual machine that produce network behaviour as the target processes.
Reconstructing outside the designated virtual machine the process management structures of the target process inside the designated virtual machine comprises: obtaining the relevant content of the target process from the memory of the designated virtual machine.
Here, obtaining the relevant content of the target process from the memory of the designated virtual machine comprises: using Libvmi to map the memory address space of the designated virtual machine corresponding to the target process into the memory address space of Domain 0, thereby providing address space support for the Volatility framework; generating, on the basis of the Volatility framework, a script for analysing and reading the memory of the designated virtual machine at run time; and the script obtaining the relevant content of the target process through the mapped memory address space of Domain 0.
Here, obtaining the relevant content of the target process from the memory of the designated virtual machine comprises: obtaining the DLL information loaded by the target process from the process environment block (PEB) located in the user address space; and obtaining the DLL information loaded by the target process from the virtual address descriptor (VAD) structures located in the kernel address space.
Here, obtaining the DLL information loaded by the target process from the PEB located in the user address space comprises: obtaining the DLL information loaded by the target process from the three doubly linked lists in the PEB whose nodes record DLL information; the three doubly linked lists are, respectively, InLoadOrderList, ordered by load order, InMemoryOrderList, ordered by position in memory, and InInitOrderList, ordered by initialisation order.
Here, obtaining the DLL information loaded by the target process from the VAD structures located in the kernel address space comprises: traversing the EPROCESS linked list to obtain the EPROCESS address of the target process; obtaining the address VadRoot of the root node of the VAD tree from the EPROCESS data structure at that address; traversing the VAD tree with a preorder traversal algorithm and extracting the VAD nodes that have execute permission and whose FileName is not empty; and obtaining the DLL information loaded by the target process from the information in the extracted VAD nodes.
Here, when the DLL information loaded by the target process has been obtained both from the PEB located in the user address space and from the VAD structures located in the kernel address space, whether the target process is a parasitic process into which a malicious DLL has been injected is determined as follows: if a DLL is absent from the DLL information obtained from the PEB but present in the DLL information obtained from the VAD structures, that DLL is a malicious DLL and the target process is a parasitic process into which a malicious DLL has been injected.
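The PEB-versus-VAD comparison of the preceding paragraphs, as an added example that is not the patent's own code: the VAD tree is walked in preorder from VadRoot, nodes with execute protection and a non-empty backing file name are taken as the kernel's view of loaded images, and any image the three PEB loader lists do not know about is reported as injected. The loader lists, the VAD tree, the protection values and the module paths are constructed; the protection encoding follows the VadFlags.Protection index table (MM_EXECUTE = 2, MM_EXECUTE_READ = 3, MM_EXECUTE_READWRITE = 6, MM_EXECUTE_WRITECOPY = 7) rather than the PAGE_* constants. Two practical details the page leaves implicit: the main executable appears in the VAD and in two of the three loader lists but never in the initialisation-order list, so the comparison must use the union of the three; and executable private regions with no file name are not DLLs at all and are handed on to the PE-header and entropy checks rather than reported here.

```python
import ntpath
from dataclasses import dataclass
from typing import Optional

# VadFlags.Protection index values (the MM_* table used by Volatility's vadinfo plugin).
MM_READWRITE, MM_EXECUTE_READWRITE, MM_EXECUTE_WRITECOPY = 4, 6, 7
EXECUTABLE = {2, 3, 6, 7}   # MM_EXECUTE, MM_EXECUTE_READ, MM_EXECUTE_READWRITE, MM_EXECUTE_WRITECOPY


@dataclass
class VadNode:
    start: int
    end: int
    protection: int
    filename: str = ""                 # backing file for mapped images, "" for private memory
    left: Optional["VadNode"] = None
    right: Optional["VadNode"] = None


@dataclass
class Peb:
    """The three PEB loader lists; the initialisation-order list never contains the main EXE."""
    in_load_order: list
    in_memory_order: list
    in_init_order: list


def preorder(root):
    """Iterative preorder walk of the VAD tree: node first, then left subtree, then right."""
    stack = [root] if root is not None else []
    while stack:
        node = stack.pop()
        yield node
        if node.right is not None:
            stack.append(node.right)
        if node.left is not None:
            stack.append(node.left)


def vad_image_modules(root):
    """Kernel view: executable VAD nodes backed by a file, keyed by lower-cased basename."""
    return {ntpath.basename(n.filename).lower(): n
            for n in preorder(root) if n.protection in EXECUTABLE and n.filename}


def peb_modules(peb):
    """User view: union of the three loader lists, as lower-cased basenames."""
    return {ntpath.basename(p).lower()
            for lst in (peb.in_load_order, peb.in_memory_order, peb.in_init_order) for p in lst}


def find_injected_dlls(peb, root):
    """A module the kernel maps executable but no loader list knows about is the page's
    criterion for an injected (malicious) DLL."""
    return sorted(set(vad_image_modules(root)) - peb_modules(peb))


def anonymous_executable_regions(root):
    """Executable private regions with no backing file: input for the entropy check."""
    return [(n.start, n.end) for n in preorder(root) if n.protection in EXECUTABLE and not n.filename]


def sample_process():
    """Constructed process: loader lists and a VAD tree with one unlisted DLL and one RWX region."""
    ntdll, k32, exe = (r"C:\WINDOWS\system32\ntdll.dll", r"C:\WINDOWS\system32\kernel32.dll",
                       r"C:\WINDOWS\explorer.exe")
    peb = Peb([exe, ntdll, k32], [exe, ntdll, k32], [ntdll, k32])
    root = VadNode(0x7C800000, 0x7C8F5FFF, MM_EXECUTE_WRITECOPY, r"\WINDOWS\system32\kernel32.dll")
    root.left = VadNode(0x01000000, 0x010FFFFF, MM_EXECUTE_WRITECOPY, r"\WINDOWS\explorer.exe")
    root.left.left = VadNode(0x00150000, 0x0024FFFF, MM_READWRITE)                        # heap
    root.left.right = VadNode(0x10000000, 0x1000FFFF, MM_EXECUTE_WRITECOPY, r"\Temp\evil.dll")
    root.right = VadNode(0x7C900000, 0x7C9AFFFF, MM_EXECUTE_WRITECOPY, r"\WINDOWS\system32\ntdll.dll")
    root.right.right = VadNode(0x7FF00000, 0x7FF0FFFF, MM_EXECUTE_READWRITE)               # private RWX
    return peb, root
```

The comparison is one-directional on purpose: a DLL listed in the PEB but absent from the VAD is not an injection signature (the loader lists are user-writable and an unlinked entry there is a different evasion), so it is not part of the page's rule and is not flagged here.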
Wherein, determining, by analyzing the reconstructed process management structure, whether this target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected comprises: if the header structure of a PE-format file is present in the data of the reconstructed process management structure, taking the content corresponding to that PE file header structure as the target of security monitoring.
Wherein, reconstructing, outside the designated virtual machine, the process management structure of this target process inside the designated virtual machine comprises: obtaining, from the memory of the designated virtual machine, the executable code related to the target process that is located in the different executable memory regions; and determining, by analyzing the reconstructed process management structure, whether the target process is a parasitic process into which malicious code or a malicious DLL has been injected comprises: calculating the entropy of the executable code in each of the different memory regions separately, and if the calculated entropy of the executable code in any region is greater than a predetermined threshold, determining that the target process is a parasitic process into which malicious code or a malicious DLL has been injected.
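The two rules of the preceding paragraphs (a PE header in a reconstructed region marks a monitoring target; executable code whose entropy exceeds a threshold marks a parasitic process), as an added Python example rather than the patent's code. The memory regions are constructed inline, and `ENTROPY_THRESHOLD` is an assumed value since the page does not fix one.

```python
import hashlib
import math
import struct
from dataclasses import dataclass
from typing import Dict, List

# Assumed threshold in bits per byte; the page leaves the exact value open.
ENTROPY_THRESHOLD = 7.0


@dataclass
class MemRegion:
    """One executable memory region of the reconstructed process (constructed)."""
    base: int
    data: bytes


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def has_pe_header(data: bytes) -> bool:
    """True if the region begins with an MZ DOS header whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature inside the region."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def analyse_regions(regions: List[MemRegion],
                    threshold: float = ENTROPY_THRESHOLD) -> Dict:
    """Apply both rules to every executable region: a PE header makes the
    region a monitoring target, entropy above the threshold makes the
    process parasitic."""
    monitor_targets, high_entropy = [], []
    for r in regions:
        if has_pe_header(r.data):
            monitor_targets.append(r.base)
        if shannon_entropy(r.data) > threshold:
            high_entropy.append(r.base)
    return {"monitor_targets": monitor_targets,
            "high_entropy": high_entropy,
            "parasitic": bool(high_entropy)}


# --- constructed sample regions ---------------------------------------------
def _fake_pe_image() -> bytes:
    """Minimal DOS header + PE signature followed by padding; not loadable."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr) + b"\xcc" * 512


def _plain_code() -> bytes:
    """A repeated x86 prologue/epilogue: low entropy, like ordinary code."""
    return bytes.fromhex("558bec83ec105356578b7d0833c05f5e5bc9c3") * 64


def _packed_payload() -> bytes:
    """Deterministic pseudo-random bytes standing in for packed/encrypted code."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                    for i in range(128))


SAMPLE_REGIONS = [
    MemRegion(0x00400000, _fake_pe_image()),   # main image with its PE header
    MemRegion(0x00A10000, _plain_code()),      # private executable code, low entropy
    MemRegion(0x10000000, _packed_payload()),  # injected, high-entropy payload
]
```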
Based on the above embodiments, a structural diagram of the virtual machine malicious behavior detection system of the present invention is provided.
Fig. 9 shows a structural diagram of a virtual machine malicious behavior detection system according to an embodiment of the invention. As shown in Fig. 9, the virtual machine malicious behavior detection system 900 comprises:
a process behavior detection module 910, adapted to monitor process creation and exit events in the target virtual machine and to notify the security monitoring module;
a security monitoring module 920, adapted to maintain, according to the notifications of process creation and process exit events, a trusted process list recording the processes actually running in the target virtual machine; to obtain one or more untrusted process lists recording the processes in the target virtual machine by traversing the related data structures that record process information in the target virtual machine; and to identify hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process lists;
a sniffer 930, adapted to intercept the data packets entering and leaving the target virtual machine and, from the intercepted packets, to determine the currently active network connections in the target virtual machine and the processes they belong to;
a virtual machine introspection module 940, adapted to reconstruct, outside the target virtual machine, the related information of the currently active network connections and the processes they belong to;
the security monitoring module 920 being further adapted to determine the parasitic processes in the target virtual machine by analyzing the reconstructed related information.
In one embodiment of the invention, the process behavior detection module 910 is located in the Xen kernel layer; the security monitoring module 920 is located in the management domain Domain 0 layer; the sniffer 930 is located at the virtual bridge of the Domain 0 layer; and the virtual machine introspection module 940 is located in the Domain 0 layer;
the security detection module 920 comprises a hidden process detection module 921 and a parasitic process detection module 922;
the hidden process detection module 921 is adapted to maintain the trusted process list according to the notifications of process creation and process exit events, to obtain one or more untrusted process lists, and to identify hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process lists;
the parasitic process detection module 922 is adapted to determine the parasitic processes in the target virtual machine by analyzing the reconstructed related information.
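The hidden-process comparison performed by module 921, as an added Python example that is not the patent's code: the trusted list is built only from a constructed stream of create/exit notifications (the kind the Xen-layer monitor would send to Domain 0), and the untrusted views are constructed sets standing in for walks of two different in-guest structures. The `find_stale` check goes slightly beyond the page's rule by also reporting entries that appear in a view but are not actually running.

```python
from typing import Dict, List, Set, Tuple

Event = Tuple[str, int, str]  # (event kind, pid, image name)

# Constructed event stream in the order the Xen-layer monitor would report
# it to Domain 0 via the added domctl operation.
SAMPLE_EVENTS: List[Event] = [
    ("create", 4, "System"),
    ("create", 412, "smss.exe"),
    ("create", 600, "csrss.exe"),
    ("create", 1320, "explorer.exe"),
    ("create", 2044, "notepad.exe"),
    ("create", 3112, "hidden_svc.exe"),
    ("exit", 2044, "notepad.exe"),
]

# Constructed untrusted views, each produced by walking one in-guest structure.
# A rootkit has unlinked pid 3112 from the EPROCESS list, while a walk of the
# PID table still sees it; pid 2044 lingers in the PID table after exiting.
SAMPLE_VIEWS: Dict[str, Set[int]] = {
    "EPROCESS_list": {4, 412, 600, 1320},
    "PID_table": {4, 412, 600, 1320, 2044, 3112},
}


class TrustedProcessList:
    """Built only from create/exit notifications, never by reading guest
    memory, so an in-guest rootkit cannot edit it."""

    def __init__(self) -> None:
        self._procs: Dict[int, str] = {}

    def apply(self, kind: str, pid: int, name: str) -> None:
        if kind == "create":
            self._procs[pid] = name
        elif kind == "exit":
            self._procs.pop(pid, None)
        else:
            raise ValueError(f"unknown event kind {kind!r}")

    def pids(self) -> Set[int]:
        return set(self._procs)

    def name(self, pid: int) -> str:
        return self._procs.get(pid, "?")


def build_trusted(events: List[Event]) -> TrustedProcessList:
    tl = TrustedProcessList()
    for kind, pid, name in events:
        tl.apply(kind, pid, name)
    return tl


def find_hidden(trusted: TrustedProcessList,
                views: Dict[str, Set[int]]) -> Dict[int, List[str]]:
    """A process that is actually running but absent from an untrusted view
    is hidden; returns pid -> names of the views it is missing from."""
    hidden: Dict[int, List[str]] = {}
    for pid in sorted(trusted.pids()):
        missing = [view for view, pids in views.items() if pid not in pids]
        if missing:
            hidden[pid] = missing
    return hidden


def find_stale(trusted: TrustedProcessList,
               views: Dict[str, Set[int]]) -> Dict[str, Set[int]]:
    """The opposite discrepancy (present in a view, not actually running) is
    not part of the page's rule; it is reported as a consistency check, since
    it usually means a structure was not yet cleaned up or was forged."""
    running = trusted.pids()
    return {view: pids - running for view, pids in views.items() if pids - running}
```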
In one embodiment of the invention, the virtual machine introspection module 940 is adapted to obtain the related information of the currently active network connections and the processes they belong to by calling the relevant interface functions and the configuration file mechanism provided by the Libvmi library.
In one embodiment of the invention, the virtual machine introspection module 940 is adapted to obtain the related content of a target process from the memory of the target virtual machine, specifically: using Libvmi to map the memory address space corresponding to the target process in the designated virtual machine into the memory address space of Domain 0, thereby providing address space support for the Volatility framework; generating, based on the Volatility framework, a script for analyzing and reading the memory of the designated virtual machine at run time; and obtaining the related content of the target process through the mapped Domain 0 memory address space by means of that script.
In one embodiment of the invention, based on the `__HYPERVISOR_domctl` hypercall provided by the Xen kernel and the Xen kernel's mechanism of defining a parameter-passing data structure for each operation, a communication operation for process creation and process exit events between Domain 0 and the Xen kernel, together with the corresponding parameter-passing data structure, is added to the Xen kernel; the process behavior detection module 910 located in the Xen kernel layer and the security monitoring module 920 located in the Domain 0 layer communicate based on the added communication operation and the corresponding parameter-passing data structure.
In one embodiment of the invention, the system 900 further comprises a message queue module 950, adapted to hold a message queue arranged between the sniffer and the parasitic process detection module;
the sniffer 930 intercepts and processes the data packets entering and leaving the target virtual machine and puts the resulting data into the message queue; the parasitic process detection module 922 extracts data from the message queue and processes it.
In one embodiment of the invention, producer coroutines of the sniffer 930 intercept the data packets entering and leaving the target virtual machine, extract connection summary information and put it into the sniffer's task queue; consumer coroutines of the sniffer 930 take connection summary information from the sniffer's task queue and, after completing the relevant processing, send the resulting data to the message queue. And/or, producer coroutines in the parasitic process detection module 922 monitor the message queue and put the data taken from it into the task queue of the parasitic process detection module; consumer coroutines in the parasitic process detection module 922 take tasks from the task queue of the parasitic process detection module and process them.
In one embodiment of the invention, the security monitoring module 920 is further adapted to reconstruct, outside the target virtual machine, the related information of the currently active network connections held by the processes in the target virtual machine; for each currently active network connection, to judge whether the connection is abnormal by matching its related information against the corresponding security detection rules; and, if a network connection is judged abnormal, to determine that the process to which the connection belongs is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected; and/or, for each target process, to reconstruct, outside the target virtual machine, the process management structure of the target process inside the target virtual machine, and to determine, by analyzing the reconstructed process management structure, whether the target process is a parasitic process into which malicious code or a malicious DLL has been injected.
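The producer/consumer coroutine pipeline of the message-queue embodiments and the rule matching of the preceding paragraph, as one added Python example using `asyncio` (not the patent's code). Packets, the local-port-to-process mapping (standing in for what the introspection module reconstructs) and the security detection rules are all constructed inline.

```python
import asyncio
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed packet summaries as the sniffer at the virtual bridge might
# decode them: (direction, src_ip, src_port, dst_ip, dst_port, proto).
SAMPLE_PACKETS = [
    ("out", "10.0.0.5", 49152, "93.184.216.34", 443, "tcp"),
    ("out", "10.0.0.5", 49153, "198.51.100.7", 6667, "tcp"),
    ("in", "198.51.100.7", 6667, "10.0.0.5", 49153, "tcp"),
    ("out", "10.0.0.5", 49152, "93.184.216.34", 443, "tcp"),
]
# Constructed local port -> (pid, image name), standing in for the
# connection-to-process information reconstructed outside the VM.
SAMPLE_PORT_OWNERS = {49152: (1320, "explorer.exe"), 49153: (600, "csrss.exe")}
# Constructed security detection rules: image name -> allowed remote ports
# (an empty set means the process is not expected to open connections).
SAMPLE_RULES: Dict[str, Set[int]] = {"explorer.exe": {80, 443}, "csrss.exe": set()}

SENTINEL = None  # end-of-stream marker passed along every queue


@dataclass(frozen=True)
class ConnSummary:
    local_port: int
    remote_ip: str
    remote_port: int
    proto: str


def summarise(pkt: Tuple) -> ConnSummary:
    """Reduce one packet to a direction-independent connection summary."""
    direction, sip, sport, dip, dport, proto = pkt
    if direction == "out":
        return ConnSummary(sport, dip, dport, proto)
    return ConnSummary(dport, sip, sport, proto)


def match_rules(conn: ConnSummary, owner: Tuple[int, str],
                rules: Dict[str, Set[int]]) -> Optional[str]:
    """Return a reason if the connection violates its owner's rule, else None."""
    pid, name = owner
    allowed = rules.get(name)
    if allowed is None:
        return f"no rule for process {name} (pid {pid})"
    if conn.remote_port not in allowed:
        return f"{name} (pid {pid}) connected to {conn.remote_ip}:{conn.remote_port}"
    return None


async def sniffer_producer(packets, task_q: asyncio.Queue):
    """Sniffer producer coroutine: packets -> connection summaries."""
    for pkt in packets:
        await task_q.put(summarise(pkt))
    await task_q.put(SENTINEL)

async def sniffer_consumer(task_q, msg_q, seen: Set[ConnSummary]):
    """Sniffer consumer coroutine: report each active connection once."""
    while (conn := await task_q.get()) is not SENTINEL:
        if conn not in seen:
            seen.add(conn)
            await msg_q.put(conn)
    await msg_q.put(SENTINEL)

async def detector_producer(msg_q, det_q):
    """Detection-module producer: drain the message queue into its task queue."""
    while (conn := await msg_q.get()) is not SENTINEL:
        await det_q.put(conn)
    await det_q.put(SENTINEL)

async def detector_consumer(det_q, owners, rules, findings: List):
    """Detection-module consumer: attribute the connection and match rules."""
    while (conn := await det_q.get()) is not SENTINEL:
        owner = owners.get(conn.local_port)
        if owner is not None:
            reason = match_rules(conn, owner, rules)
            if reason:
                findings.append((owner[0], owner[1], reason))


async def _pipeline(packets, owners, rules):
    task_q, msg_q, det_q = asyncio.Queue(), asyncio.Queue(), asyncio.Queue()
    findings: List[Tuple[int, str, str]] = []
    await asyncio.gather(
        sniffer_producer(packets, task_q),
        sniffer_consumer(task_q, msg_q, set()),
        detector_producer(msg_q, det_q),
        detector_consumer(det_q, owners, rules, findings),
    )
    return findings


def run_pipeline(packets=SAMPLE_PACKETS, owners=SAMPLE_PORT_OWNERS,
                 rules=SAMPLE_RULES) -> List[Tuple[int, str, str]]:
    """Run the pipeline to completion; returns (pid, name, reason) findings."""
    return asyncio.run(_pipeline(packets, owners, rules))
```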
The related content of the system 900 is the same as that of the method embodiments described above and is not repeated here.
In summary, according to the technical scheme of the present invention, process creation and exit events in the target virtual machine are monitored and a trusted process list recording the processes actually running in the target virtual machine is maintained; one or more untrusted process lists recording the processes in the target virtual machine are obtained by traversing the related data structures that record process information in the target virtual machine; hidden processes in the target virtual machine are identified by comparing the trusted process list with the untrusted process lists; the data packets entering and leaving the target virtual machine are intercepted, and from the intercepted packets the currently active network connections in the target virtual machine and the processes they belong to are determined; the related information of those currently active network connections and of the processes they belong to is reconstructed outside the target virtual machine; and the parasitic processes in the target virtual machine are determined by analyzing the reconstructed related information. This scheme can comprehensively detect hidden processes and parasitic processes in a virtual machine, does not rely on an agent inside the virtual machine, belongs to the external detection model, does not affect the performance of the virtual machine, and has good transparency.
It should be noted that:
The algorithms and displays provided here are not inherently related to any particular computer, virtual device or other equipment. Various general-purpose devices may also be used together with the teaching herein. From the description above, the structure required to construct such devices is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described here, and that the above description of a specific language is given to disclose the preferred embodiment of the invention.
In the specification provided herein, a large number of specific details are described. It will be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components in an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the present invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the virtual machine malicious behavior detection system according to embodiments of the invention. The invention may also be embodied as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above-described embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any order. These words may be interpreted as names.
The invention discloses A1, a virtual machine malicious behavior detection method, wherein the method comprises:
monitoring process creation and exit events in the target virtual machine, and maintaining a trusted process list recording the processes actually running in the target virtual machine; obtaining one or more untrusted process lists recording the processes in the target virtual machine by traversing the related data structures that record process information in the target virtual machine; identifying hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process lists;
intercepting the data packets entering and leaving the target virtual machine and, from the intercepted packets, determining the currently active network connections in the target virtual machine and the processes they belong to; reconstructing, outside the target virtual machine, the related information of the currently active network connections and the processes they belong to; and determining the parasitic processes in the target virtual machine by analyzing the reconstructed related information.
A2, the method as described in A1, wherein:
process creation and process exit events in the target virtual machine are monitored in the Xen kernel layer, and the management domain Domain 0 layer is notified; the Domain 0 layer maintains the trusted process list according to the notifications of process creation and process exit events, obtains one or more untrusted process lists, and identifies hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process lists; the data packets entering and leaving the target virtual machine are intercepted at the virtual bridge of the Domain 0 layer; and the Domain 0 layer reconstructs the related information of the currently active network connections and the processes they belong to, and determines the parasitic processes in the target virtual machine by analyzing the reconstructed related information.
A3, the method as described in A1 or A2, wherein reconstructing, outside the target virtual machine, the related information of the currently active network connections and the processes they belong to comprises:
obtaining the related information of the currently active network connections and the processes they belong to by calling the relevant interface functions and the configuration file mechanism provided by the Libvmi library.
A4, the method as described in A1 or A2, wherein reconstructing, outside the target virtual machine, the related information of the currently active network connections and the processes they belong to comprises:
obtaining the related content of a target process from the memory of the target virtual machine, specifically: using Libvmi to map the memory address space corresponding to the target process in the designated virtual machine into the memory address space of Domain 0, thereby providing address space support for the Volatility framework; generating, based on the Volatility framework, a script for analyzing and reading the memory of the designated virtual machine at run time; and the script obtaining the related content of the target process through the mapped Domain 0 memory address space.
A5, the method as described in A2, wherein implementing the communication between the Xen kernel layer and the Domain 0 layer comprises:
based on the `__HYPERVISOR_domctl` hypercall provided by the Xen kernel and the Xen kernel's mechanism of defining a parameter-passing data structure for each operation, adding to the Xen kernel a communication operation for process creation and process exit events between Domain 0 and the Xen kernel, together with the corresponding parameter-passing data structure;
the Xen kernel layer and the Domain 0 layer communicating based on the added communication operation and the corresponding parameter-passing data structure.
A6, the method as described in A2, wherein the method further comprises: arranging a message queue;
intercepting and processing the data packets entering and leaving the target virtual machine, and putting the resulting data into the message queue;
extracting data from the message queue and processing it according to the extracted data, comprising: determining the currently active network connections in the target virtual machine and the processes they belong to, reconstructing outside the target virtual machine the related information of the currently active network connections and the processes they belong to, and determining the parasitic processes in the target virtual machine by analyzing the reconstructed related information.
A7, the method as described in A6, wherein:
intercepting and processing the data packets entering and leaving the target virtual machine and putting the resulting data into the message queue comprises: intercepting the data packets entering and leaving the target virtual machine by a first group of producer coroutines, extracting connection summary information and putting it into a first task queue; taking connection summary information from the first task queue by a first group of consumer coroutines and, after completing the relevant processing, sending the resulting data to the message queue;
and/or,
extracting data from the message queue and processing it according to the extracted data comprises: monitoring the message queue by a second group of producer coroutines and putting the data taken from it into a second task queue; taking data from the second task queue by a second group of consumer coroutines and processing it.
A8, the method as described in A1 or A2, wherein reconstructing, outside the target virtual machine, the related information of the currently active network connections and the processes they belong to, and determining the parasitic processes in the target virtual machine by analyzing the reconstructed related information, comprise:
reconstructing, outside the target virtual machine, the related information of the currently active network connections held by the processes in the target virtual machine; for each currently active network connection, judging whether the connection is abnormal by matching its related information against the corresponding security detection rules; and if a network connection is judged abnormal, determining that the process to which the connection belongs is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected;
and/or,
for each target process, reconstructing, outside the target virtual machine, the process management structure of the target process inside the target virtual machine; and determining, by analyzing the reconstructed process management structure, whether the target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected.
The invention discloses B9, a virtual machine malicious behavior detection system, wherein the system comprises:
a process behavior detection module, adapted to monitor process creation and exit events in the target virtual machine and to notify the security monitoring module;
a security monitoring module, adapted to maintain, according to the notifications of process creation and process exit events, a trusted process list recording the processes actually running in the target virtual machine; to obtain one or more untrusted process lists recording the processes in the target virtual machine by traversing the related data structures that record process information in the target virtual machine; and to identify hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process lists;
a sniffer, adapted to intercept the data packets entering and leaving the target virtual machine and, from the intercepted packets, to determine the currently active network connections in the target virtual machine and the processes they belong to;
a virtual machine introspection module, adapted to reconstruct, outside the target virtual machine, the related information of the currently active network connections and the processes they belong to;
the security monitoring module being further adapted to determine the parasitic processes in the target virtual machine by analyzing the reconstructed related information.
B10, the system as described in B9, wherein the process behavior detection module is located in the Xen kernel layer; the security monitoring module is located in the management domain Domain 0 layer; the sniffer is located at the virtual bridge of the Domain 0 layer; the virtual machine introspection module is located in the Domain 0 layer; the security detection module comprises a hidden process detection module and a parasitic process detection module; the hidden process detection module is adapted to maintain the trusted process list according to the notifications of process creation and process exit events, to obtain one or more untrusted process lists, and to identify hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process lists; and the parasitic process detection module is adapted to determine the parasitic processes in the target virtual machine by analyzing the reconstructed related information.
B11, the system as described in B9 or B10, wherein:
the virtual machine introspection module is adapted to obtain the related information of the currently active network connections and the processes they belong to by calling the relevant interface functions and the configuration file mechanism provided by the Libvmi library.
B12, the system as described in B9 or B10, wherein:
the virtual machine introspection module is adapted to obtain the related content of a target process from the memory of the target virtual machine, specifically: using Libvmi to map the memory address space corresponding to the target process in the designated virtual machine into the memory address space of Domain 0, thereby providing address space support for the Volatility framework; generating, based on the Volatility framework, a script for analyzing and reading the memory of the designated virtual machine at run time; and obtaining the related content of the target process through the mapped Domain 0 memory address space by means of that script.
B13, the system as described in B10, wherein:
based on the `__HYPERVISOR_domctl` hypercall provided by the Xen kernel and the Xen kernel's mechanism of defining a parameter-passing data structure for each operation, a communication operation for process creation and process exit events between Domain 0 and the Xen kernel, together with the corresponding parameter-passing data structure, is added to the Xen kernel;
the process behavior detection module located in the Xen kernel layer and the security monitoring module located in the Domain 0 layer communicate based on the added communication operation and the corresponding parameter-passing data structure.
B14, the system as described in B10, wherein the system further comprises: a message queue module, adapted to hold a message queue arranged between the sniffer and the parasitic process detection module;
the sniffer intercepts and processes the data packets entering and leaving the target virtual machine and puts the resulting data into the message queue;
the parasitic process detection module extracts data from the message queue and processes it.
B15, the system as described in B14, wherein:
producer coroutines of the sniffer intercept the data packets entering and leaving the target virtual machine, extract connection summary information and put it into the sniffer's task queue; consumer coroutines of the sniffer take connection summary information from the sniffer's task queue and, after completing the relevant processing, send the resulting data to the message queue;
and/or,
producer coroutines in the parasitic process detection module monitor the message queue and put the data taken from it into the task queue of the parasitic process detection module; consumer coroutines in the parasitic process detection module take tasks from the task queue of the parasitic process detection module and process them.
B16, the system as described in B9 or B10, wherein the security monitoring module is further adapted to:
reconstruct, outside the target virtual machine, the related information of the currently active network connections held by the processes in the target virtual machine; for each currently active network connection, judge whether the connection is abnormal by matching its related information against the corresponding security detection rules; and if a network connection is judged abnormal, determine that the process to which the connection belongs is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected;
and/or,
for each target process, reconstruct, outside the target virtual machine, the process management structure of the target process inside the target virtual machine; and determine, by analyzing the reconstructed process management structure, whether the target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected.

Claims (10)

1. A virtual machine malicious behavior detection method, wherein the method comprises:
monitoring process creation and exit events in the target virtual machine, and maintaining a trusted process list recording the processes actually running in the target virtual machine; obtaining one or more untrusted process lists recording the processes in the target virtual machine by traversing the related data structures that record process information in the target virtual machine; identifying hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process lists;
intercepting the data packets entering and leaving the target virtual machine and, from the intercepted packets, determining the currently active network connections in the target virtual machine and the processes they belong to; reconstructing, outside the target virtual machine, the related information of the currently active network connections and the processes they belong to; and determining the parasitic processes in the target virtual machine by analyzing the reconstructed related information.
2. The method of claim 1, wherein:
process creation and process exit events in the target virtual machine are monitored in the Xen kernel layer, and the management domain Domain 0 layer is notified;
the Domain 0 layer maintains the trusted process list according to the notifications of process creation and process exit events, obtains one or more untrusted process lists, and identifies hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process lists;
the data packets entering and leaving the target virtual machine are intercepted at the virtual bridge of the Domain 0 layer;
the Domain 0 layer reconstructs the related information of the currently active network connections and the processes they belong to, and determines the parasitic processes in the target virtual machine by analyzing the reconstructed related information.
3. The method as claimed in claim 1 or 2, wherein reconstructing, outside the target virtual machine, the related information of the currently active network connections and the processes they belong to comprises:
obtaining the related information of the currently active network connections and the processes they belong to by calling the relevant interface functions and the configuration file mechanism provided by the Libvmi library.
4. The method as claimed in claim 1 or 2, wherein reconstructing, outside the target virtual machine, the related information of the currently active network connections and the processes they belong to comprises:
obtaining the related content of a target process from the memory of the target virtual machine, specifically: using Libvmi to map the memory address space corresponding to the target process in the designated virtual machine into the memory address space of Domain 0, thereby providing address space support for the Volatility framework; generating, based on the Volatility framework, a script for analyzing and reading the memory of the designated virtual machine at run time; and the script obtaining the related content of the target process through the mapped Domain 0 memory address space.
5. The method as claimed in claim 2, wherein implementing the communication between the Xen kernel layer and the Domain 0 layer comprises:
based on the `__HYPERVISOR_domctl` hypercall provided by the Xen kernel and the Xen kernel's mechanism of defining a parameter-passing data structure for each operation, adding to the Xen kernel a communication operation for process creation and process exit events between Domain 0 and the Xen kernel, together with the corresponding parameter-passing data structure;
the Xen kernel layer and the Domain 0 layer communicating based on the added communication operation and the corresponding parameter-passing data structure.
6. The method of claim 2, wherein the method further comprises: providing a message queue;
intercepting the packets entering and leaving the target virtual machine, processing them, and putting the result data into the message queue;
extracting data from the message queue and processing the extracted data, which comprises: determining the currently active network connections in the target virtual machine and their owning processes, reconstructing outside the target virtual machine the relevant information of the currently active network connections and their owning processes, and determining the parasitic processes in the target virtual machine by analyzing the reconstructed relevant information.
7. The method of claim 6, wherein
intercepting the packets entering and leaving the target virtual machine, processing them, and putting the result data into the message queue comprises: intercepting the packets entering and leaving the target virtual machine by a first group of producer coroutines, extracting connection summary information and putting it into a first task queue; obtaining the connection summary information from the first task queue by a first group of consumer coroutines and, after completing the relevant processing, sending the result data to the message queue;
and/or,
extracting data from the message queue and processing the extracted data comprises: monitoring the message queue by a second group of producer coroutines and putting the data taken from it into a second task queue; obtaining the data from the second task queue by a second group of consumer coroutines and processing it.
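The two-stage queue arrangement of claims 6 and 7, as an added example that is not code from the patent. Python threads stand in for the coroutines, `queue.Queue` for the task queues and the message queue, and the packet records are constructed inline (no bridge sniffing takes place); the guest address `GUEST_IP`, the packet tuple layout and the byte-count aggregation done by the first consumer group are all assumptions made for this illustration.

```python
"""Two-stage producer/consumer pipeline for packets captured at the virtual bridge.

First producer group: intercept packets, extract a connection summary, push to task queue 1.
First consumer group: aggregate summaries per connection, push result data to the message queue.
Second producer group: watch the message queue, move data to task queue 2.
Second consumer group: attribute each connection to the guest side and collect the result.
"""
import queue
import threading
from collections import Counter

GUEST_IP = "10.0.0.5"  # assumed address of the target VM's interface (constructed)
STOP = object()        # sentinel used to drain a queue cleanly

# Constructed sample of packets "intercepted" at the Domain 0 bridge:
# (src_ip, src_port, dst_ip, dst_port, proto, length)
SAMPLE_PACKETS = [
    ("10.0.0.5", 49152, "93.184.216.34", 443, "tcp", 517),
    ("93.184.216.34", 443, "10.0.0.5", 49152, "tcp", 1400),
    ("10.0.0.5", 49152, "93.184.216.34", 443, "tcp", 60),
    ("10.0.0.5", 53021, "198.51.100.9", 4444, "tcp", 120),
    ("198.51.100.9", 4444, "10.0.0.5", 53021, "tcp", 80),
    ("10.0.0.5", 5353, "224.0.0.251", 5353, "udp", 90),
]

def connection_key(pkt):
    """Direction-independent connection summary: (proto, endpoint_a, endpoint_b)."""
    src_ip, src_port, dst_ip, dst_port, proto, _length = pkt
    ends = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    return (proto, ends[0], ends[1])

def first_producer(packets, task_q):
    """First producer group: extract connection summaries from intercepted packets."""
    for pkt in packets:
        task_q.put((connection_key(pkt), pkt[5]))
    task_q.put(STOP)

def first_consumer(task_q, msg_q, n_producers):
    """First consumer group: aggregate bytes per connection, then forward to the message queue."""
    stats, stops = Counter(), 0
    while stops < n_producers:
        item = task_q.get()
        if item is STOP:
            stops += 1
            continue
        key, length = item
        stats[key] += length
    for key, total in stats.items():
        msg_q.put({"connection": key, "bytes": total})
    msg_q.put(STOP)

def second_producer(msg_q, task_q2):
    """Second producer group: monitor the message queue and hand data to task queue 2."""
    while True:
        item = msg_q.get()
        task_q2.put(item)
        if item is STOP:
            return

def second_consumer(task_q2, results):
    """Second consumer group: decide which endpoint is the guest's and record the connection."""
    while True:
        item = task_q2.get()
        if item is STOP:
            return
        proto, end_a, end_b = item["connection"]
        local, remote = (end_a, end_b) if end_a[0] == GUEST_IP else (end_b, end_a)
        results.append({"proto": proto, "local_port": local[1],
                        "remote_ip": remote[0], "remote_port": remote[1],
                        "bytes": item["bytes"]})

def run_pipeline(packets, n_producers=2):
    """Run all four groups to completion and return the per-connection results, sorted."""
    task_q, msg_q, task_q2 = queue.Queue(), queue.Queue(), queue.Queue()
    results = []
    chunks = [packets[i::n_producers] for i in range(n_producers)]
    threads = [threading.Thread(target=first_producer, args=(c, task_q)) for c in chunks]
    threads += [
        threading.Thread(target=first_consumer, args=(task_q, msg_q, n_producers)),
        threading.Thread(target=second_producer, args=(msg_q, task_q2)),
        threading.Thread(target=second_consumer, args=(task_q2, results)),
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(results, key=lambda r: (r["remote_ip"], r["remote_port"]))

if __name__ == "__main__":
    for row in run_pipeline(SAMPLE_PACKETS):
        print(row)
```

The first consumer group is the only place that keeps state, so the number of producers feeding it must be known to count stop sentinels; the second stage is stateless and passes a single sentinel through. The owning-process lookup that the patent's sniffer performs would sit in the second consumer group, where the guest-side port is already known.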
8. The method of claim 1 or 2, wherein reconstructing, outside the target virtual machine, the relevant information of the currently active network connections and their owning processes, and determining the parasitic processes in the target virtual machine by analyzing the reconstructed relevant information, comprises:
reconstructing, outside the target virtual machine, the relevant information of the currently active network connections held by the processes in the target virtual machine; for each currently active network connection, judging whether the network connection is an abnormal connection by matching its relevant information against the corresponding safety detection rules; if a network connection is judged to be abnormal, determining that the process owning the network connection is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected;
and/or,
for each target process, reconstructing outside the target virtual machine the process management structure of the target process inside the target virtual machine; and determining, by analyzing the reconstructed process management structure, whether the target process is a parasitic process into which malicious code or a malicious DLL has been injected.
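Both branches of claim 8 as an added example; this is not the patent's code. The reconstructed connection records and process views are constructed in memory to stand in for Libvmi/Volatility output, the rule format (`images`, `remote_ports`, `remote_nets`) and the three rules themselves are constructed, and the criterion used for the process-structure branch (a module loaded from outside a trusted directory) is an assumption chosen for illustration, not a rule taken from the patent.

```python
"""Parasitic process determination from reconstructed connection and process data.

Branch 1: match each active connection against safety detection rules; the owning
          process of an abnormal connection is reported as parasitic.
Branch 2: inspect the reconstructed process management structure (here: loaded
          module list) for evidence of an injected module.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Connection:
    pid: int
    image: str        # owning process image name, as reconstructed
    proto: str
    local_port: int
    remote_ip: str
    remote_port: int

@dataclass(frozen=True)
class ProcessView:
    pid: int
    image: str
    modules: tuple    # module paths read from the reconstructed management structure

# Constructed safety detection rules. A rule fires when every non-None field matches.
RULES = [
    {"name": "non-network application opening an outbound connection",
     "images": {"notepad.exe", "calc.exe"}, "remote_ports": None, "remote_nets": None},
    {"name": "remote port commonly associated with reverse shells",
     "images": None, "remote_ports": {4444, 1337}, "remote_nets": None},
    {"name": "remote address in a blocked range",
     "images": None, "remote_ports": None, "remote_nets": ("198.51.100.0/24",)},
]

def rule_matches(rule, conn):
    """True if the connection satisfies every constraint the rule specifies."""
    if rule["images"] is not None and conn.image.lower() not in rule["images"]:
        return False
    if rule["remote_ports"] is not None and conn.remote_port not in rule["remote_ports"]:
        return False
    if rule["remote_nets"] is not None:
        addr = ip_address(conn.remote_ip)
        if not any(addr in ip_network(net) for net in rule["remote_nets"]):
            return False
    return True

def abnormal_connections(connections, rules=RULES):
    """Branch 1: {pid: [names of rules matched]} for processes holding an abnormal connection."""
    flagged = {}
    for conn in connections:
        hits = [r["name"] for r in rules if rule_matches(r, conn)]
        if hits:
            flagged.setdefault(conn.pid, []).extend(hits)
    return flagged

# Assumed criterion for branch 2: modules are expected to come from these directories.
TRUSTED_MODULE_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

def suspicious_modules(proc, trusted_dirs=TRUSTED_MODULE_DIRS):
    """Modules loaded from outside the trusted directories."""
    return [m for m in proc.modules if not m.lower().startswith(trusted_dirs)]

def parasitic_by_structure(processes):
    """Branch 2: {pid: [suspicious module paths]} for processes with out-of-place modules."""
    result = {}
    for proc in processes:
        mods = suspicious_modules(proc)
        if mods:
            result[proc.pid] = mods
    return result

def parasitic_processes(connections, processes):
    """Union of both branches: pid -> evidence from each branch that reported it."""
    evidence = {}
    for pid, hits in abnormal_connections(connections).items():
        evidence.setdefault(pid, {})["connections"] = hits
    for pid, mods in parasitic_by_structure(processes).items():
        evidence.setdefault(pid, {})["modules"] = mods
    return evidence

# Constructed sample data standing in for reconstructed guest state.
SAMPLE_CONNECTIONS = [
    Connection(2000, "chrome.exe", "tcp", 49152, "93.184.216.34", 443),
    Connection(4321, "notepad.exe", "tcp", 53021, "198.51.100.9", 4444),
    Connection(600, "svchost.exe", "udp", 5353, "224.0.0.251", 5353),
]
SAMPLE_PROCESSES = [
    ProcessView(2000, "chrome.exe", ("C:\\Windows\\System32\\ntdll.dll",
                                     "C:\\Program Files\\Google\\Chrome\\chrome.dll")),
    ProcessView(4321, "notepad.exe", ("C:\\Windows\\System32\\ntdll.dll",
                                      "C:\\Windows\\System32\\kernel32.dll",
                                      "C:\\Users\\Public\\update.dll")),
]

if __name__ == "__main__":
    print(parasitic_processes(SAMPLE_CONNECTIONS, SAMPLE_PROCESSES))
```

In the constructed sample the two branches agree on the same process, which is the useful property of the "and/or" structure: a connection rule alone can misfire on a legitimate but unusual program, and a module check alone misses injected code that brought no file, so corroboration from both views raises confidence before a process is declared parasitic.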
9. A virtual machine malicious behavior detection system, wherein the system comprises:
a process behavior detection module, adapted to monitor process creation and process exit events in the target virtual machine and to notify the safety monitoring module;
a safety monitoring module, adapted to maintain, according to the notifications of process creation and process exit events, a trusted process list recording the processes actually running in the target virtual machine; to obtain one or more untrusted process lists recording the processes in the target virtual machine by traversing the relevant data structures that record process information in the target virtual machine; and to judge the hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process lists;
a sniffer, adapted to intercept the packets entering and leaving the target virtual machine and to determine, according to the intercepted packets, the currently active network connections in the target virtual machine and their owning processes;
a virtual machine introspection module, adapted to reconstruct, outside the target virtual machine, the relevant information of the currently active network connections and their owning processes;
the safety monitoring module being further adapted to determine the parasitic processes in the target virtual machine by analyzing the reconstructed relevant information.
10. The system of claim 9, wherein
the process behavior detection module is located at the Xen kernel layer;
the safety monitoring module is located at the management domain Domain 0 layer;
the sniffer is located at the virtual bridge of the Domain 0 layer;
the virtual machine introspection module is located at the Domain 0 layer;
the safety detection module comprises a hidden process detection module and a parasitic process detection module;
the hidden process detection module is adapted to maintain the trusted process list according to the notifications of process creation and process exit events, to obtain the one or more untrusted process lists, and to judge the hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process lists;
the parasitic process detection module is adapted to determine the parasitic processes in the target virtual machine by analyzing the reconstructed relevant information.
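The cross-view comparison performed by the hidden process detection module of claims 9 and 10, as an added example that is not the patent's code. The event stream stands in for the notifications delivered from the Xen kernel layer, and the two in-guest structures (a circular doubly linked process list and a PID table) are constructed dictionaries standing in for what a Libvmi traversal of guest memory would read; their field names (`flink`, `blink`, `pid`, `image`) and the addresses used as keys are assumptions for this illustration.

```python
"""Cross-view hidden process detection.

Trusted list:   maintained from process create/exit notifications, so it reflects
                what actually ran regardless of how the guest's own bookkeeping looks.
Untrusted lists: obtained by traversing guest data structures that record processes.
A process present in the trusted list but absent from a traversed view is hidden.
"""

def build_trusted_list(events):
    """Apply ("create", pid, image) / ("exit", pid) notifications in order."""
    trusted = {}
    for ev in events:
        if ev[0] == "create":
            trusted[ev[1]] = ev[2]
        elif ev[0] == "exit":
            trusted.pop(ev[1], None)
        else:
            raise ValueError(f"unknown event type {ev[0]!r}")
    return trusted

def traverse_active_list(entries, head):
    """Walk a circular doubly linked process list by following 'flink' from the head.

    The step bound guards against a corrupted or looping chain that never returns
    to the head; in that case the partial view is returned rather than hanging.
    """
    seen = {}
    cur = entries[head]["flink"]
    steps = 0
    while cur != head and steps < len(entries):
        entry = entries[cur]
        seen[entry["pid"]] = entry["image"]
        cur = entry["flink"]
        steps += 1
    return seen

def traverse_pid_table(pid_table):
    """Second untrusted view: every record reachable through the PID table."""
    return {pid: rec["image"] for pid, rec in pid_table.items()}

def find_hidden(trusted, untrusted_views):
    """Compare the trusted list against each untrusted view.

    Returns {pid: {"image": ..., "missing_from": [view names]}} for processes that
    ran (per the event stream) but are not visible in one or more traversed views.
    """
    hidden = {}
    for view_name, view in untrusted_views.items():
        for pid, image in trusted.items():
            if pid not in view:
                hidden.setdefault(pid, {"image": image, "missing_from": []})
                hidden[pid]["missing_from"].append(view_name)
    return hidden

# Constructed guest state. Addresses are arbitrary keys; 0x1000 is the list head.
# The record at 0x4000 still exists in memory and in the PID table, but no other
# record's 'flink' points to it, so a list walk never reaches it.
HEAD = 0x1000
ACTIVE_LIST = {
    0x1000: {"pid": None, "image": None,          "flink": 0x2000, "blink": 0x5000},
    0x2000: {"pid": 4,    "image": "System",      "flink": 0x3000, "blink": 0x1000},
    0x3000: {"pid": 600,  "image": "explorer.exe", "flink": 0x5000, "blink": 0x2000},
    0x4000: {"pid": 6666, "image": "dropper.exe", "flink": 0x5000, "blink": 0x3000},
    0x5000: {"pid": 800,  "image": "chrome.exe",  "flink": 0x1000, "blink": 0x3000},
}
PID_TABLE = {4: ACTIVE_LIST[0x2000], 600: ACTIVE_LIST[0x3000],
             6666: ACTIVE_LIST[0x4000], 800: ACTIVE_LIST[0x5000]}

# Constructed notification stream from the process behavior detection module.
EVENTS = [
    ("create", 4, "System"),
    ("create", 600, "explorer.exe"),
    ("create", 900, "notepad.exe"),
    ("exit", 900),                     # exited: must not appear in the trusted list
    ("create", 6666, "dropper.exe"),
    ("create", 800, "chrome.exe"),
]

def detect_hidden_processes(events=EVENTS, entries=ACTIVE_LIST, head=HEAD, pid_table=PID_TABLE):
    """Full check: build the trusted list, traverse both views, and compare."""
    trusted = build_trusted_list(events)
    views = {
        "active_list": traverse_active_list(entries, head),
        "pid_table": traverse_pid_table(pid_table),
    }
    return find_hidden(trusted, views)

if __name__ == "__main__":
    print(detect_hidden_processes())
```

Traversing more than one guest structure is what gives the "one or more untrusted process lists" in the claim their value: a process unlinked from one structure but still present in another is reported together with the name of the view it is missing from, which tells the analyst which bookkeeping the guest's kernel no longer agrees on.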
CN201510149761.8A 2015-03-31 2015-03-31 A kind of virtual machine malicious act detection method and system Active CN104715201B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510149761.8A CN104715201B (en) 2015-03-31 2015-03-31 A kind of virtual machine malicious act detection method and system

Publications (2)

Publication Number Publication Date
CN104715201A true CN104715201A (en) 2015-06-17
CN104715201B CN104715201B (en) 2018-02-27

Family

ID=53414519

Country Status (1)

Country Link
CN (1) CN104715201B (en)

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105468967A (en) * 2015-11-19 2016-04-06 国云科技股份有限公司 Xen-based hidden process detection method aiming at Linux virtual machine malicious code attack
CN105718303A (en) * 2016-01-20 2016-06-29 国家电网公司 Virtual machine anomaly detecting method, device and system
CN106059826A (en) * 2016-07-08 2016-10-26 中国电子科技集团公司电子科学研究院 Method and device for monitoring virtualization platform
CN106682496A (en) * 2016-12-06 2017-05-17 北京奇虎科技有限公司 Code injection attack detection method and device
CN106909436A (en) * 2015-12-23 2017-06-30 财团法人工业技术研究院 Produce the method and system of the dependency relation of virtual machine message queue application program
CN107463430A (en) * 2017-08-03 2017-12-12 哈尔滨工业大学 A kind of virutal machine memory dynamic management system and method based on internal memory and Swap spaces
CN107608752A (en) * 2016-07-12 2018-01-19 中国科学院信息工程研究所 The threat information response examined oneself based on virtual machine and method of disposal and system
CN107851153A (en) * 2015-07-14 2018-03-27 比特梵德知识产权管理有限公司 Use asynchronous abnormal computer safety system and the method for testing oneself
CN108270722A (en) * 2016-12-30 2018-07-10 阿里巴巴集团控股有限公司 A kind of attack detection method and device
CN109033839A (en) * 2018-08-10 2018-12-18 天津理工大学 A kind of malware detection method based on dynamic multiple features
CN109582437A (en) * 2018-10-29 2019-04-05 中国科学院信息工程研究所 A kind of the malicious process detection method and system of the perception of type based on memory
CN109597675A (en) * 2018-10-25 2019-04-09 中国科学院信息工程研究所 Virtual machine Malware behavioral value method and system
US10318731B2 (en) 2016-11-22 2019-06-11 Institute For Information Industry Detection system and detection method
CN110377518A (en) * 2019-07-17 2019-10-25 招商银行股份有限公司 Whole process scan method, device, equipment and readable storage medium storing program for executing
CN110519180A (en) * 2019-07-17 2019-11-29 华东计算技术研究所(中国电子科技集团公司第三十二研究所) Network card virtualization queue scheduling method and system
CN110941477A (en) * 2019-12-13 2020-03-31 紫光云(南京)数字技术有限公司 Xen platform-based virtual machine detection method
CN111444510A (en) * 2018-12-27 2020-07-24 北京奇虎科技有限公司 CPU vulnerability detection method and system based on virtual machine
CN112861129A (en) * 2021-01-28 2021-05-28 四川效率源信息安全技术股份有限公司 Method for detecting hidden malicious program process in Windows operating system
CN113946825A (en) * 2021-12-22 2022-01-18 北京微步在线科技有限公司 Memory horse processing method and system
CN113987498A (en) * 2021-11-05 2022-01-28 哈尔滨理工大学 Method for traversing user address space based on real-time response
CN114826706A (en) * 2022-04-13 2022-07-29 哈尔滨理工大学 Malicious flow detection method based on computer memory forensics technology
CN115481397B (en) * 2022-08-31 2023-06-06 中国人民解放军战略支援部队信息工程大学 Code injection attack evidence obtaining detection method and system based on memory structure reverse analysis

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1896903A (en) * 2005-07-15 2007-01-17 联想(北京)有限公司 Virtual-machine system for supporting trusted evaluation and method for realizing trusted evaluation
CN101770551A (en) * 2008-12-30 2010-07-07 中国科学院软件研究所 Method for processing hidden process based on hardware simulator
CN102521537A (en) * 2011-12-06 2012-06-27 北京航空航天大学 Detection method and device for hidden process based on virtual machine monitor
CN103065084A (en) * 2012-12-27 2013-04-24 武汉大学 Windows hidden process detection method performed at external machine of virtual machine
US20130238786A1 (en) * 2012-03-08 2013-09-12 Empire Technology Development Llc Secure migration of virtual machines
CN103617391A (en) * 2011-09-14 2014-03-05 北京奇虎科技有限公司 Method, device and virtual machine for detecting malicious programs

Also Published As

Publication number Publication date
CN104715201B (en) 2018-02-27

Similar Documents

Publication Publication Date Title
CN104715201A (en) Method and system for detecting malicious acts of virtual machine
Rastogi et al. Cimplifier: automatically debloating containers
Watson et al. CHERI: A hybrid capability-system architecture for scalable software compartmentalization
Bartel et al. Static analysis for extracting permission checks of a large scale framework: The challenges and solutions for analyzing android
Fu et al. Exterior: Using a dual-vm based external shell for guest-os introspection, configuration, and recovery
Jin et al. A VMM-based intrusion prevention system in cloud computing environment
US9825908B2 (en) System and method to monitor and manage imperfect or compromised software
Mysore et al. Understanding and visualizing full systems with data flow tomography
Park et al. {StreamBox-TZ}: Secure stream analytics at the edge with {TrustZone}
CN105184166A (en) Kernel-based Android application real-time behavior analysis method and system
Srivastava et al. Automatic discovery of parasitic malware
Fu et al. {HYPERSHELL}: A Practical Hypervisor Layer Guest {OS} Shell for Automated {In-VM} Management
CN103064784A (en) Memory leak detection method facing Xen environment during operation and implement system thereof
CN104715202A (en) Hidden process detecting method and hidden process detecting device in virtual machine
CN103886259A (en) Kernel-level rootkit detecting and processing method based on Xen virtualization environment
CN109597675A (en) Virtual machine Malware behavioral value method and system
Araujo et al. Compiler-instrumented, Dynamic {Secret-Redaction} of Legacy Processes for Attacker Deception
CN104732145A (en) Parasitic course detection method and device in virtual machine
Di Pietro et al. CloRExPa: Cloud resilience via execution path analysis
Inoue et al. Automatically bridging the semantic gap using C interpreter
Xing et al. OB‐IMA: out‐of‐the‐box integrity measurement approach for guest virtual machines
Krishnan et al. Trail of bytes: New techniques for supporting data provenance and limiting privacy breaches
Lin Toward guest OS writable virtual machine introspection
Laurén et al. Virtual machine introspection based cloud monitoring platform
Scull Pupo et al. Practical information flow control for web applications

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220727

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

TR01 Transfer of patent right