A Security Detection Framework Based on Virtual Machine Introspection

doi:10.3969/j.issn.1000-3428.2016.03.033

Abstract

Abstract:

In order to detect and stop malicious stream that is disguised as legitimate application stream,a security framework based on virtual machine introspection technique is proposed.It uses hardware events combined with virtual machine introspection and memory analysis,authorizes outgoing application stream only if the data is truly based on user intent,and detects the behavior of malware software running application protocols or injecting legal procedure to prevent malicious data stream.The viability of this framework is demonstrated by implementing it along with support for email client application Outlook Express,proving its ability on security monitoring for PC to ensure the legitimacy of the network stream.

Key words: virtual machine introspection, user intent, network data stream, hardware event, memory analysis

摘要：

为检测并阻止伪装成合法应用程序数据流的恶意网络流量,提出一种基于虚拟机自省技术的安全框架,将硬件事件监控、虚拟机自省和内存分析相结合,依照用户真实意图对输出的应用程序数据流进行授权,以检测恶意软件正常运行应用程序协议或注入合法程序的行为,并阻止恶意数据流的发送。在邮件客户端Outlook Express上的实验结果验证了该框架的有效性,并通过性能评测表明其可用于个人计算机实施安全检测,以确保网络流量的合法性。

关键词: 虚拟机自省, 用户意图, 网络数据流, 硬件事件, 内存分析

CLC Number:

TP316.4

LIU Zheyuan,XU Jun,WANG Xing,GAO Hui. A Security Detection Framework Based on Virtual Machine Introspection[J]. Computer Engineering, doi: 10.3969/j.issn.1000-3428.2016.03.033.

刘哲元,徐隽,汪兴,高辉. 一种基于虚拟机自省的安全检测框架[J]. 计算机工程, doi: 10.3969/j.issn.1000-3428.2016.03.033.

/ / Recommend / Download Citations

URL: http://www.ecice06.com/EN/10.3969/j.issn.1000-3428.2016.03.033

http://www.ecice06.com/EN/Y2016/V42/I3/182

References

参考文献［1］Cui W,Katz R H,Tan Waitian.Design and Implementation of an Extrusionbased Breakin Detector for Personal Computers［C］//Proceedings of the 21st Annual Computer Security Applications Conference.Washington D.C.,USA:IEEE Press,2005:110. ［2］Gummadi R,Balakrishnan H,Maniatis P.et al.NotaBot(NAB):Improving Service Availability in the Face of Botnet Attacks［C］//Proceedings of the 6th USENIX Symposium on Networked Systems Design and Implementation.New York,USA:ACM Press,2009:207220. ［3］Gu G,Porras P,Yegneswaran V,et al.BotHunter:Detecting Malware Infection through IDSdriven Dialog Correlation［C］//Proceedings of the 16th USENIX Security Symposium.Berkeley,USA:USENIX Association,2007:1220. ［4］Gu G,Perdisci R,Zhang J,et al.BotMiner:Clustering Analysis of Network Traffic for Protocol and Structureindependent Botnet Detection［C］//Proceedings of the 17th Conference on Security Symposium.Berkeley,USA:USENIX Association,2008:139154. ［5］Garfinkel T,Rosenblum M.A Virtual Machine Introspection based Architecture for Intrusion Detection［C］//Proceedings of Network and Distributed Systems Security Symposium.Washington D.C.,USA:IEEE Press,2003. ［6］Smith S W.Trusted Computing Platform:Design and Applications［M］.Berlin,Germany:Springer,2004. ［7］刘哲元,慕德俊.安全虚拟环境中的进程执行精确监控［J］.西安电子科技大学学报,2012,39(6):181186. ［8］Baliga A,Iftode L,Chen X.Automated Containment of Rootkit Attacks［J］.Computer & Security,2008,27(7):323334. ［9］Payne B D,Sailer R,Perez R,et al.A Layered Approach to Simplified Access Control in Virtualized Systems［J］.ACM SIGOPS Operating Systems Review,2007,41(4):1219. ［10］Wine H Q.Run Windows Applications on Linux,BSD and Mac OS X［EB/OL］.［20141218］.http://www.winehq.org. ［11］Squid:Optimising Web Delivery［EB/OL］.［20141218］.http://www.squidcac.he.org. ［12］Purcell K.Technology’s Impact on Workers［EB/OL］.［20141218］.http://www.pewinternet.org/files/2014/12/PI_Web25WorkTech_12.30.141.pdf. ［13］Sleator D D,Tarjan R E.Selfadjusting Binary Search Trees［J］.Journal of the ACM,1985,32(3):652686. ［14］Smith R.An Overview of the Tesseract OCR Engine［C］//Proceedings of the 9th International Conference on Document Analysis and Recognition.Washington D.C.,USA:IEEE Press,2007:629633. ［15］Levenshtein V I.Binary Codes Capable of Correcting Deletions,Insertions and Reversals［J］.Soviet Physics Doklady,1966,10(8):707710. ［16］Prox SMTP:An SMTP Filter［EB/OL］.［20141218］.http://memberwebs.com/stef/software/ proxsmtp. ［17］Resnick P.Internet Message Format［Z］.2010. ［18］Freed N,Borenstein N.MIMEPart One:Format of Internet Message Bodies［Z］.1996. ［19］Shneiderman B.Designing the User Interface:Strategies for Effective Humancomputer Interaction［M］.Upper Saddle River,USA:AddisonWesley Professional,1998. ［20］Colp P,Matthews C,Aiello B,et al.VM Snapshots［EB/OL］.［20141218］.https://cwiki.apache.org/confluence/display/cloudstack/vm+snapshots. 编辑陆燕菲

[1]	GAO Yongbing, LI Yuxuan, GAO Juntian, MA Zhanfei. Research on Weibo Text Generation Technology Based on User Intention [J]. Computer Engineering, 2022, 48(1): 119-126.
[2]	QIAN Qin,DONG Bu-yun,TANG Zhe,FU Xiao,MAO Bing. Study of Memory Forensics Technology Oriented to Windows Operating System [J]. Computer Engineering, 2014, 40(8): 310-.
[3]	CAO Sihua; HE Hongjun;. Improved BLP Model Based on User Intension [J]. Computer Engineering, 2006, 32(23): 171-173.

Please choose a citation manager

Content to export