CN102147843A - Rootkit intrusion detection and system recovery method based on inner core invariant protection - Google Patents


Info

Publication number: CN102147843A
Authority: CN (China)
Prior art keywords: snapshot, module, kernel, disk, monitoring
Legal status: Pending
Application number: CN 201110124261
Other languages: Chinese (zh)
Inventors: 邓凌志, 陈浩, 孙建华
Current assignee: Hunan University
Original assignee: Hunan University
Priority date: 2011-05-16
Filing date: 2011-05-16
Publication date: 2011-08-10
Application filed by Hunan University; priority to CN 201110124261; published as CN102147843A.

Landscapes

  • Storage Device Security (AREA)

Abstract

Kernel-level rootkit intrusions are very difficult to identify, and a computer system is difficult to restore once it has been intruded. To address these problems, the invention provides a rootkit intrusion detection and system recovery method based on protecting the kernel invariants of the operating system's data structures. The method uses a Xen virtual machine as its implementation platform and uses the kernel invariants of the operating system's data structures as the system signature by which rootkit intrusions are detected; a virtual machine system snapshot rollback technique is then used to securely restore the intruded system.

Description

A rootkit intrusion detection and system recovery method based on kernel invariant protection
Technical field
The invention belongs to the field of computer system security; specifically, it performs intrusion detection and system disaster recovery against kernel-level rootkit intrusion behaviour.
Background art
A rootkit is the set of tools an intruder uses to hide traces of itself and to retain access rights. A kernel-level rootkit achieves its malicious purpose by modifying the kernel code and data of the operating system, so that the operating system itself can no longer be trusted, which creates a serious security hazard. Compared with a user-level rootkit, a kernel-level rootkit is more destructive, better concealed, technically more demanding and harder to defend against. In recent years, research on intrusion detection and system recovery against kernel-level rootkits has attracted wide attention from researchers at home and abroad, and the corresponding countermeasures are becoming more numerous.
Intrusion detection, as the name suggests, is the detection of intrusion behaviour. By collecting information at certain key points in a computer network or computer system and analysing it, it finds out whether the network or system contains behaviour that violates the security policy or signs that it has been attacked. With the rapid development of kernel-level rootkit techniques, detecting kernel-level rootkit intrusions has become very difficult and is a cutting-edge topic in the security field. The newest kernel-level rootkits achieve their malicious purpose by modifying dynamic, non-control data structures inside the operating system kernel. For this class of newest, still undetected kernel-level rootkit intrusion, tools that simply scan for malware signatures or verify against abnormal behaviour cannot detect the intrusion well, so a new technique is needed to remedy this deficiency. This gives rise to the first technical point of the present invention: intrusion detection on a virtualization platform based on protecting the invariants of operating system kernel data structures.
The complexity of computer systems means that system vulnerabilities emerge endlessly; moreover, the rapid development of intrusion techniques makes building a sufficiently secure and reliable computer system an illusion. Faced with an intruded computer system, a technique is needed that can restore the reliability and availability of the system from this disaster. System recovery is just such an effective means of improving the security and availability of a computer system. For malware intrusions specifically, system recovery techniques rely on redundant resources: through a sound hardware and software architecture, under effective management by the system software, they use methods such as intrusion detection, isolation and disaster recovery to block, reduce and eliminate the effect of the intrusion on the computer system. Based on this idea, the second technical point of the present invention is intrusion recovery on a virtualization platform based on high-performance system snapshot rollback.
Summary of the invention
The present invention addresses the situation that existing intrusion detection and recovery techniques cannot fully defend against the newest kernel-level rootkit intrusions, and proposes a kernel-level rootkit intrusion detection and system recovery method on a virtualization platform based on protecting the invariants of operating system data structures.
The intrusion detection and system recovery system provided by the invention is characterised in that it combines virtualization technology, a detection technique based on operating system kernel data structure invariants and a system snapshot recovery technique, using the Xen virtual machine as the platform for detecting kernel-level rootkit intrusions and recovering the system.
Currently the scale of computing resources keeps expanding, processing power grows rapidly, the kinds of resources become ever more abundant, and application demands are varied and flexible. Virtualization technology can dynamically organize multiple computing resources and realize a transparent, scalable computing system architecture, so that computing environments satisfying many kinds of application can be built flexibly and the utilization of computing resources improved. The present invention builds the intrusion detection and recovery system on the Xen virtual machine as its platform; this not only lets virtualization technology fully capture the details of the system, but also suits practical use of the system in the many environments where virtualization is widely deployed.
System-level virtualization inserts a layer of virtual machine monitor software between the hardware and the software; it partitions and abstracts the hardware resources, provides several virtual computing environments for the software systems above it, and supports several independently and concurrently executing virtual machines, also called guest operating systems. Xen is an open-source virtual machine monitor for the x86 architecture, designed and developed by researchers at the University of Cambridge. Xen virtualizes the hardware system using paravirtualization, and its elegant paravirtualized design lets a guest operating system running on it achieve performance close to that of running on bare metal. An operating system running on Xen is called a domain; domains are divided into the privileged domain (Dom0) and unprivileged domains (DomU). Dom0 is created as Xen's assistant when Xen starts; it is the first domain running on Xen, is responsible for assisting the Xen hypervisor in managing the virtual machines, and can authorize device access for other domains. DomU refers to any domain other than Dom0; compared with Dom0, a DomU is subject to many restrictions, the most important being that access to hardware devices requires authorization by Dom0. Building the intrusion detection and recovery system on Xen reduces the loss of system performance, and the introspection mechanism Xen provides makes the whole system transparent to the guest being monitored.
The kernel-level rootkit intrusion detection system is based on protecting the invariants of operating system kernel data structures, which differs from detection systems based on scanning for malware signatures or on verifying abnormal behaviour. Intrusion detection based on malware signature scanning requires analysing the malware itself in advance, so some of the newest, unknown malicious intrusions cannot be detected; intrusion detection based on abnormal-behaviour verification usually finds a rootkit by searching for hidden elements that represent its main behaviour, and since such behaviour is poorly defined, it easily produces false positives and false negatives. An operating system kernel data structure invariant never changes while the whole system runs, and it is used as the operating system signature from which the intrusion detection system is built.
Intrusion recovery is based on virtual machine system snapshot restoration, which differs from the early approach of wiping and resetting the whole system and also from checkpoint recovery techniques. Virtual machine system snapshot restoration is applied to virtual machine technology; its implementation can be customized and deployed in a virtualized environment. The present invention adopts an incremental system snapshot technique and implements intrusion recovery by combining redirection and copy-on-write techniques.
Description of drawings
Fig. 1: framework diagram of the intrusion detection and recovery system.
Fig. 2: framework diagram of the monitoring module.
Fig. 3: design of the memory snapshot on the virtual machine.
Fig. 4: design of the disk snapshot on the virtual machine.
Specific implementation process
The present invention is described in further detail below with reference to the accompanying drawings:
As shown in Figure 1, at the level of the overall framework the whole system is divided into two parts: the intrusion detection module and the intrusion recovery module. In the overall virtual machine deployment, intrusion detection module 1 sits in the user layer of Dom0 and performs intrusion detection against kernel rootkits in DomU; intrusion recovery introduces virtual machine system snapshot restoration, and the intrusion recovery module is in turn made up of CPU state snapshot module 21, memory snapshot module 22, disk snapshot module 23 and snapshot file module 24. The implementation of the whole system spans the user layer and system layer of the privileged domain and the virtual machine monitor, and is responsible for restoring the availability and reliability of the system after DomU has been compromised.
Direct Kernel Object Manipulation (DKOM) is commonly used by kernel-level rootkits to hide their own traces. At present, detection of this kind of rootkit mostly scans kernel memory with malware signatures derived by manual analysis. These manually produced malware signatures, however, suffer from poor robustness and weak targeting, so existing kernel-level rootkits can easily evade them. The kernel data structure invariant was proposed against exactly this background. While the operating system runs, the kernel maintains thousands of kernel data structures of various kinds, and there are complex relationships among them. An operating system kernel data structure invariant is a data structure whose value never changes while the system runs, or a fixed logical relationship between data structures: for example, the entries of the system call table never change, which is a system invariant; in process management, the logical relationship that every element of the runqueue list is always contained in the all-tasks list likewise represents a system invariant. For a concrete kernel rootkit attack, a corresponding concrete kernel data structure invariant can be derived, as shown in Table 1. Once such an invariant relationship is determined, it will not change while the whole operating system runs. The present invention protects operating system kernel data structure invariants using the virtual machine introspection mechanism, and thereby detects kernel rootkit intrusions.
Table 1: kernel rootkit intrusion behaviours and their corresponding kernel data structure invariant relationships
[Table 1 is provided as an image in the original patent and its contents are not reproduced on this page.]
Virtualization shields the hardware details and provides the upper layers with an abstract hardware interface, removing the dependency between operating system and hardware; by partitioning the hardware resources it lets multiple systems use the system resources at the same time, which improves resource utilization; at the same time the virtual machine monitor monitors and isolates the behaviour of the virtual machines, which helps build a secure and reliable computing environment; and because the virtual machine monitor controls the underlying resources, it can capture and monitor the running state of the privileged domain or of unprivileged guests, which makes virtual machine management convenient. Memory introspection is precisely such a guest-state monitoring function provided by the virtual machine. Virtual machine memory introspection means the process by which one virtual machine inspects the memory of another virtual machine. Memory introspection has a wide range of applications, because it lets you stand in a protected domain and monitor (read memory contents) and control (write memory contents) another operating system. The libxc (Xen Control Library) library is the C library shipped with Xen; by wrapping the IOCTL interfaces provided by /proc/xen/privcmd, /dev/xen/evtchn and /dev/xen/gntdev in Dom0, it provides some simple, easy-to-use APIs that let user programs communicate easily with the virtual machine monitor, and thereby introspect the whole memory and monitor the whole disk easily. The XenAccess library wraps libxc and provides a more convenient ability to introspect memory and monitor disks directly than libxc does. Using the capabilities of the XenAccess library, software on one virtual machine can access the memory space of another virtual machine. The XenAccess library sits at a higher layer of the system than libxc, and can access the kernel memory addresses of a target object by kernel symbol, virtual address or physical address.
As shown in Figure 2, the intrusion detection system consists of monitoring policy library 11 and monitoring module 12; monitoring comprises virtual machine memory introspection 121 and disk monitoring 122, implemented by means of the introspection mechanism of the XenAccess library. Summarizing the operating system kernel data structure invariants in Table 1, these invariant relationships fall mainly into two classes: constant-value relationships and membership relationships. Policy library 11 is responsible for formulating detailed detection policies for concrete invariants, and monitoring module 12 reads the policies from the policy library and carries out the concrete intrusion detection. Concrete examples of detecting the two classes of invariant relationship are analysed below. Take entropy pool pollution: its invariant relationship is a constant-equality relationship. From the addresses of kernel symbols provided by System.map the address of the related data structure can be found; from the data structure layout given by the kernel source code, the introspection mechanism of the XenAccess library can read the corresponding value of that data structure from the guest system and compare it with the saved original value, and so judge whether the corresponding invariant relationship has been broken. All constant-value invariant relationships can be monitored by this method. A kernel-level rootkit hides a process by unlinking its descriptor, which breaks the relationship with the runqueue. To manage processes, the Linux kernel uses the process descriptor structure (task_struct) to describe clearly what each process does. The Linux kernel maintains a doubly linked list that links the descriptors of all processes, which we call the all-tasks list. Through this structure the kernel can, whenever it needs to, traverse all processes and locate them precisely. The init_task structure is the head of this doubly linked list. In addition, each CPU in the system has its own runqueue, and all runqueue structures are stored in the per-CPU variable runqueues. The macro this_rq() yields the address of the local CPU's runqueue. Therefore every runnable process must be one of the processes in the system, and in process management the logical relationship that every element of the runqueue list is always contained in the all-tasks list represents a system invariant. A kernel rootkit breaks this invariant relationship in order to hide a process. Using the addresses of global variables in kernel memory provided by System.map and the introspection capability provided by the XenAccess library, both the runqueue and the all-tasks list can be traversed; by monitoring whether the relationship runqueue ∈ all-tasks has been broken, one can detect whether a corresponding kernel rootkit intrusion is present.
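The two invariant classes above (a constant-value check on the system call table and the membership check runqueue ∈ all-tasks), as an added example that is not the patent's code: the guest memory is a constructed flat image standing in for what XenAccess would read from DomU, and the task_struct layout, addresses and symbol table are all assumptions made for the example.

```python
import hashlib
import struct

# Constructed task_struct layout (assumption): pid u64 at +0, tasks list_head
# (next, prev) at +8/+16, run_list list_head (next, prev) at +24/+32.
TASK_SIZE = 40
OFF_PID, OFF_TASKS, OFF_RUNLIST = 0, 8, 24


class GuestMemory:
    """Stand-in for the introspection library: reads DomU memory by address."""

    def __init__(self, base, size):
        self.base, self.image = base, bytearray(size)

    def read(self, addr, length):
        off = addr - self.base
        if off < 0 or off + length > len(self.image):
            raise ValueError("address 0x%x outside the image" % addr)
        return bytes(self.image[off:off + length])

    def read_u64(self, addr):
        return struct.unpack("<Q", self.read(addr, 8))[0]

    def write_u64(self, addr, value):
        struct.pack_into("<Q", self.image, addr - self.base, value)


def walk_list(mem, head, field_off):
    """Follow list_head.next from head back to head; return container addresses."""
    containers, ptr = [], mem.read_u64(head)
    while ptr != head:
        if len(containers) >= 1 << 16:          # give up on a looped or corrupt list
            raise RuntimeError("list at 0x%x does not terminate" % head)
        containers.append(ptr - field_off)
        ptr = mem.read_u64(ptr)
    return containers


def check_membership(mem, init_task, rq_head):
    """runqueue ∈ all-tasks: pids found on the runqueue but not in all-tasks."""
    all_tasks = {init_task} | set(walk_list(mem, init_task + OFF_TASKS, OFF_TASKS))
    runnable = walk_list(mem, rq_head, OFF_RUNLIST)
    return sorted(mem.read_u64(t + OFF_PID) for t in runnable if t not in all_tasks)


def check_constant(mem, addr, length, baseline_digest):
    """Constant-value invariant: the region must still hash to the saved baseline."""
    return hashlib.sha256(mem.read(addr, length)).hexdigest() == baseline_digest


def link_circular(mem, nodes):
    """Write next/prev so the list_heads in nodes form a circular doubly linked list."""
    for i, node in enumerate(nodes):
        mem.write_u64(node, nodes[(i + 1) % len(nodes)])       # next
        mem.write_u64(node + 8, nodes[(i - 1) % len(nodes)])   # prev


def build_guest(base=0xFFFF880000100000):
    """Constructed guest: init_task plus pids 1..3 (2 and 3 runnable), 4 syscalls."""
    mem = GuestMemory(base, 0x2000)
    tasks = [base + i * TASK_SIZE for i in range(4)]           # pid i lives at tasks[i]
    rq_head = base + 4 * TASK_SIZE                             # standalone list_head
    syscall_table = base + 0x1000
    for pid, t in enumerate(tasks):
        mem.write_u64(t + OFF_PID, pid)
    link_circular(mem, [t + OFF_TASKS for t in tasks])                     # all-tasks
    link_circular(mem, [rq_head] + [t + OFF_RUNLIST for t in tasks[2:]])   # runqueue
    for i in range(4):                                         # fake handler addresses
        mem.write_u64(syscall_table + 8 * i, 0xFFFFFFFF81000000 + 0x100 * i)
    return mem, {"init_task": tasks[0], "runqueues": rq_head, "sys_call_table": syscall_table}


def unlink_from_all_tasks(mem, task):
    """Constructed tampering used only to exercise the detector: drop task from
    all-tasks while its run_list entry stays, which is what the invariant catches."""
    nxt, prv = mem.read_u64(task + OFF_TASKS), mem.read_u64(task + OFF_TASKS + 8)
    mem.write_u64(prv, nxt)        # prev.next = next
    mem.write_u64(nxt + 8, prv)    # next.prev = prev


def run_policies(mem, symbols, baseline):
    """Monitoring module: evaluate the policy library's two invariant classes."""
    alerts = []
    if not check_constant(mem, symbols["sys_call_table"], 32, baseline):
        alerts.append("sys_call_table modified")
    hidden = check_membership(mem, symbols["init_task"], symbols["runqueues"])
    if hidden:
        alerts.append("runnable pids missing from all-tasks: %s" % hidden)
    return alerts


def demo():
    mem, syms = build_guest()
    baseline = hashlib.sha256(mem.read(syms["sys_call_table"], 32)).hexdigest()
    before = run_policies(mem, syms, baseline)                        # clean guest: []
    unlink_from_all_tasks(mem, syms["init_task"] + 3 * TASK_SIZE)     # hide pid 3
    mem.write_u64(syms["sys_call_table"], 0xDEAD0000)                 # overwrite entry 0
    return before, run_policies(mem, syms, baseline)
```

Walking both lists from the outside, as the detector does, is what makes the unlinked descriptor visible: it is gone from all-tasks but still reachable from the runqueue head.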
The present invention seeks to realize high-performance system snapshots by combining copy-on-write, redirection and incremental system snapshot techniques, so as to achieve high-performance system recovery. A guest's system snapshot comprises three parts: the register contents, the memory snapshot and the disk snapshot.
In the snapshot processing stage, every time a snapshot is saved the state of the virtual machine must be examined and its state information recorded. The information to record includes the processor operating level, the instruction pointer, exceptions and interrupts, and the register contents; in addition, because the CPU state is entirely virtualized, the timing information of the VCPU must also be recorded. In the Xen virtual machine there is a data structure called the shared info page. The shared info page collects information related to global state, mainly information about the VCPUs and the virtual machine state, including VCPU state information, clock information and event channel (virtual interrupt) state information. Therefore, during snapshot generation, only the contents of the shared info page need be recorded to capture the whole state of the virtual machine apart from memory and external devices. The shared info page is defined by a structure and occupies the size of one page (4KB) in memory. The start_info page data structure holds a shared_info field that stores the machine physical address of the shared info page. While the virtual machine runs, the shared info page can be accessed by both Xen and the guest operating system. Because the shared info page lies within Xen's control, when a snapshot is generated it suffices to allocate a 4KB space and save the contents of this shared info page.
The simple memory snapshot implementation saves the contents of the whole memory in every snapshot. Considering that memory is now large and the modifications between two snapshots may not be especially many, the present invention, as shown in Figure 3, introduces copy-on-write to implement an incremental memory snapshot. When the memory snapshot is generated for the first time, the contents of all pages allocated to the guest are saved to memory snapshot file 241. While the guest runs, a memory monitoring bitmap 221 is maintained that records which pages have been modified. Whenever a memory page is modified during system operation, the bit corresponding to that page is set to 1 in the bitmap, and the modified page and its contents are recorded at the same time. When a new memory snapshot is generated, only the memory modifications (marked in the bitmap while the guest ran) need be examined; recording daemon 222 is responsible for overwriting the corresponding pages in the system snapshot with the contents of the modified pages. After the memory snapshot is generated, the bitmap used to hold the page state can be reinitialized (cleared to 0). Using the paging mechanism, Xen guarantees effective memory isolation between domains. Xen must ensure that no two unprivileged domains can access the same memory; to this end, every update of a page table or page directory must be confirmed by Xen, so that each domain can only control its own page tables. The bitmap is therefore implemented in the Xen management layer, where the monitoring purpose can be achieved. Saving page contents is implemented by means of the XenAccess library. In short, the memory snapshot implementation can be summarized as follows: standing at the bottom of the virtual machine, in the virtual machine monitor, monitor write operations to memory; whenever a write to memory is recorded, mark the bitmap bit corresponding to that memory and maintain a private copy of the written data by copy-on-write (COW), i.e. the COW image; when a new snapshot is generated, it suffices to synchronize the COW image. This method seeks to avoid the performance loss caused by copying unmodified pages at every snapshot.
A guest virtual machine's accesses to external storage are proxied through the front-end and back-end drivers located in the privileged domain, so the front-end and back-end drivers are the ideal place to redirect writes to external storage. The driver allocates a pending-req for each request, and from the pending-req structure we can obtain the disk data address and the operation type of the requested access. As shown in Figure 4, a disk monitoring bitmap 231 is maintained in the driver, each bit of which represents the update status of one disk block. When an intercepted pending-req request is a write, the corresponding bit in the bitmap is marked, and write redirection module 232 is then responsible for allocating a new disk block to hold the new contents and storing the new and old disk block numbers of the block as a pair. When a new reliable system snapshot is generated from an old one, only the mapping table needs to be modified; the actual contents of the modified data blocks do not need to be copied again.
When a kernel-level rootkit intrusion is detected, the system starts the snapshot restore function. While the whole Xen system runs, the position of the shared info page in machine memory is constant. After a guest completes recovery or migration, this constant machine physical address lets the guest conveniently find the shared info page and remap it into its own address space. This also makes the snapshot recovery action convenient: with the system suspended, the contents of the shared_info structure recorded in the snapshot replace the corresponding part of the shared memory page that the original target guest and the Xen hypervisor share. When the guest resumes from the suspended state it has to map the shared info page into its own address space, so the modified shared info page takes effect. At the same time, the page contents recorded in the snapshot overwrite the kernel memory contents of the system by means of the XenAccess library. The disk block mapping table is adjusted and rolled back to the old disk block mappings from before the modifications, and the system is run again, so that the state of the whole guest system is restored to a healthy savepoint state. At this point the snapshot restore of the whole system is complete. By introducing copy-on-write for the memory snapshot and redirection for the disk snapshot, treating part of the original disk contents as part of the snapshot itself, and generating new system snapshots in an incremental form, the invention seeks to reduce the loss of system performance caused by intrusion recovery. The services running on the guest are not interrupted during the whole snapshot restore process, so the process is transparent to the user on the guest.
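The incremental snapshot and rollback described in the preceding paragraphs (dirty bitmap plus copy-on-write for memory pages, write redirection with a logical-to-physical mapping table for disk blocks, and the 4KB shared_info page standing in for VCPU state), as an added example that is not the patent's code: the guest, its page and block sizes and the module names in the comments are all assumptions made for the example.

```python
# Constructed model of one guest as seen by the snapshot modules. Whole-page and
# whole-block writes are assumed, so a redirected block needs no copy of the old one.
PAGE = 4096


class Snapshot:
    """What snapshot file module 24 would hold for one snapshot."""

    def __init__(self, shared_info, pages, block_map):
        self.shared_info = bytes(shared_info)   # VCPU state page (module 21)
        self.pages = pages                      # page index -> bytes (module 22)
        self.block_map = dict(block_map)        # logical -> physical block (module 23)


class Guest:
    def __init__(self, n_pages, n_blocks):
        self.shared_info = bytearray(PAGE)
        self.memory = [bytearray(PAGE) for _ in range(n_pages)]
        self.mem_bitmap = [False] * n_pages                 # memory monitoring bitmap 221
        self.disk = [bytes(PAGE) for _ in range(n_blocks)]  # physical blocks
        self.block_map = {b: b for b in range(n_blocks)}    # logical -> physical
        self.disk_bitmap = [False] * n_blocks               # disk monitoring bitmap 231
        self.redirects = {}                                 # logical -> (new, old) pair
        self.last = None                                    # most recent Snapshot

    def write_page(self, idx, data):
        """Write hook in the VMM: the page is written and its bitmap bit is set."""
        self.memory[idx][:] = data.ljust(PAGE, b"\0")
        self.mem_bitmap[idx] = True

    def write_block(self, lbn, data):
        """Back-end driver hook (module 232): the first write to a block since the
        last snapshot goes to a freshly allocated physical block; the old one is kept."""
        if not self.disk_bitmap[lbn]:
            old = self.block_map[lbn]
            self.disk.append(b"")                           # allocate a new block
            new = len(self.disk) - 1
            self.redirects[lbn] = (new, old)                # store the new/old pair
            self.block_map[lbn] = new
            self.disk_bitmap[lbn] = True
        self.disk[self.block_map[lbn]] = data.ljust(PAGE, b"\0")

    def read_page(self, idx):
        return bytes(self.memory[idx]).rstrip(b"\0")

    def read_block(self, lbn):
        return self.disk[self.block_map[lbn]].rstrip(b"\0")

    def _clear_bitmaps(self):
        self.mem_bitmap = [False] * len(self.memory)        # cleared to 0 after a snapshot
        self.disk_bitmap = [False] * len(self.block_map)
        self.redirects = {}

    def take_snapshot(self):
        """Return (snapshot, pages_copied). Only pages whose bit is set are copied
        (recording daemon 222); the rest are shared with the previous snapshot."""
        pages = dict(self.last.pages) if self.last else {}
        dirty = [i for i, d in enumerate(self.mem_bitmap) if d or self.last is None]
        for i in dirty:
            pages[i] = bytes(self.memory[i])
        self.last = Snapshot(self.shared_info, pages, self.block_map)  # table copied, not blocks
        self._clear_bitmaps()
        return self.last, len(dirty)

    def rollback(self, snap):
        """With the guest suspended: put back the saved shared_info page, overwrite
        kernel memory from the saved pages and reset the mapping table to the old
        block numbers. Redirected writes left the old blocks intact, so no data moves."""
        self.shared_info[:] = snap.shared_info
        for i, page in snap.pages.items():
            self.memory[i][:] = page
        self.block_map = dict(snap.block_map)
        self.last = snap
        self._clear_bitmaps()


def demo():
    g = Guest(n_pages=4, n_blocks=4)
    for i in range(4):
        g.write_page(i, b"page%d-v1" % i)
        g.write_block(i, b"block%d-v1" % i)
    g.shared_info[:8] = b"vcpu-ok!"
    _, copied0 = g.take_snapshot()          # first snapshot copies all 4 pages
    g.write_page(1, b"page1-v2")
    g.write_block(2, b"block2-v2")
    g.write_block(2, b"block2-v3")          # second write reuses the redirected block
    good, copied1 = g.take_snapshot()       # incremental: only page 1 is copied
    g.write_page(0, b"page0-tampered")      # changes made after the good snapshot
    g.write_block(0, b"block0-tampered")
    g.shared_info[:8] = b"vcpu-bad"
    g.rollback(good)
    return {"copied": (copied0, copied1), "page0": g.read_page(0),
            "page1": g.read_page(1), "block0": g.read_block(0),
            "block2": g.read_block(2), "shared_info": bytes(g.shared_info[:8]),
            "physical_blocks": len(g.disk)}
```

Note that rollback never touches block data: every write after the good snapshot went to a new physical block, so restoring the mapping table is enough to make the old contents visible again.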

Claims (3)

1. A kernel rootkit intrusion detection and system recovery method based on protecting operating system data structure invariants, characterised in that the method comprises an intrusion detection technique and a system recovery technique.
Intrusion detection module (1) builds intrusion detection based on protecting operating system kernel data structure invariants on the Xen virtualization platform. The intrusion detection system consists of monitoring policy library (11) and monitoring module (12).
Policy library (11) is responsible for analysing the behaviour taken by typical kernel rootkit intrusions, extracting the corresponding kernel invariants for them, and formulating detailed detection policies for the concrete invariants;
Monitoring module (12) reads the policies from policy library (11) and carries out the concrete intrusion detection. Monitoring (12) comprises virtual machine memory introspection (121) and disk monitoring (122), implemented by means of the introspection mechanism of the XenAccess library, which are responsible for monitoring guest memory and the guest disk respectively.
A guest's system snapshot comprises three parts: the CPU state, the memory snapshot and the disk snapshot. System recovery consists of CPU state module (21), memory snapshot module (22), disk snapshot module (23) and snapshot file module (24). Together these modules are responsible for generating a guest system snapshot.
CPU state module (21) is responsible for recording all states of the guest VCPUs each time a snapshot is generated and storing them in snapshot file (24), and in the snapshot restore stage for taking the corresponding VCPU contents out of the snapshot file and overwriting the original contents in the kernel with them;
Memory snapshot module (22) in turn consists of memory monitoring bitmap module (221), recording daemon (222) and memory snapshot file (241). Memory monitoring bitmap module (221) is responsible for monitoring write operations to guest kernel memory between two snapshots; recording daemon (222) is responsible for recording the contents of changed pages; at the moment of snapshot generation, memory snapshot module (22) is responsible for overwriting the initially saved memory snapshot with the modified page contents recorded by recording daemon (222) so as to update the snapshot contents, and for restoring the kernel memory contents during snapshot restore;
Disk snapshot module (23) consists of disk monitoring bitmap module (231) and write redirection module (232). Disk monitoring bitmap module (231) is responsible for monitoring write operations to guest disk blocks; write redirection module (232) is responsible for allocating a new disk block to hold the new contents and storing the corresponding new and old disk block numbers as a pair. Disk snapshot module (23) updates the mapping table when a snapshot is generated in order to produce a new disk snapshot, and likewise adjusts the mapping table in the snapshot restore stage so that the guest system recovers the state of its disk blocks.
2. The intrusion detection and intrusion recovery method as claimed in claim 1, characterised in that typical operating system kernel data structure invariants are extracted as the system signature instead of adopting malware signatures, and in that the method is applicable to a virtualization platform, using the introspection and management mechanisms of virtualization technology to perform intrusion detection and system recovery against kernel rootkits, seeking to eliminate to the greatest extent the security hazards of computer systems in a network environment while remaining transparent to all application programs.
3. The intrusion detection and intrusion recovery method as claimed in claim 1 or 2, characterised in that:
(1) The whole method is implemented with the Xen virtual machine as its platform; given the widespread deployment of the Xen virtual machine in practical applications, the method has great application potential.
(2) Concrete kernel rootkit intrusion behaviours are analysed and the corresponding operating system kernel data structure invariants extracted; the virtual machine introspection mechanism is used to ensure that the invariant relationships are not altered, discovering intrusion behaviour promptly while remaining transparent to upper-layer applications.
(3) According to the monitoring results of the detection module, combined with the virtual machine system snapshot rollback technique, an intruded system can be recovered promptly; the system is secure and reliable after recovery, and the whole recovery process is transparent to upper-layer applications. The system snapshot technique is implemented on the virtualization platform in combination with copy-on-write and redirection techniques.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201110124261 CN102147843A (en) 2011-05-16 2011-05-16 Rootkit intrusion detection and system recovery method based on inner core invariant protection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201110124261 CN102147843A (en) 2011-05-16 2011-05-16 Rootkit intrusion detection and system recovery method based on inner core invariant protection

Publications (1)

Publication Number Publication Date
CN102147843A true CN102147843A (en) 2011-08-10

Family

ID=44422106

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201110124261 Pending CN102147843A (en) 2011-05-16 2011-05-16 Rootkit intrusion detection and system recovery method based on inner core invariant protection

Country Status (1)

Country Link
CN (1) CN102147843A (en)

Cited By (21)

* Cited by examiner, † Cited by third party

| Publication number | | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|---|
| CN102375957A (en) | * | 2011-11-10 | 2012-03-14 | 西安电子科技大学 | Defense method for kernel-level return-oriented rootkits |
| CN102520881A (en) | * | 2011-12-02 | 2012-06-27 | 中标软件有限公司 | Virtual machine snapshot management method and system of cloud computing platform |
| CN102662830A (en) | * | 2012-03-20 | 2012-09-12 | 湖南大学 | Code reuse attack detection system based on dynamic binary translation framework |
| CN102821094A (en) | * | 2012-07-09 | 2012-12-12 | 深圳市深信服电子科技有限公司 | Method and system for secure data processing in virtual desktop |
| CN103077351A (en) | * | 2012-12-20 | 2013-05-01 | 北京奇虎科技有限公司 | Anti-detection system of virtual machine system |
| CN103150508A (en) | * | 2013-03-08 | 2013-06-12 | 北京理工大学 | Rootkit behavior identification method based on multidimensional across view |
| CN103150506A (en) | * | 2013-02-17 | 2013-06-12 | 北京奇虎科技有限公司 | Method and device for detecting rogue program |
| CN103473508A (en) | * | 2013-09-17 | 2013-12-25 | 肖楠 | Security verification method during kernel operation of operation system |
| CN103886259A (en) | * | 2014-03-19 | 2014-06-25 | 四川大学 | Kernel-level rootkit detecting and processing method based on Xen virtualization environment |
| CN103907101A (en) | * | 2011-10-13 | 2014-07-02 | 迈克菲公司 | System and method for kernel ROOTKIT protection in a hypervisor environment |
| CN104750534A (en) | * | 2013-12-26 | 2015-07-01 | 华为技术有限公司 | Method, device and system for triggering self-examination of virtual machine |
| CN104750536A (en) | * | 2013-12-30 | 2015-07-01 | 华为技术有限公司 | Virtual machine introspection (VMI) implementation method and device |
| CN105590054A (en) | * | 2014-11-11 | 2016-05-18 | 航天恒星科技有限公司 | Virtual machine process monitoring method, device and system |
| CN106371763A (en) | * | 2016-08-23 | 2017-02-01 | 浪潮(北京)电子信息产业有限公司 | Snapshot storage method and apparatus, disk and computer |
| CN106559406A (en) | * | 2015-09-30 | 2017-04-05 | 东软集团股份有限公司 | Physical network safety equipment and its control method and device |
| CN106778257A (en) | * | 2016-12-08 | 2017-05-31 | 北京国电通网络技术有限公司 | A kind of anti-release apparatus of virtual machine |
| CN107203410A (en) | * | 2017-04-14 | 2017-09-26 | 华中科技大学 | A kind of VMI method and system based on redirection of system call |
| US9946562B2 (en) | | 2011-10-13 | 2018-04-17 | Mcafee, Llc | System and method for kernel rootkit protection in a hypervisor environment |
| CN108446160A (en) | * | 2018-01-29 | 2018-08-24 | 中国电子科技网络信息安全有限公司 | A kind of virtual machine hides process detection method and system |
| CN110674496A (en) | * | 2019-09-24 | 2020-01-10 | 杭州安恒信息技术股份有限公司 | Method and system for program to counter invading terminal and computer equipment |
| CN111580932A (en) | * | 2020-05-12 | 2020-08-25 | 西安交通大学 | Virtual machine disk online migration redundancy removing method |

Cited By (36)

* Cited by examiner, † Cited by third party

| Publication number | | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|---|
| CN103907101B (en) | * | 2011-10-13 | 2017-02-15 | 迈克菲公司 | System and method for kernel ROOTKIT protection in a hypervisor environment |
| US9946562B2 (en) | | 2011-10-13 | 2018-04-17 | Mcafee, Llc | System and method for kernel rootkit protection in a hypervisor environment |
| US9465700B2 (en) | | 2011-10-13 | 2016-10-11 | Mcafee, Inc. | System and method for kernel rootkit protection in a hypervisor environment |
| CN103907101A (en) | * | 2011-10-13 | 2014-07-02 | 迈克菲公司 | System and method for kernel ROOTKIT protection in a hypervisor environment |
| CN102375957B (en) | * | 2011-11-10 | 2014-05-14 | 西安电子科技大学 | Defense method for kernel-level return-oriented rootkits |
| CN102375957A (en) | * | 2011-11-10 | 2012-03-14 | 西安电子科技大学 | Defense method for kernel-level return-oriented rootkits |
| CN102520881A (en) | * | 2011-12-02 | 2012-06-27 | 中标软件有限公司 | Virtual machine snapshot management method and system of cloud computing platform |
| CN102662830A (en) | * | 2012-03-20 | 2012-09-12 | 湖南大学 | Code reuse attack detection system based on dynamic binary translation framework |
| CN102821094B (en) | * | 2012-07-09 | 2016-05-04 | 深圳市深信服电子科技有限公司 | Data safety processing method in virtual desktop and system |
| CN102821094A (en) | * | 2012-07-09 | 2012-12-12 | 深圳市深信服电子科技有限公司 | Method and system for secure data processing in virtual desktop |
| CN103077351A (en) | * | 2012-12-20 | 2013-05-01 | 北京奇虎科技有限公司 | Anti-detection system of virtual machine system |
| CN103077351B (en) | * | 2012-12-20 | 2016-06-01 | 北京奇虎科技有限公司 | The reverse-examination examining system of dummy machine system |
| CN103150506A (en) | * | 2013-02-17 | 2013-06-12 | 北京奇虎科技有限公司 | Method and device for detecting rogue program |
| CN103150506B (en) | * | 2013-02-17 | 2016-03-30 | 北京奇虎科技有限公司 | The method and apparatus that a kind of rogue program detects |
| CN103150508B (en) | * | 2013-03-08 | 2015-10-21 | 北京理工大学 | Based on the rootkit behavior discrimination method of multidimensional cross-view |
| CN103150508A (en) | * | 2013-03-08 | 2013-06-12 | 北京理工大学 | Rootkit behavior identification method based on multidimensional across view |
| CN103473508A (en) | * | 2013-09-17 | 2013-12-25 | 肖楠 | Security verification method during kernel operation of operation system |
| CN103473508B (en) | * | 2013-09-17 | 2016-07-27 | 肖楠 | Safe verification method when operating system nucleus runs |
| CN104750534B (en) | * | 2013-12-26 | 2018-10-30 | 华为技术有限公司 | The method, apparatus and system that triggering virtual machine is examined oneself |
| CN104750534A (en) | * | 2013-12-26 | 2015-07-01 | 华为技术有限公司 | Method, device and system for triggering self-examination of virtual machine |
| US10007785B2 (en) | | 2013-12-30 | 2018-06-26 | Huawei Technologies Co., Ltd. | Method and apparatus for implementing virtual machine introspection |
| CN104750536A (en) | * | 2013-12-30 | 2015-07-01 | 华为技术有限公司 | Virtual machine introspection (VMI) implementation method and device |
| CN104750536B (en) | * | 2013-12-30 | 2018-08-21 | 华为技术有限公司 | A kind of method and apparatus realized virtual machine and examined oneself |
| CN103886259A (en) | * | 2014-03-19 | 2014-06-25 | 四川大学 | Kernel-level rootkit detecting and processing method based on Xen virtualization environment |
| CN103886259B (en) | * | 2014-03-19 | 2016-09-21 | 四川大学 | Kernel level rootkit based on Xen virtualized environment detection and processing method |
| CN105590054A (en) | * | 2014-11-11 | 2016-05-18 | 航天恒星科技有限公司 | Virtual machine process monitoring method, device and system |
| CN106559406A (en) | * | 2015-09-30 | 2017-04-05 | 东软集团股份有限公司 | Physical network safety equipment and its control method and device |
| CN106559406B (en) | * | 2015-09-30 | 2019-09-17 | 东软集团股份有限公司 | Physical network safety equipment and its control method and device |
| CN106371763A (en) | * | 2016-08-23 | 2017-02-01 | 浪潮(北京)电子信息产业有限公司 | Snapshot storage method and apparatus, disk and computer |
| CN106778257A (en) | * | 2016-12-08 | 2017-05-31 | 北京国电通网络技术有限公司 | A kind of anti-release apparatus of virtual machine |
| CN107203410A (en) | * | 2017-04-14 | 2017-09-26 | 华中科技大学 | A kind of VMI method and system based on redirection of system call |
| CN107203410B (en) | * | 2017-04-14 | 2020-02-14 | 华中科技大学 | VMI method and system based on system call redirection |
| CN108446160A (en) | * | 2018-01-29 | 2018-08-24 | 中国电子科技网络信息安全有限公司 | A kind of virtual machine hides process detection method and system |
| CN110674496A (en) | * | 2019-09-24 | 2020-01-10 | 杭州安恒信息技术股份有限公司 | Method and system for program to counter invading terminal and computer equipment |
| CN111580932A (en) | * | 2020-05-12 | 2020-08-25 | 西安交通大学 | Virtual machine disk online migration redundancy removing method |
| CN111580932B (en) | * | 2020-05-12 | 2023-04-07 | 西安交通大学 | Virtual machine disk online migration redundancy removal method |

Similar Documents

Publication Publication Date Title
CN102147843A (en) Rootkit intrusion detection and system recovery method based on inner core invariant protection
Cheng et al. A lightweight live memory forensic approach based on hardware virtualization
Srinivasan et al. Process out-grafting: an efficient "out-of-vm" approach for fine-grained process execution monitoring
Gu et al. Process implanting: A new active introspection framework for virtualization
Krishnan et al. Trail of bytes: efficient support for forensic analysis
Fu et al. Exterior: Using a dual-vm based external shell for guest-os introspection, configuration, and recovery
US20170132084A1 (en) System and method for security and privacy aware virtual machine checkpointing
CN103310152B (en) Kernel state Rootkit detection method based on system virtualization technology
CN105393255A (en) Process evaluation for malware detection in virtual machines
Liu et al. Cpu transparent protection of os kernel and hypervisor integrity with programmable dram
Shi et al. ShadowMonitor: An effective in-VM monitoring framework with hardware-enforced isolation
Lombardi et al. KvmSec: a security extension for Linux kernel virtual machines
Tian et al. Kruiser: Semi-synchronized Non-blocking Concurrent Kernel Heap Buffer Overflow Monitoring.
Wang et al. Hypervisor-based protection of sensitive files in a compromised system
Zhou et al. Hardware-based workload forensics: Process reconstruction via TLB monitoring
Wang et al. Making information hiding effective again
Zhan et al. A high-performance virtual machine filesystem monitor in cloud-assisted cognitive IoT
Mankin et al. Dione: a flexible disk monitoring and analysis framework
Choi et al. Cloud-BlackBox: Toward practical recording and tracking of VM swarms for multifaceted cloud inspection
Chan A framework for live forensics
Krishnan et al. Trail of bytes: New techniques for supporting data provenance and limiting privacy breaches
Cox et al. Secure, consistent, and high-performance memory snapshotting
Wang et al. Exploring efficient and robust virtual machine introspection techniques
Tsifountidis Virtualization security: Virtual machine monitoring and introspection
Upadhyay et al. Windows virtualization architecture for cyber threats detection

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20110810