JP2009031859A - Information collection system and information collection method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To easily collect information on guest software. <P>SOLUTION: This information collection system for collecting information related with a guest OS and/or an application installed in the guest OS operates on an OS different from the guest OS when the collection object of information is a guest OS, and operates on the OS different from the guest OS in which the application is installed when the collection object of information is an application. Then the system acquires information read by a virtual CPU, comprehends a code to be executed by the guest OS or application, replaces the comprehended code with an information collection code, and inserts the information collection code into a memory where the code is executed, thereby collecting the execution result of the information collection code executed by the guest OS or the application for collecting the information. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to an information collection system and an information collection method.

  Conventionally, security software such as anti-virus software, host-type intrusion detection system (see Non-Patent Document 1), personal firewall, etc. operates on the OS if the protection target is an OS, and if the protection target is an application. , And operates on the OS in which the application is installed (hereinafter referred to as the protection target system). These security software monitors the behavior of an OS to be protected or an application running on the OS, and monitors the resources accessed by the OS and applications and the operations on the resources, thereby illegal behavior of an unauthorized program. Is preventing.

  However, some malware (eg, bots, viruses, Shellcode, etc., programs or modules that perform operations unintended by the software user) are checked for security software when activated in the target system. However, when security software is operating in the target system, there is malware having a function of forcibly stopping the security software (see Non-Patent Document 2).

  That is, when the security software is operated in the protection target system, the malware checks whether there is security software in the protection target system (in the target system for the malware) and forcibly stops it. In other words, if malware is allowed to enter the protected system, the malware can acquire the same authority as the security software in the protected system, so it can attack the security software. It becomes possible.

  For this reason, as shown in Non-Patent Document 3, research has been conducted in which the protection target system is operated as guest software on a virtual machine, and security software is supported by monitoring the inside of the guest software from the outside of the guest software. It has been broken. Here, the virtual machine is a computer that is virtually created by being installed in an OS (hereinafter referred to as a host OS) operating on the hardware of the computer. The guest software is an OS (hereinafter referred to as a guest OS) that operates on virtual hardware that constitutes a virtual machine or an application installed in the guest OS. In such research, information on guest software is collected from outside the guest software, the events occurring inside the guest software are captured from the collected information, and the collected information is inspected to check the abnormality of the guest software. A method for judging is disclosed.

“Outline and application of host-based IDS”, JNSA 2001 WG Activity Results, [online], [July 11, 2007 search], Internet <http://www.jnsa.org/active/houkoku/ IDSBasic.pdf> “Botnet Survey Results”, Black Hat Japan 2005, Telecom-ISAC Japan Satoshi Koyama “A Virtual Machine Introspection Based Architecture for Intrusion Detection”, Tal Garfinkel and Mendel Rosenblum, In the Internet Society ’s 2003 Symposium on Network and Distributed System Security, page 191-206, February 2003.

  By the way, as described below, the above-described conventional technique has a problem in that information relating to guest software cannot be easily collected. In collecting the necessary information from the guest software, it is usually necessary to accurately grasp the events that are occurring in the guest software, and the information that is needed anywhere in the memory or disk used by the guest software You must know exactly where it is located. That is, according to the technique of the prior art, it is necessary to completely grasp the data structure and file system of the OS and applications that operate as guest software. Therefore, the type of OS that operates as guest software and the version of the guest software Every time changes, the method of collecting information about guest software will have to change significantly. For example, since a data structure related to an OS such as Windows (registered trademark) is information that is not disclosed to the public, it is extremely difficult to collect necessary information from these guest software.

  Therefore, the present invention has been made to solve the above-described problems of the prior art, and the first is to provide an information collection system and an information collection method capable of easily collecting information about guest software. The purpose.

  A second object of the present invention is to provide an information collecting system and an information collecting method capable of accurately grasping an event occurring inside the guest software.

  In order to solve the above-described problems and achieve the object, the invention according to claim 1 is applied to a virtual machine that is a computer created virtually by being installed in a host OS that is an OS that operates on the hardware of the computer. In a configuration in which a guest OS that is an OS that operates on virtual hardware provided by the virtual machine is installed, information for collecting information on the guest OS and / or an application installed on the guest OS If it is a collection system and the information collection target is a guest OS, it operates on an OS different from the guest OS, and if the information collection target is an application, the guest OS on which the application is installed With information collection means that runs on an OS different from The information collecting means acquires information read by a virtual CPU provided by the virtual machine, grasps the code that the guest OS or the application is going to execute, and collects the grasped code to collect the information A memory in which the code is executed by the guest OS or the application from which the information is collected so that the information collection code is executed in the guest OS or the application. Code insertion means for inserting the information collection code into the space; and execution result collection means for collecting the information by collecting execution results of the information collection code executed by the guest OS or the application. It is characterized by that.

  In the invention according to claim 2, in the above invention, the code insertion unit collects the information as the information collection code using a library and / or a program in the guest OS or the application. An information collection code in which an instruction is described is inserted into the memory space.

  Further, in the invention according to claim 3, in the above invention, when the code insertion unit confirms abnormality in the guest OS or the application from the information collected by the execution result collection unit, As the information collection code, an information collection code in which an instruction for solving the abnormality is described is further inserted into the memory space.

  According to a fourth aspect of the present invention, in the above invention, the information collecting unit is read by a byte sequence storage unit that stores a predetermined byte sequence in advance and a virtual CPU provided by the virtual machine. Code block monitoring means for monitoring the code blocks executed by the guest OS or the application, and the code block monitoring means. It further comprises inspection means for inspecting whether or not the monitored code block matches a predetermined byte string stored by the byte string storage means.

  The invention according to claim 5 is the above invention, wherein the information collecting unit uses the information read by the virtual CPU provided by the virtual machine, so that the guest OS or the application is a system. The system further comprises special instruction monitoring means for monitoring a special instruction executed when a call is issued and monitoring issuance of the system call.

  According to a sixth aspect of the present invention, in the above-described invention, the code insertion unit, as the information collection code, for a system call monitored by the special instruction monitoring unit, a process that issued the system call, a system call An information collection code in which an instruction to collect one or more of a number and an argument passed to the system call is inserted into the memory space.

  The invention according to claim 7 is the above invention, wherein the information collecting means further comprises system call information obtaining means for obtaining information when a system call monitored by the special instruction monitoring means is issued, The execution result collecting unit collects the information by further using the information acquired by the system call information acquiring unit.

  In the invention according to claim 8, in the above invention, the information collection unit is a snap for acquiring a snapshot of the execution state of the guest OS or the application in response to a predetermined behavior of the guest OS or the application. The image processing apparatus further includes: a shot acquisition unit; and an execution restart unit that restarts the execution of the guest OS or the application using the snapshot acquired by the snapshot acquisition unit.

  The invention according to claim 9 is the above invention, wherein the information collection unit uses the guest OS or the application and / or the guest OS or the information collected by the execution result collection unit. An information transmission means for transmitting to software other than the application is further provided.

  The invention according to claim 10 provides a virtual hardware provided by the virtual machine to a virtual machine that is a computer created virtually by being installed in a host OS that is an OS operating on the hardware of the computer. An information collection system that collects information about a guest OS and / or an application installed on the guest OS in a configuration in which a guest OS that is an OS operating on the hardware is installed, If the OS is a guest OS, the information collection means operates on an OS different from the guest OS, and if the information collection target is an application, the information collection means operates on an OS different from the guest OS in which the application is installed The information collecting means includes a predetermined byte sequence. By acquiring information read into a virtual CPU provided by the virtual machine and byte code storage means stored in advance and grasping the code that the guest OS or the application intends to execute, the guest Code block monitoring means for monitoring a code block executed by the OS or the application and whether the code block monitored by the code block monitoring means matches a predetermined byte string stored by the byte string storage means And inspection means for inspecting the above.

  According to an eleventh aspect of the present invention, a virtual hardware provided by the virtual machine is installed on a virtual machine that is a computer created virtually by being installed in a host OS that is an OS operating on the hardware of the computer. An information collection system that collects information about a guest OS and / or an application installed on the guest OS in a configuration in which a guest OS that is an OS operating on the hardware is installed, If the OS is a guest OS, the information collection means operates on an OS different from the guest OS, and if the information collection target is an application, the information collection means operates on an OS different from the guest OS in which the application is installed The information collection means includes the virtual machine Special instruction monitoring that monitors the issuance of the system call by monitoring the special instruction that is executed when the guest OS or the application issues a system call by using the information read by the virtual CPU to be provided Means are provided.

  According to the twelfth aspect of the present invention, a virtual hardware provided by a virtual machine is provided to a virtual machine that is a computer created virtually by being installed in a host OS that is an OS operating on the hardware of the computer. An information collection method for collecting information related to a guest OS and / or an application installed in the guest OS in a configuration in which a guest OS that is an OS operating on hardware is installed. If it is a guest OS, it will run on an OS different from the guest OS, and if the information collection target is an application, it will run on an OS different from the guest OS in which the application is installed And the information collecting step is provided by the virtual machine. The information read by the virtual CPU is acquired, the code that the guest OS or the application is about to execute is grasped, and the grasped code is replaced with an information collection code in which an instruction for collecting the information is described. Code insertion that inserts the information collection code into a memory space in which the code is executed by the guest OS or application to be collected, so that the information collection code is executed by the guest OS or application And an execution result collecting step of collecting the information by collecting an execution result of the information collection code executed by the guest OS or the application.

  The invention according to claim 13 provides a virtual hardware provided by the virtual machine to a virtual machine that is a computer created virtually by being installed in a host OS that is an OS operating on the hardware of the computer. An information collection method for collecting information related to a guest OS and / or an application installed in the guest OS in a configuration in which a guest OS that is an OS operating on hardware is installed. If it is a guest OS, it will run on an OS different from the guest OS, and if the information collection target is an application, it will run on an OS different from the guest OS in which the application is installed And the information collecting step is provided by the virtual machine. A code block monitoring step of monitoring a code block executed by the guest OS or the application by acquiring information read by the virtual CPU and grasping a code that the guest OS or the application intends to execute And an inspection step for inspecting whether the code block monitored by the code block monitoring step matches the predetermined byte sequence stored by the byte sequence storage unit that stores the predetermined byte sequence in advance. , Including.

  According to the fourteenth aspect of the present invention, a virtual hardware provided by the virtual machine is installed in a virtual machine that is a computer created virtually by being installed in a host OS that is an OS operating on the hardware of the computer. An information collection method for collecting information related to a guest OS and / or an application installed in the guest OS in a configuration in which a guest OS that is an OS operating on hardware is installed. If it is a guest OS, it will run on an OS different from the guest OS, and if the information collection target is an application, it will run on an OS different from the guest OS in which the application is installed And the information collecting step is provided by the virtual machine. A special instruction monitoring step of monitoring a special instruction executed when the guest OS or the application issues a system call by using information read into the virtual CPU to monitor the issue of the system call It is characterized by including.

  According to the first or twelfth aspect of the present invention, a virtual machine provided by a virtual machine is a virtual machine that is a computer created virtually by being installed in a host OS that is an OS operating on the hardware of the computer. An information collection system for collecting information on a guest OS and / or an application installed on the guest OS in a configuration in which a guest OS that is an operating system operating on hardware is installed, If the OS is a guest OS, it operates on an OS different from the guest OS, and if the information collection target is an application, the virtual machine operates on an OS different from the guest OS on which the application is installed. Acquire information read by the virtual CPU provided The code that the guest OS or application intends to execute is grasped, and the grasped code is replaced with an information collecting code in which an instruction for collecting information is described, so that the information collecting code is executed in the guest OS or the application. By inserting the information collection code into the memory space where the code is executed by the guest OS or application to be collected, and collecting the execution result of the information collection code executed by the guest OS or application, Since information is collected, it is possible to easily collect information about guest software.

  According to the second aspect of the present invention, as the information collection code, an information collection code in which a command for collecting information using a library and / or program in the guest OS or application is described is inserted into the memory space. Therefore, it becomes possible to collect information about guest software easily and efficiently.

  According to the invention of claim 3, when an abnormality is confirmed in the guest OS or application from the collected information, an information collection code in which a command for solving the abnormality is described is used as the information collection code. Since it is further inserted into the memory space (for example, the code may be replaced and inserted), it becomes possible to easily collect information about the guest software, and when an abnormality is confirmed in the guest software Can also solve the anomaly.

  According to the invention of claim 4, a predetermined byte string is stored in advance, information read into a virtual CPU provided by the virtual machine is acquired, and the code that the guest OS or application is trying to execute is grasped. As a result, the code block executed by the guest OS or application is monitored, and it is checked whether the monitored code block matches the stored predetermined byte sequence. Thus, it is possible to easily collect information about guest software (for example, after acquiring information on processes operating on guest software).

  According to the invention of claim 5, a special instruction that is executed when the guest OS or the application issues a system call by using information read into a virtual CPU provided by the virtual machine. Since the system call issuance is monitored, it is possible to easily collect information about the guest software after accurately grasping the events inside the guest software.

  According to the invention of claim 6, as the information collection code, for the monitored system call, any one or more of the process that issued the system call, the system call number, and the argument passed to the system call are collected. Since the information collection code describing the instruction to be inserted is inserted into the memory space, it is possible to easily collect information about the guest software after accurately grasping the events inside the guest software.

  Further, according to the invention of claim 7, since the information at the time of issuing the monitored system call is acquired, and the information is collected by further using the acquired information, the phenomenon inside the guest software is accurately grasped. This makes it possible to easily collect information about guest software.

  According to the invention of claim 8, a snapshot of the execution state of the guest OS or application is acquired in response to a predetermined behavior of the guest OS or application, and the guest OS or application is acquired using the acquired snapshot. Since the execution of the program is resumed, it becomes possible to easily collect information about the guest software.

  According to the invention of claim 9, since the collected information is transmitted to the guest OS or application and / or software other than the guest OS or the application, it is possible to easily collect information about the guest software. Besides being possible, the collected information can be communicated to other software (such as raising alerts).

  According to the invention of claim 10 or 13, a virtual machine provided by a virtual machine is a virtual machine that is a computer created virtually by being installed in a host OS that is an OS operating on the hardware of the computer. An information collection system that collects information about a guest OS and / or an application installed on the guest OS in a configuration in which a guest OS that is an OS that operates on typical hardware is installed. If the collection target is a guest OS, it operates on an OS different from the guest OS, and if the information collection target is an application, it operates on an OS different from the guest OS on which the application is installed. Is stored in advance, and the virtual machine provides a temporary By acquiring information read into a typical CPU and grasping the code that the guest OS or application intends to execute, the code block executed by the guest OS or application is monitored, and the monitored code block is stored It is possible to check the event in the guest software accurately (for example, to acquire information on processes running on the guest software). Become.

  According to the invention of claim 11 or 14, a virtual machine provided by the virtual machine to a virtual machine that is a computer created virtually by being installed in a host OS that is an OS operating on the hardware of the computer. An information collection system that collects information about a guest OS and / or an application installed on the guest OS in a configuration in which a guest OS that is an OS that operates on typical hardware is installed. If the collection target is a guest OS, it runs on an OS different from the guest OS, and if the information collection target is an application, it runs on an OS different from the guest OS on which the application is installed. Information read into the virtual CPU provided by the machine To monitor the special instructions executed when the guest OS or the application issues a system call and monitor the issue of the system call, so that the events inside the guest software can be accurately grasped. Is possible.

  Exemplary embodiments of an information collection system and an information collection method according to the present invention will be described below in detail with reference to the accompanying drawings.

  In the following first embodiment, the main terms used in the first embodiment, the outline and features of the information collection system according to the first embodiment, the configuration of the information collection system and the processing procedure will be described in order, and finally the effects of the first embodiment will be described. Will be explained.

[Explanation of terms]
First, key terms used in the following examples will be described. A “virtual machine” is a computer that is virtually created on the actual hardware of the computer. Such a “virtual machine” is realized by a virtualization technology. Virtualization technology provides a virtual hardware interface for an OS (Operating System) that runs on the actual hardware of a computer, so that multiple OSs can run simultaneously on a single computer. It is a technology that makes it possible to do. Specifically, software called VMM (Virtual Machine Monitor) provides a virtual hardware interface to the OS, and provides virtual hardware to the OS running on the VMM.

  Here, in the following embodiments, an OS that operates on actual hardware is referred to as a “host OS”, and an OS that runs on the VMM is referred to as a “guest OS”. That is, the VMM that is one application installed in the “host OS” is a “virtual machine”, and the “guest OS” is an OS installed in the “virtual machine”. A plurality of “guest OSs” can operate on the “virtual machine”.

  By the way, guest software such as a “guest OS” operating on a “virtual machine” and an application installed in the “guest OS” can use various resources by using virtual resources provided by the “virtual machine”. To execute. The execution mechanism will be briefly described. First, the “virtual machine” converts the code executed by the guest software and passes it to the “host OS”, and the “host OS” executes the executed code for the passed code. The result is passed to the “virtual machine”, and the “virtual machine” converts the passed execution result and passes it to the guest software.

  If so, when collecting information about guest software, it is necessary to know exactly where the required information is located about the memory and disk of the “virtual machine” used by the guest software. A method of collecting information from the memory or disk of a “virtual machine” can be considered. However, in such a method, every time the type of OS that operates as guest software or the version of the guest software changes, the method for collecting information about the guest software must be changed greatly. The information collection system according to the present invention solves such a problem.

[Outline and Features of Information Collection System According to Embodiment 1]
Next, the outline and characteristics of the information collection system according to the first embodiment will be described with reference to FIG. FIG. 1 is a diagram for explaining the outline and features of the information collection system according to the first embodiment. In FIG. 1, a configuration example in which the information collection unit according to the present invention is mounted in a virtual machine (VMM) as an information collection module (guest software monitoring module) will be described. It is not limited. Other configuration examples will be described in the sixth embodiment.

  The information collection system according to the first embodiment is configured to collect information on guest software (guest OS, application installed in the guest OS) in a configuration in which the guest OS is installed in the virtual machine. The main feature is to collect information about software easily.

  Briefly describing this main feature, the information collection system according to the present invention includes an information collection unit. If the information collection target is a guest OS, the information collection unit operates on an OS different from the guest OS (the host OS in the first embodiment), and if the information collection target is an application, It operates on an OS (host OS in the first embodiment) that is different from the guest OS in which the application is installed. For example, as illustrated in FIG. 1, the information collection unit is implemented in a virtual machine as an information collection module (guest software monitoring module).

  In such a configuration, the information collection unit first acquires information read by a virtual CPU (Central Processing Unit) provided by the virtual machine and grasps the code that the guest OS or application is about to execute. The acquired code is replaced with an information collection code in which an instruction for collecting information about the guest software is described, and the code is collected by the guest software to be collected so that the information collection code is executed in the guest OS or application. Is inserted into a memory space (execution buffer) in which is executed (see (1) in FIG. 1).

  Then, the guest software executes the information collection code inserted into the memory space by the information collection unit (see (2) in FIG. 1).

  The information collecting unit collects information related to the guest software by collecting the execution result of the information collecting code executed by the guest software (see (3) in FIG. 1).

  As described above, the information collection system according to the first embodiment collects information on the memory and disk of the “virtual machine” used by the guest software without accurately knowing where the necessary information is arranged. Since it can be collected, it is possible to easily collect information about guest software.

[Configuration of Information Collection System According to Embodiment 1]
Then, the structure of the information collection system which concerns on Example 1 is demonstrated using FIGS. FIG. 2 is a block diagram illustrating the configuration of the information collection unit (attack detection system) in the first embodiment, FIG. 3 is a diagram for explaining the pattern DB, and FIG. 4 is a diagram for explaining the information collection module library. FIG. 5 is a diagram for explaining the information collection code.

  As illustrated in FIG. 1, in the information collection system according to the first embodiment, a virtual machine 100 is installed in a host OS 200 that operates on computer hardware, and a guest OS 30 is installed in the virtual machine 100. The information collecting unit 10 operates on an OS (on the host OS 200) different from the guest software (guest OS 30, application 31). Specifically, the information collection unit 10 is implemented in the virtual machine 100 as an information collection module. The virtual resource 20 is a virtual resource provided to operate the guest OS 30.

  As shown in FIG. 2, the information collection unit 10 according to the first embodiment includes a pattern DB 11, an information collection module library 12, a program monitoring unit 13, and a code insertion unit 14. The information collection unit 10 corresponds to the “information collection unit” described in the claims, the pattern DB 11 corresponds to the “byte string storage unit” described in the claims, and the program monitoring unit 13 The code insertion unit 14 corresponds to the “code block monitoring unit” and the “inspection unit” described in the claims, and the code insertion unit 14 includes the “code insertion unit” and the “execution result collection unit” described in the claims. Corresponding to

  The pattern DB 11 stores one or a plurality of signatures having a part of a byte sequence of the code as a pattern for a code known as a code including a vulnerability (code including a known vulnerability). . Specifically, the pattern DB 11 stores one or a plurality of signatures in advance by, for example, being registered in advance by a user of the information collection system, and the stored signatures are recorded by the program monitoring unit 13 described later. Used for processing. For example, the pattern DB 11 stores a signature as shown in FIG. 3 in advance.

  The information collection module library 12 stores a library group for the purpose of collecting guest software information using libraries and programs in the guest software. Specifically, the information collection module library 12 stores a library group in advance by, for example, being registered in advance by a user of the information collection system, and the stored library group is obtained by a code insertion unit 14 described later. Used for processing. For example, the information collection module library 12 stores in advance a library group as shown in FIG.

  Incidentally, as shown in FIG. 4B, the information collection module library 12 may include a guest software library search unit 12b and a guest software library execution unit 12c in each information collection module 12a. Good. The guest software library search unit 12b is used for the purpose of searching for a library in the guest software used for information collection from the memory or disk of the guest software. For example, a method of extracting from the part that manages memory information on the guest software, a method of searching the location of a specific library by scanning the memory space, and the like can be considered. The guest software library execution unit 12c is used for the purpose of actually calling a library in the guest software used for information collection.

  The program monitoring unit 13 performs an inspection by comparing a program block to be executed by the guest software with a signature. Specifically, the program monitoring unit 13 is executed on the guest software by acquiring information read into the virtual CPU provided by the virtual machine 100 and grasping the code that the guest software is going to execute. The program block is taken out and compared with the signature stored in the pattern DB 11 for inspection. Depending on the result of the inspection, whether or not the processing by the code insertion unit 14 is to be performed is determined. That is, the program monitoring unit 13 performs inspection by matching the program block and the signature, and if they match, the processing by the code insertion unit 14 is performed.

  The code insertion unit 14 describes an instruction for acquiring information read by the virtual CPU provided by the virtual machine 100 to grasp the code that the guest software is going to execute, and collecting information about the grasped code. The information collection code is inserted into the memory space where the code is executed by the guest software to be collected and executed by the guest software so that the information collection code is executed in the guest software. Collect information by collecting execution results. Specifically, when the program block and the signature match as a result of the inspection by the program monitoring unit 13, the code insertion unit 14 uses the library stored in the information collection module library 12 to use the code ( Information collection code). In addition, the code insertion unit 14 acquires information (for example, EIP (instruction pointer)) read by the virtual CPU provided by the virtual machine 100 and grasps which code the guest software is executing. . Then, the code insertion unit 14 replaces the grasped code with the created information collection code, inserts it into the memory space, and collects the execution results (FIG. 5 uses the information collection library “g_GetNameOfHandle” to collect the information collection code). Example). The code insertion unit 14 does not use the library stored by the information collection module library 12 and inserts, for example, the information collection code stored in advance as the information collection code to be inserted into the memory space of the virtual machine 100. May be.

  In the first embodiment, for example, the code insertion unit 14 transmits an information collection code (program) for checking whether a program block that the guest software will execute from now on can be an attack targeting a known vulnerability, a virtual machine It is inserted into 100 memory spaces (guest software execution space). In addition, for example, when the execution result of the information collection code indicates a judgment that “it can be an attack”, the code insertion unit 14 transmits an alert to both or one of the guest software and the host software. May be. In addition, for example, depending on the operation policy, the code insertion unit 14 may further insert and execute an information collection code that avoids attacks targeting the known vulnerabilities in the memory space of the virtual machine 100, Guest software may be protected from attacks on vulnerabilities.

[Processing Procedure of Information Collection System According to Embodiment 1]
Next, a processing procedure of the information collection system according to the first embodiment will be described with reference to FIG. FIG. 6 is a flowchart of a process procedure performed by the information collection system according to the first embodiment.

  First, the program monitoring unit 13 of the information collecting unit 10 monitors the execution block of guest software (step S101). Specifically, the program monitoring unit 13 is executed on the guest software by acquiring information read into the virtual CPU provided by the virtual machine 100 and grasping the code that the guest software is going to execute. Fetch program block.

  Next, the program monitoring unit 13 of the information collecting unit 10 determines whether or not it matches the signature (step S102). Specifically, the program monitoring unit 13 performs inspection by matching the program block extracted in step S101 with the signature stored in the pattern DB 11. If they do not match (No at Step S102), the program monitoring unit 13 returns to the process of monitoring the execution block of the guest software.

  On the other hand, if they match (Yes at step S102), then the code insertion unit 14 of the information collection unit 10 inserts an information collection code (survey code) (step S103). Specifically, the code insertion unit 14 acquires information read by the virtual CPU provided by the virtual machine 100 to grasp the code that the guest software is going to execute, and the guest software recognizes the grasped code. The program block to be executed is replaced with information collection code for checking whether or not an attack targeting a known vulnerability can be made, and the information collection code is inserted into the memory space of the virtual machine 100 (guest software execution space). .

  Then, the code insertion unit 14 of the information collection unit 10 determines whether or not it is an attack (step S104). Specifically, the code insertion unit 14 determines whether or not the execution result of the investigation code indicates a determination that “it can be an attack”. If it does not indicate a determination that “it can be an attack” (No in step S104), the program monitoring unit 13 returns to the process of monitoring the execution block of the guest software.

  On the other hand, if it indicates a determination that “it can be an attack” (Yes at Step S104), then the code insertion unit 14 transmits an alert (Step S105). Specifically, the code insertion unit 14 transmits an alert to both or one of the guest software and the host software.

  Furthermore, the code insertion unit 14 avoids an attack depending on the operation policy (step S106). Specifically, the code insertion unit 14 further inserts code and data that avoids an attack aimed at the known vulnerability into the memory space of the virtual machine 100 and executes the code or data, thereby preventing the vulnerability. Protect guest software from attacks.

  As described above, the information collection system according to the first embodiment collects information on the memory and disk of the “virtual machine” used by the guest software without accurately knowing where the necessary information is arranged. Since it can be collected, it is possible to easily collect information about guest software.

  In the first embodiment, the information collection system first determines whether or not the signature is matched with the signature in the program monitoring unit 13, and if it is determined to match, the code insertion unit 14 inserts the code However, the present invention is not limited to this. Regardless of the determination by the program monitoring unit 13, a method of inserting a code in the code insertion unit 14 or a method of inserting a code appropriately in the code insertion unit 14 without performing monitoring or determination by the program monitoring unit 13 in the first place. The present invention can be similarly applied. Further, the present invention can be similarly applied to a technique in which only the monitoring and determination by the program monitoring unit 13 is performed and the information collection code is not inserted in the code insertion unit 14.

  Also, in the first embodiment, a method is described in which the code insertion unit 14 inserts an information collection code for inspecting whether a program block can be an attack targeting a known vulnerability as the information collection code. However, the present invention is not limited to this. Any information collection code may be inserted as long as it is an information collection code to be executed by the guest software and collects information about the guest software.

  In the first embodiment, the code insertion unit 14 has described a technique for transmitting an alert or avoiding an attack in step S105 or step S106. However, these are appropriately selected according to an operation policy or the like. It only needs to be implemented. For example, the information collection system according to the present invention can be applied as a honeypot.

[Effect of Example 1]
As described above, according to the first embodiment, a virtual machine provided by a virtual machine is a virtual machine that is a computer created virtually by being installed in a host OS that is an OS operating on the hardware of the computer. An information collection system that collects information about a guest OS and / or an application installed on the guest OS in a configuration in which a guest OS that is an OS that operates on typical hardware is installed. If the collection target is a guest OS, it runs on an OS different from the guest OS, and if the information collection target is an application, it runs on an OS different from the guest OS on which the application is installed. Information read into the virtual CPU provided by the machine The code that the guest OS or application intends to execute is grasped, the grasped code is replaced with an information collecting code in which an instruction for collecting information is described, and the information collecting code is executed in the guest OS or the application As described above, the information collection code is inserted into the memory space where the code is executed by the guest OS or the application to be collected, and the execution result of the information collection code executed by the guest OS or the application is collected Since information is collected, it is possible to easily collect information about guest software.

  That is, according to the first embodiment, when the guest software operating on the virtual machine is monitored, an event occurring inside the guest software is grasped from outside the guest software, and information inside the guest software is efficiently acquired. It becomes possible. For this reason, by constructing an attack detection system using the present invention, it is possible to realize a system for monitoring guest software from a safe location based on detailed information about the guest software.

  In addition, according to the first embodiment, as the information collection code, the information collection code in which a command for collecting information using a library and / or program in the guest OS or application is described is inserted into the memory space. It becomes possible to collect information about guest software easily and efficiently.

  Further, according to the first embodiment, when an abnormality is confirmed in the guest OS or application from the collected information, an information collection code in which a command for solving the abnormality is described is stored in the memory as the information collection code. Since it is further inserted into the space (for example, the code may be replaced and inserted), in addition to being able to easily collect information about the guest software, when anomalies are confirmed in the guest software, It is also possible to resolve anomalies.

  Further, according to the first embodiment, a predetermined byte string is stored in advance, information read into a virtual CPU provided by the virtual machine is acquired, and the code that the guest OS or application is trying to execute is grasped. Therefore, the code block executed by the guest OS or application is monitored, and it is checked whether the monitored code block matches the stored predetermined byte sequence. In addition, it becomes possible to easily collect information related to the guest software (for example, after acquiring information of a process operating on the guest software).

  In other words, according to the first embodiment, the program currently executed by the guest software is grasped by checking whether or not the code currently executed by the guest software matches a specific pattern prepared in advance. It becomes possible.

  Further, according to the first embodiment, the collected information is transmitted to the guest OS or application and / or software other than the guest OS or the application, so that it is possible to easily collect information about the guest software. In addition, the collected information can be transmitted to other software (such as raising an alert).

  So far, as Example 1, the method of using the information collection system according to the present invention as a “attack detection system targeting a known vulnerability” has been described, but the present invention is not limited to this, The information collection system according to the present invention may be used as a “malware detection system”. Therefore, in the following, as Example 2, an example of “a malware detection system that operates in response to a request from a user” among “malware detection systems” will be described.

  First, the configuration of the information collection system according to the second embodiment will be described with reference to FIGS. FIG. 7 is a block diagram illustrating a configuration of the information collection unit (malware detection system) in the second embodiment, and FIG. 8 is a diagram for explaining the snapshot data storage unit. As illustrated in FIG. 7, the information collection unit 10 in the second embodiment is different from the information collection unit 10 in the first embodiment in that a snapshot data storage unit 15 and an execution control unit 16 are added. The execution control unit 16 corresponds to “snapshot acquisition unit” and “execution restart unit” described in the claims.

  The pattern DB 11 according to the second embodiment stores one or a plurality of signatures having a part of a byte string of the code as a pattern for the code representing the characteristics of the malware. Specifically, the pattern DB 11 stores one or more signatures in advance by, for example, being registered in advance by a user of the information collection system, and the stored signature is processed by the code insertion unit 14. Used.

  The snapshot data storage unit 15 stores a snapshot of the currently executed guest software at that time. Specifically, the snapshot data storage unit 15 stores the snapshot acquired by the execution control unit 16, and the stored snapshot is used for processing in which the execution state of the guest software is restored by the execution control unit 16 And so on. For example, as shown in FIG. 8, the snapshot data storage unit 15 creates registry data 15a, disk data 15b, stack data 15c, and heap area data as a snapshot of the currently executed guest software at that time. Save 15d etc.

  The execution control unit 16 receives a request from the user, acquires a snapshot of the currently executed guest software at that time, restores the guest software execution state, and executes the guest software. Specifically, when receiving a request from the user, the execution control unit 16 acquires a snapshot and stores it in the snapshot data storage unit 15. In addition, the execution control unit 16 uses the snapshot stored in the snapshot data storage unit 15 when the code insertion unit 14 determines that the guest software state is normal, and the like. Restore the execution state and run the guest software. In the second embodiment, as described in the description of the snapshot data storage unit 15, the execution control unit 16 stores registry data 15a, disk data 15b, stack data 15c, heap area data 15d, and the like as snapshots. Although the acquisition method will be described, the present invention is not limited to this. The present invention can be similarly applied to a method in which the execution control unit 16 acquires a part of these data or a method in which all of the data is acquired.

  The code insertion unit 14 according to the second embodiment inserts, for example, a code describing an instruction for collecting guest software information into the memory space of the virtual machine. For example, the code insertion unit 14 determines whether or not there is an abnormality in the state of the guest software by matching the collected guest software information with the signature stored in the pattern DB 11. In addition, for example, when the code execution result indicates that the guest software state is abnormal, the code insertion unit 14 transmits an alert to both or one of the guest software and the host software. You may do it. Further, for example, depending on the operation policy, the code insertion unit 14 deletes a computer resource that matches the signature of the pattern DB 11 on the guest software, or puts a code that cannot be executed into the memory space of the virtual machine. Furthermore, guest software may be protected from malware by inserting and executing it.

[Processing Procedure of Information Collection System According to Second Embodiment]
Next, a processing procedure of the information collection system according to the second embodiment will be described with reference to FIG. FIG. 9 is a flowchart of a process procedure performed by the information collection system according to the second embodiment.

  First, the execution control unit 16 of the information collection unit 10 monitors an external request (step S201). Specifically, since the malware detection system operates upon a request from the user, the execution control unit 16 waits for an external request.

  Then, the execution control unit 16 of the information collection unit 10 determines whether a request has been received (step S202). If the request has not been accepted (No at Step S202), the execution control unit 16 returns to the process of monitoring the request from the outside.

  On the other hand, when the request is accepted (Yes at Step S202), the execution control unit 16 saves the snapshot (Step S203). Specifically, the execution control unit 16 acquires a snapshot of the currently executed guest software at that time and stores it in the snapshot data storage unit 15.

  Subsequently, the code insertion unit 14 of the information collection unit 10 inserts an information collection code (survey code) (step S204). Specifically, the code insertion unit 14 inserts an information collection code for collecting guest software information into the memory space of the virtual machine.

  Then, the code insertion unit 14 of the information collection unit 10 determines whether there is an abnormality in the state of the guest software (step S205). Specifically, the code insertion unit 14 determines whether or not there is an abnormality in the state of the guest software by matching the guest software information collected in step S204 with the signature stored in the pattern DB 11. . When it is determined that there is no abnormality (No at Step S205), the execution control unit 16 restores the guest software execution state using the snapshot stored in the snapshot data storage unit 15, and the guest software The software is executed (step S206), and the process returns to step S201.

  On the other hand, if it is determined that there is an abnormality (Yes at Step S205), then the code insertion unit 14 transmits an alert (Step S207). Specifically, the code insertion unit 14 transmits an alert to both or one of the guest software and the host software.

  Further, the code insertion unit 14 takes measures such as deletion depending on the operation policy (step S208). Specifically, the code insertion unit 14 deletes a computer resource that matches the signature of the pattern DB 11 on the guest software, or further inserts a code that makes an inexecutable form into the memory space of the virtual machine. Run it to protect guest software from malware.

  Then, the execution control unit 16 restores the execution state of the guest software using the snapshot stored in the snapshot data storage unit 15, executes the guest software (step S209), and returns to step S201.

  As described above, the information collection system according to the second embodiment collects information without accurately knowing where the necessary information is arranged in the memory and disk of the “virtual machine” used by the guest software. Since it can be collected, it is possible to easily collect information about guest software.

[Effect of Example 2]
As described above, according to the second embodiment, in addition to the effects of the first embodiment, when the guest software operating on the virtual machine is monitored, an event occurring inside the guest software is grasped from outside the guest software. And it becomes possible to acquire the information inside the guest software efficiently. For this reason, by constructing a malware detection system using the present invention, it is possible to realize a system for monitoring guest software from a safe location based on detailed information about the guest software.

  Further, according to the second embodiment, a snapshot of the execution state of the guest OS or application is acquired in response to a predetermined behavior of the guest OS or application, and execution of the guest OS or application is resumed using the acquired snapshot. Therefore, it is possible to easily collect information about guest software.

  So far, as the second embodiment, a method of using the information collection system according to the present invention as a “malware detection system that operates in response to a request from a user” has been described, but the present invention is not limited to this. Instead, the information collection system according to the present invention may be used as a “malware detection system that detects execution of malware in guest software by monitoring system calls called by guest software”. Therefore, in the following, as Example 3, among “malware detection system”, in particular, an example of “malware detection system that detects execution of malware in guest software by monitoring a system call called by guest software” explain.

  For example, the code insertion unit 14 in the third embodiment collects, as guest software information, a code that collects an argument when calling a specific system call, information related to a memory or a disk, and the like of the virtual machine. Insert into memory space. The program monitoring unit 13 corresponds to “special instruction monitoring means” described in the claims.

[Processing Procedure of Information Collection System According to Embodiment 3]
The processing procedure of the information collection system according to the third embodiment will be described with reference to FIG. FIG. 10 is a flowchart of a process procedure performed by the information collection system according to the third embodiment.

  First, the program monitoring unit 13 of the information collecting unit 10 monitors the calling of system calls (step S301). Specifically, since this malware detection system operates upon execution of a specific privileged instruction for invoking a guestware system call, the program monitoring unit 13 is provided by the virtual machine 100. By using information read into the virtual CPU, a special instruction executed when the guest software issues a system call is monitored, and a call to the system call from within the guest software is monitored. Specifically, when the guest software issues a system call, a special instruction is read into the virtual CPU. Then, the virtual CPU issues a signal to notify the guest software that the special instruction has been read. In issuing this signal, a function is called from a virtual CPU, and the program monitoring unit 13 monitors the call of the system call from within the guest software by monitoring this call. Note that the present invention can be similarly applied to a method in which the program monitoring unit 13 monitors whether or not a special instruction is read into a virtual CPU.

  Then, the program monitoring unit 13 of the information collecting unit 10 determines whether or not a privileged instruction has been executed (step S302). When the privileged instruction is not executed (No at Step S302), the program monitoring unit 13 returns to the process of monitoring the call of the system call.

  On the other hand, when the privileged instruction is executed (Yes at Step S302), the execution control unit 16 saves the snapshot (Step S303). Specifically, the execution control unit 16 acquires a snapshot of the currently executed guest software at that time and stores it in the snapshot data storage unit 15. The execution control unit 16 may acquire a part of the registry data 15a, the disk data 15b, the stack data 15c, the heap area data 15d, or the like as a snapshot.

  Subsequently, the code insertion unit 14 of the information collection unit 10 inserts a survey code (step S304). Specifically, the code insertion unit 14 inserts a survey code for collecting guest software information into the memory space of the virtual machine. As a result, the code insertion unit 14 collects information such as the process that called the system call, the system call number, and an argument when the system call is called.

  Then, the code insertion unit 14 of the information collection unit 10 performs pattern matching and determines whether there is an abnormality in the state of the guest software (step S305). Specifically, the code insertion unit 14 determines whether or not there is an abnormality in the state of the guest software by matching the guest software information collected in step S304 with the signature stored in the pattern DB 11. . When it is determined that there is no abnormality (No at Step S305), the execution control unit 16 restores the guest software execution state using the snapshot stored in the snapshot data storage unit 15, The software is executed (step S306), and the process returns to step S301.

  On the other hand, if it is determined that there is an abnormality (Yes at Step S305), then the code insertion unit 14 transmits an alert (Step S307). Specifically, the code insertion unit 14 transmits an alert to both or one of the guest software and the host software.

  Furthermore, the code insertion unit 14 takes measures depending on the operation policy (step S308). Specifically, the code insertion unit 14 deletes a computer resource that matches the signature of the pattern DB 11 on the guest software, or further inserts a code that makes an inexecutable form into the memory space of the virtual machine. Run it to protect guest software from malware.

  Then, the execution control unit 16 restores the execution state of the guest software using the snapshot stored in the snapshot data storage unit 15, executes the guest software (step S309), and returns to step S301.

  As described above, the information collection system according to the third embodiment collects information without accurately knowing where the necessary information is arranged about the memory and disk of the “virtual machine” used by the guest software. Since it can be collected, it is possible to easily collect information about guest software.

  In the third embodiment, when the information collection system first monitors the call of the system call in the program monitoring unit 13 and determines that the privileged instruction is executed, the code insertion unit 14 inserts the code. However, the present invention is not limited to this. The present invention can be similarly applied to a technique in which only monitoring and determination by the program monitoring unit 13 are performed and no code is inserted in the code insertion unit 14.

[Effect of Example 3]
As described above, according to the third embodiment, in addition to the effects of the first and second embodiments, by using information read into a virtual CPU provided by the virtual machine, the guest OS or the application can be used. Monitors special instructions executed when a system call is issued and monitors the issue of the system call, so it is easy to collect information about the guest software after accurately understanding the events in the guest software. Is possible.

  In addition, as the information collection code, for the monitored system call, an information collection code that describes an instruction to collect one or more of the process that issued the system call, the system call number, and the argument passed to the system call Is inserted into the memory space, it is possible to easily collect information about the guest software after accurately grasping the events inside the guest software.

  So far, as Example 3, an example of a method of using the information collection system according to the present invention as a “malware detection system that detects execution of malware in guest software by monitoring system calls called by guest software” I have explained. In the fourth embodiment, the information collection system according to the present invention is further used as a “malware detection system that detects the execution of malware by performing a similar inspection when returning from a guest software system call”. An example will be described. The execution control unit 16 also corresponds to “system call information acquisition means” recited in the claims.

[Processing Procedure of Information Collection System According to Embodiment 4]
The processing procedure of the information collection system according to the fourth embodiment will be described with reference to FIG. FIG. 11 is a flowchart of a process procedure performed by the information collection system according to the fourth embodiment.

  First, as in the third embodiment, the program monitoring unit 13 of the information collecting unit 10 monitors the calling of system calls (step S401). Then, as in the third embodiment, the program monitoring unit 13 determines whether or not a privileged instruction has been executed (step S402). If the privileged instruction is not executed (No at Step S402), the program monitoring unit 13 returns to the process of monitoring the call of the system call.

  On the other hand, when the privileged instruction is executed (Yes at Step S402), the execution control unit 16 stores information related to the system call in the storage unit (Step S403). Specifically, the execution control unit 16 stores, as information related to the system call, for example, a process that called the system call, a system call number, an argument when the system call is called, a memory state, and the like.

  Subsequently, the program monitoring unit 13 of the information collecting unit 10 monitors the return from the system call (step S404). Then, the program monitoring unit 13 determines whether or not a privileged instruction for ending the system call has been executed (step S405). If the privileged instruction has not been executed (No at Step S405), the program monitoring unit 13 returns to the process of monitoring the return from the system call. Note that the program monitoring unit 13 may monitor and determine whether or not the execution authority has been changed, instead of a method of determining whether or not a privileged instruction for ending the system call has been executed.

  On the other hand, when a privileged instruction for ending the system call is executed (or catching the transition of the authority of the guest software, such as when the execution authority changes) (Yes in step S405), the execution control unit 16 The snapshot is saved (step S406). The execution control unit 16 may acquire a part of the registry data 15a, the disk data 15b, the stack data 15c, the heap area data 15d, or the like as a snapshot.

  Subsequently, the code insertion unit 14 of the information collection unit 10 inserts a survey code (step S407). Specifically, the code insertion unit 14 inserts a survey code for collecting guest software information into the memory space of the virtual machine. As a result, the code insertion unit 14 collects information such as the memory state of the guest software.

  Then, the code insertion unit 14 of the information collection unit 10 performs pattern matching and determines whether there is an abnormality in the state of the guest software (step S408). Specifically, the code insertion unit 14 additionally uses the information related to the system call stored in the storage unit in step S403 and the guest software information collected in step S407. It is determined whether or not there is an abnormality in the state of the guest software by matching the signature stored in the pattern DB 11. When it is determined that there is no abnormality (No at step S408), the execution control unit 16 restores the guest software execution state using the snapshot stored in the snapshot data storage unit 15, The software is executed (step S409), and the process returns to step S401.

  On the other hand, if it is determined that there is an abnormality (Yes at step S408), then, as in the third embodiment, the code insertion unit 14 transmits an alert (step S410), or takes measures depending on the operation policy. (Step S411) The execution control unit 16 restores the execution state of the guest software using the snapshot stored in the snapshot data storage unit 15, executes the guest software (Step S412), and Step S401. Return to.

  As described above, the information collection system according to the fourth embodiment collects information on the memory and disk of the “virtual machine” used by the guest software without accurately knowing where the necessary information is arranged. Since it can be collected, it is possible to easily collect information about guest software.

  In the fourth embodiment, when the information collection system first monitors the call of the system call and the return from the system call in the program monitoring unit 13 and determines that the privileged instruction is executed, the code is inserted. Although the method of inserting a code in the unit 14 has been described, the present invention is not limited to this. The present invention can be similarly applied to a technique in which only monitoring and determination by the program monitoring unit 13 are performed and no code is inserted in the code insertion unit 14.

  In the fourth embodiment, the information collection system monitors the return from the system call in the program monitoring unit 13 and determines that the privileged instruction for ending the system call has been executed. The method for inserting a code has been described in the above, but the present invention is not limited to this. It is also possible to combine with the method by the information collection system which concerns on Example 3. FIG. That is, the program monitoring unit 13 monitors the call of the system call, and after determining that the privileged instruction for calling the system call has been executed, first, the code insertion unit 14 inserts the code, and then the system call Even after determining that the privileged instruction for ending the system call has been executed, the code insertion unit 14 may insert a code multiple times, such as inserting a code.

[Effect of Example 4]
As described above, according to the fourth embodiment, in addition to the effects of the first to third embodiments, information at the time of issuing a monitored system call is acquired, and information is further collected using the acquired information. Therefore, it becomes possible to easily collect information about the guest software after grasping the events inside the guest software.

  So far, examples 3 and 4 have described an example of a method of using the information collection system according to the present invention as a malware detection system that detects execution of malware in association with a system call. In the fifth embodiment, an example of a technique of using the information collection system according to the present invention as a “malware detection system that detects execution of malware by monitoring a system call history called by guest software” will be described. .

  First, the configuration of the information collection system according to the fifth embodiment will be described with reference to FIG. FIG. 12 is a block diagram illustrating a configuration of an information collection unit (malware detection system) in the fifth embodiment. As shown in FIG. 12, the information collecting unit 10 in the fifth embodiment is different from the information collecting unit 10 in the second to fourth embodiments in that a system call history DB 17 is added.

  The pattern DB 11 according to the fifth embodiment stores one or more characteristic system call sequences of malware for determining whether or not it is malware as a signature. Specifically, the pattern DB 11 stores one or more signatures in advance by, for example, being registered in advance by a user of the information collection system, and the stored signature is processed by the code insertion unit 14. Used.

  For example, the pattern DB 11 stores in advance a signature as shown in FIG. Among the signatures shown in FIG. 13, “signature 3” is an example of the signature of the system call sequence. Two types of usage can be considered for the signature of the system call sequence stored in the pattern DB 11. One is a technique in which a dangerous system call sequence is provided as a signature, and is judged dangerous when it is matched. The other is a method in which a sequence of system calls in a normal state is provided as a signature, and it is determined to be dangerous when a call sequence different from the signature occurs.

  In the fifth embodiment, the execution control unit 16 obtains a snapshot and restores the execution state of the guest software, as well as the second to fourth embodiments. Store in the call history DB 17.

[Processing Procedure of Information Collection System According to Embodiment 5]
Next, a processing procedure of the information collection system according to the fifth embodiment will be described with reference to FIG. FIG. 14 is a flowchart of a process procedure performed by the information collection system according to the fifth embodiment.

  First, as in the third embodiment, the program monitoring unit 13 of the information collecting unit 10 monitors the calling of a system call (step S501). Then, as in the third embodiment, the program monitoring unit 13 determines whether or not a privileged instruction has been executed (step S502). When the privileged instruction is not executed (No at Step S502), the program monitoring unit 13 returns to the process of monitoring the call of the system call.

  On the other hand, when the privileged instruction is executed (Yes at Step S502), the execution control unit 16 saves the snapshot (Step S503) as in the third embodiment. The execution control unit 16 may acquire a part of the registry data 15a, the disk data 15b, the stack data 15c, the heap area data 15d, or the like as a snapshot.

  Then, the execution control unit 16 of the information collection unit 10 stores the system call information called in step S501 in the system call history DB 17 (step S504).

  Subsequently, the code insertion unit 14 of the information collection unit 10 inserts a survey code (step S505). Specifically, the code insertion unit 14 inserts a survey code for collecting guest software information into the memory space of the virtual machine. As a result, the code insertion unit 14 collects information such as argument information of the system call.

  Then, the code insertion unit 14 performs pattern matching and determines whether or not the guest software state is abnormal (step S506). Specifically, the code insertion unit 14 additionally uses the system call information (system call sequence or the like) stored in the storage unit in step S504 or the guest software information collected in step S505. Then, by matching these information with the signature stored in the pattern DB 11, it is determined whether or not the guest software state is abnormal. When it is determined that there is no abnormality (No at step S506), the execution control unit 16 restores the guest software execution state using the snapshot stored in the snapshot data storage unit 15, The software is executed (step S507), and the process returns to step S501.

  On the other hand, if it is determined that there is an abnormality (Yes in step S506), then, as in the third embodiment, the code insertion unit 14 transmits an alert (step S508) or takes measures depending on the operation policy. (Step S509), the execution control unit 16 restores the execution state of the guest software using the snapshot stored in the snapshot data storage unit 15, and executes the guest software (Step S510). Return to.

  As described above, the information collection system according to the fifth embodiment collects information on the memory and disk of the “virtual machine” used by the guest software without accurately knowing where the necessary information is arranged. Since it can be collected, it is possible to easily collect information about guest software.

  In the fifth embodiment, when the information collection system first monitors the system call invocation in the program monitoring unit 13 and determines that the privileged instruction is executed, the code insertion unit 14 inserts the code. However, the present invention is not limited to this. The present invention can be similarly applied to a technique in which only monitoring and determination by the program monitoring unit 13 are performed and no code is inserted in the code insertion unit 14.

[Other embodiments]
Various embodiments of the present invention have been described so far, but the present invention may be implemented in various different forms other than the above-described embodiments.

[System configuration, etc.]
So far, as the first to fifth embodiments, the configuration example in which the information collection unit in the present invention is implemented in the virtual machine (VMM) as the information collection module (guest software monitoring module) has been described (see FIG. 1). ), The present invention is not limited to such a configuration. For example, as illustrated in FIG. 15, in a state where a plurality of guest OSs are operating on a virtual machine, the information collection unit according to the present invention is configured as an application including an information collection module, The configuration example implemented in a different OS (in FIG. 15, another guest OS), or as shown in FIG. 16, the information collection unit according to the present invention is implemented in the host OS as an application including an information collection module. The present invention can be similarly applied to a configuration example.

  In addition, among the processes described in this embodiment, all or part of the processes described as being performed automatically can be performed manually, or the processes described as being performed manually can be performed. All or a part can be automatically performed by a known method. In addition, the processing procedure, control procedure, specific name, and information including various data and parameters shown in the above-described document and drawings can be arbitrarily changed unless otherwise specified.

  Each component of each device illustrated (for example, FIG. 2 and the like) is functionally conceptual, and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured. Further, all or any part of each processing function performed in each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.

  The information collection method described in this embodiment can be realized by executing a program prepared in advance on a computer such as a personal computer or a workstation. This program can be distributed via a network such as the Internet. The program can also be executed by being recorded on a computer-readable recording medium such as a hard disk, a flexible disk (FD), a CD-ROM, an MO, and a DVD and being read from the recording medium by the computer.

  As described above, the information collection system and the information collection method according to the present invention provide information on guest software (guest OS, application installed in the guest OS) in a configuration in which the guest OS is installed in the virtual machine. It is useful for collecting information, and is particularly suitable for easily collecting information about guest software.

BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a diagram for explaining an overview and characteristics of an information collection system according to a first embodiment. It is a block diagram which shows the structure of the information collection part (attack detection system) in Example 1. FIG. It is a figure for demonstrating pattern DB. It is a figure for demonstrating an information collection module library. It is a figure for demonstrating an information collection code. 5 is a flowchart illustrating a processing procedure performed by the information collection system according to the first embodiment. It is a block diagram which shows the structure of the information collection part (malware detection system) in Example 2. FIG. It is a figure for demonstrating a snapshot data storage part. 12 is a flowchart illustrating a processing procedure performed by the information collection system according to the second embodiment. 12 is a flowchart illustrating a processing procedure performed by the information collection system according to the third embodiment. 10 is a flowchart illustrating a processing procedure performed by an information collection system according to a fourth embodiment. It is a block diagram which shows the structure of the information collection part (malware detection system) in Example 5. FIG. It is a figure for demonstrating pattern DB in Example 5. FIG. 10 is a flowchart illustrating a processing procedure performed by an information collection system according to a fifth embodiment. It is a block diagram which shows the structure of the information collection system which concerns on Example 6. FIG. It is a block diagram which shows the structure of the information collection system which concerns on Example 6. FIG.

Explanation of symbols

100 Virtual Machine 10 Information Collection Unit 11 Pattern DB
DESCRIPTION OF SYMBOLS 12 Information collection module library 12a Information collection module 12b Guest software library search part 12c Guest software library execution part 13 Program monitoring part 14 Code insertion part 15 Snapshot data preservation | save part 15a Registry data 15b Disk data 15c Stack data 15d Heap area data 16 Execution Control unit 17 System call history DB
20 Virtual resources 30 Guest OS
31 Application 200 Host OS

Claims (14)

A guest OS, which is an OS that operates on virtual hardware provided by the virtual machine, is installed in a virtual machine that is virtually created by being installed in a host OS, which is an OS that operates on the computer hardware. Is an information collection system that collects information on the guest OS and / or an application installed on the guest OS in a configuration in which is installed.
If the information collection target is a guest OS, it operates on an OS different from the guest OS. If the information collection target is an application, the information is collected on an OS different from the guest OS on which the application is installed. Equipped with operating information gathering means,
The information collecting means includes
An instruction for acquiring information read by a virtual CPU provided by the virtual machine, grasping the code that the guest OS or the application intends to execute, and collecting the information of the grasped code is described. The information collection code is replaced with the information collection code in the memory space where the code is executed by the guest OS or application to be collected, so that the information collection code is executed in the guest OS or application. A code insertion means for inserting
An execution result collecting means for collecting the information by collecting an execution result of the information collection code executed by the guest OS or the application;
An information collection system characterized by comprising:   The code insertion means inserts, as the information collection code, an information collection code in which an instruction to collect the information using a library and / or program in the guest OS or the application is described in the memory space The information collecting system according to claim 1, wherein:   The code insertion means describes an instruction for resolving the abnormality as the information collection code when abnormality is confirmed in the guest OS or the application from the information collected by the execution result collection means. The information collection system according to claim 1, wherein the information collection code thus inserted is further inserted into the memory space. The information collecting means includes
Byte sequence storage means for storing a predetermined byte sequence in advance;
Monitor the code block executed by the guest OS or the application by acquiring information read by the virtual CPU provided by the virtual machine and grasping the code that the guest OS or the application intends to execute Code block monitoring means to perform,
Inspection means for inspecting whether the code block monitored by the code block monitoring means matches a predetermined byte string stored by the byte string storage means;
The information collecting system according to claim 1, further comprising: The information collecting means includes
By using the information read into the virtual CPU provided by the virtual machine, the guest OS or the application monitors the special instruction executed when issuing the system call to monitor the issue of the system call. The information collection system according to claim 1, further comprising a special command monitoring unit that performs the operation.   The code insertion means, as the information collection code, for a system call monitored by the special instruction monitoring means, any one of a process that issued the system call, a system call number, and an argument passed to the system call, 6. The information collecting system according to claim 5, wherein an information collecting code in which an instruction for collecting a plurality of instructions is described is inserted into the memory space. The information collecting means includes
Further comprising system call information acquisition means for acquiring information when a system call monitored by the special instruction monitoring means is issued;
The information collection system according to claim 5, wherein the execution result collection unit collects the information by further using the information acquired by the system call information acquisition unit. The information collecting means includes
Snapshot acquisition means for acquiring a snapshot of the execution state of the guest OS or the application triggered by a predetermined behavior of the guest OS or the application;
Execution resuming means for resuming execution of the guest OS or the application using the snapshot acquired by the snapshot acquisition means;
The information collection system according to claim 1, further comprising: The information collecting means includes
The information collected by the said execution result collection means is further provided to the guest OS or the said application, and / or the software other than the said guest OS or the said application, The information transmission means characterized by the above-mentioned. The information collection system as described in any one of 1-8. A guest OS, which is an OS that operates on virtual hardware provided by the virtual machine, is installed in a virtual machine that is virtually created by being installed in a host OS, which is an OS that operates on the computer hardware. Is an information collection system that collects information on the guest OS and / or an application installed on the guest OS in a configuration in which is installed.
If the information collection target is a guest OS, it operates on an OS different from the guest OS. If the information collection target is an application, the information is collected on an OS different from the guest OS on which the application is installed. Equipped with operating information gathering means,
The information collecting means includes
Byte sequence storage means for storing a predetermined byte sequence in advance;
Monitor the code block executed by the guest OS or the application by acquiring information read by the virtual CPU provided by the virtual machine and grasping the code that the guest OS or the application intends to execute Code block monitoring means to perform,
Inspection means for inspecting whether the code block monitored by the code block monitoring means matches a predetermined byte string stored by the byte string storage means;
An information collection system characterized by comprising: A guest OS, which is an OS that operates on virtual hardware provided by the virtual machine, is installed in a virtual machine that is virtually created by being installed in a host OS, which is an OS that operates on the computer hardware. Is an information collection system that collects information on the guest OS and / or an application installed on the guest OS in a configuration in which is installed.
If the information collection target is a guest OS, it operates on an OS different from the guest OS. If the information collection target is an application, the information is collected on an OS different from the guest OS on which the application is installed. Equipped with operating information gathering means,
The information collecting means includes
By using the information read into the virtual CPU provided by the virtual machine, the guest OS or the application monitors the special instruction executed when issuing the system call to monitor the issue of the system call. An information collection system comprising special instruction monitoring means for performing A guest OS, which is an OS that operates on virtual hardware provided by the virtual machine, is installed in a virtual machine that is virtually created by being installed in a host OS, which is an OS that operates on the computer hardware. Is an information collection method for collecting information related to the guest OS and / or an application installed in the guest OS,
If the information collection target is a guest OS, it operates on an OS different from the guest OS. If the information collection target is an application, the information is collected on an OS different from the guest OS on which the application is installed. Including a working information gathering process,
The information collecting step includes
An instruction for acquiring the information read by the virtual CPU provided by the virtual machine, grasping the code that the guest OS or the application intends to execute, and collecting the information of the grasped code is described. The information collection code is replaced with the information collection code in the memory space where the code is executed by the guest OS or application to be collected, so that the information collection code is executed in the guest OS or application. A code insertion process for inserting
An execution result collection step for collecting the information by collecting an execution result of the information collection code executed by the guest OS or the application;
An information collection method characterized by including A guest OS, which is an OS that operates on virtual hardware provided by the virtual machine, is installed in a virtual machine that is virtually created by being installed in a host OS, which is an OS that operates on the computer hardware. Is an information collection method for collecting information related to the guest OS and / or an application installed in the guest OS,
If the information collection target is a guest OS, it operates on an OS different from the guest OS. If the information collection target is an application, the information is collected on an OS different from the guest OS on which the application is installed. Including a working information gathering process,
The information collecting step includes
Monitor the code block executed by the guest OS or the application by acquiring information read by the virtual CPU provided by the virtual machine and grasping the code that the guest OS or the application intends to execute A code block monitoring process to perform,
An inspection step of checking whether the code block monitored by the code block monitoring step matches a predetermined byte sequence stored by a byte sequence storage unit that stores a predetermined byte sequence in advance;
An information collection method characterized by including A guest OS, which is an OS that operates on virtual hardware provided by the virtual machine, is installed in a virtual machine that is virtually created by being installed in a host OS, which is an OS that operates on the computer hardware. Is an information collection method for collecting information related to the guest OS and / or an application installed in the guest OS,
If the information collection target is a guest OS, it operates on an OS different from the guest OS. If the information collection target is an application, the information is collected on an OS different from the guest OS on which the application is installed. Including a working information gathering process,
The information collecting step includes
By using the information read into the virtual CPU provided by the virtual machine, the guest OS or the application monitors the special instruction executed when issuing the system call to monitor the issue of the system call. An information collecting method characterized by including a special command monitoring step.

Images