CN104715201B - A kind of virtual machine malicious act detection method and system - Google Patents

A kind of virtual machine malicious act detection method and system

Publication number: CN104715201B
Application number: CN201510149761.8A
Authority: CN (China)
Other versions: CN104715201A
Original language: Chinese (zh)
Inventor: 罗凯
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Current assignee: Beijing Qihoo Technology Co Ltd
Legal status: Active
Prior art keywords: virtual machine, target virtual machine, target, network connection, domain
Abstract

The invention discloses a virtual machine malicious behavior detection method and system. The method includes: monitoring process creation and exit events in a target virtual machine and maintaining a trusted process list that records the processes actually running in the target virtual machine; traversing the data structures that record process information in the target virtual machine to obtain an untrusted process list of the processes recorded there; and comparing the trusted process list with the untrusted process list to identify hidden processes in the target virtual machine. It further includes: capturing the packets entering and leaving the target virtual machine and, from the captured packets, determining the currently active network connections in the target virtual machine and the processes they belong to; reconstructing, from outside the target virtual machine, the relevant information about those active connections and their owning processes; and analyzing the reconstructed information to identify parasitic processes in the target virtual machine. The technical scheme can detect both hidden processes and parasitic processes in a virtual machine.

Description

A kind of virtual machine malicious act detection method and system
Technical field
The present invention relates to the field of computer technology, and in particular to a virtual machine malicious behavior detection method and system.
Background art
Virtualization technology virtualizes IT resources such as computing, storage and networking, and is the foundation on which the cloud computing industry has grown rapidly. The virtual machine (Virtual Machine) is the most basic form of service that a cloud environment offers externally: cloud service providers supply individual virtual machines, or virtual networks built from several virtual machines, to individual and organizational users, meeting their demand for easily maintained, highly available and elastic cloud services. In a virtualized environment the service is delivered to the user in the form of a virtual machine. From outside the virtual machine, the cloud service provider can only use interfaces such as Libvirt to obtain information about the allocation and use of resources such as the target virtual machine's CPU, memory, disk and network; it cannot monitor the virtual machine at the granularity of the processes running inside it. Once a virtual machine is controlled by malware implanted by an attacker, it becomes a serious threat to the security of the other virtual machines in the same virtual network and even to the security and stability of the cloud platform itself. Runtime security monitoring of virtual machines has therefore become a joint requirement of cloud service providers and their users. Current techniques for monitoring virtual machine malicious behavior have the following problems:
1. Many security monitoring tools rely on an agent inside the virtual machine to bridge the semantic gap. This breaks the isolation of the virtualization architecture to some degree, and it also prevents the security tool from being transparent to the virtual machine;
2. Current monitoring of virtual machine malicious behavior concentrates on the stealth characteristics of malware, and is of limited use against the now mainstream process-less, port-less and file-less malware behaviors;
3. Malware behavior on the network side and on the host side is rarely considered together, and network-level anomaly detection is mostly performed at the granularity of host network flows, which is too coarse.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a virtual machine malicious behavior detection method and system that overcome, or at least partly solve, the above problems.
According to one aspect of the present invention, a virtual machine malicious behavior detection method is provided. The method includes:
monitoring process creation and exit events in a target virtual machine, and maintaining a trusted process list that records the processes actually running in the target virtual machine; traversing the data structures that record process information in the target virtual machine to obtain one or more untrusted process lists of the processes recorded in the target virtual machine; and comparing the trusted process list with the untrusted process lists to identify hidden processes in the target virtual machine;
capturing the packets entering and leaving the target virtual machine and, from the captured packets, determining the currently active network connections in the target virtual machine and the processes they belong to; reconstructing, outside the target virtual machine, the relevant information about the currently active network connections and their owning processes; and analyzing the reconstructed information to identify parasitic processes in the target virtual machine.
Optionally, process creation and process exit events in the target virtual machine are monitored in the Xen kernel layer, and the management domain, Domain 0, is notified; in Domain 0, the trusted process list is maintained according to the notifications of process creation and exit events, one or more untrusted process lists are obtained, and hidden processes in the target virtual machine are identified by comparing the trusted process list with the untrusted process lists; the packets entering and leaving the target virtual machine are captured at the virtual bridge of Domain 0; and the relevant information about the currently active network connections and their owning processes is reconstructed in Domain 0, where parasitic processes in the target virtual machine are identified by analyzing the reconstructed information.
Optionally, reconstructing, outside the target virtual machine, the relevant information about the currently active network connections and their owning processes includes: obtaining that information by calling the interface functions and the configuration-file mechanism provided by the Libvmi library.
Optionally, reconstructing, outside the target virtual machine, the relevant information about the currently active network connections and their owning processes includes obtaining the relevant content of a target process from the memory of the target virtual machine, specifically: using Libvmi to map the memory address space of the target process of the target virtual machine into the memory address space of Domain 0, so as to provide address-space support for the Volatility framework; generating, on the basis of the Volatility framework, a script that reads and analyzes the memory of the target virtual machine at runtime; and having the script obtain the relevant content of the target process through the mapped Domain 0 memory address space.
Optionally, communication between the Xen kernel layer and the Domain 0 layer is implemented as follows: on the basis of the __HYPERVISOR_domctl hypercall provided by the Xen kernel, and of the Xen kernel's mechanism of defining a parameter-passing data structure for each operation, a communication operation for process creation and exit events between Domain 0 and the Xen kernel, together with the corresponding parameter-passing data structure, is added to the Xen kernel; the Xen kernel layer and the Domain 0 layer then communicate through the added communication operation and parameter-passing data structure.
Optionally, the method further includes: setting up a message queue; after the packets entering and leaving the target virtual machine have been captured and processed, putting the resulting data into the message queue;
extracting data from the message queue and processing the extracted data, which includes: determining the currently active network connections in the target virtual machine and their owning processes, reconstructing outside the target virtual machine the relevant information about those connections and processes, and identifying parasitic processes in the target virtual machine by analyzing the reconstructed information.
Optionally, capturing and processing the packets entering and leaving the target virtual machine and putting the resulting data into the message queue includes: a first group of producer coroutines captures the packets entering and leaving the target virtual machine, extracts connection summary information and puts it into a first task queue; a first group of consumer coroutines takes connection summary information from the first task queue and, after completing the relevant processing, sends the resulting data to the message queue; and/or extracting data from the message queue and processing it includes: a second group of producer coroutines listens on the message queue and puts the data taken from it into a second task queue; a second group of consumer coroutines takes data from the second task queue and processes it.
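The two-stage queue arrangement of the preceding optional features, as an added example that is not the patent's own code: an asyncio implementation of the sniffer-side producer/consumer coroutine group, the message queue, and the detector-side producer/consumer group. The packet tuples, the OWNERS connection table, the ALLOWED rules and the summarize/analyze functions are constructed stand-ins; the patent's sniffer hands over raw frames, and its detector performs Libvmi-based introspection where analyze merely sleeps. The point the code makes is that the capture side only extracts a summary and never waits on the slow analysis, and that the groups are drained in order so no connection is lost at shutdown.

```python
import asyncio

SENTINEL = None  # end-of-stream marker handed to each worker in a group


async def run_pipeline(packets, summarize, analyze, n_sniff_consumers=2,
                       n_detect_consumers=2):
    """Two-stage producer/consumer pipeline joined by a message queue.

    Stage 1 (sniffer):  producer -> sniff_q -> sniff consumers -> msg_q
    Stage 2 (detector): msg_q -> detect producer -> detect_q -> detect consumers

    Capture only extracts a connection summary and never waits on the slow
    introspection done by `analyze`, so bursts at the virtual bridge back up
    in the queues instead of being dropped."""
    sniff_q, msg_q, detect_q = asyncio.Queue(), asyncio.Queue(), asyncio.Queue()
    published, verdicts = set(), []

    async def sniff_consumer():
        while True:
            summary = await sniff_q.get()
            if summary is SENTINEL:
                return
            if summary not in published:        # one message per connection
                published.add(summary)
                await msg_q.put(summary)

    async def detect_producer():
        while True:
            msg = await msg_q.get()
            if msg is SENTINEL:
                return
            await detect_q.put(msg)

    async def detect_consumer():
        while True:
            msg = await detect_q.get()
            if msg is SENTINEL:
                return
            verdicts.append(await analyze(msg))

    sniffers = [asyncio.create_task(sniff_consumer()) for _ in range(n_sniff_consumers)]
    relay = asyncio.create_task(detect_producer())
    detectors = [asyncio.create_task(detect_consumer()) for _ in range(n_detect_consumers)]

    for pkt in packets:                          # stage 1 producer: the bridge tap
        summary = summarize(pkt)
        if summary is not None:
            await sniff_q.put(summary)

    # Orderly drain: one sentinel per worker, stage by stage, so nothing is lost.
    for _ in sniffers:
        await sniff_q.put(SENTINEL)
    await asyncio.gather(*sniffers)
    await msg_q.put(SENTINEL)
    await relay
    for _ in detectors:
        await detect_q.put(SENTINEL)
    await asyncio.gather(*detectors)
    return sorted(verdicts)


VM_IP = "10.0.0.5"
# Constructed packets as (src_ip, src_port, dst_ip, dst_port); a real sniffer
# hands over raw frames and summarize() would parse them.
PACKETS = [
    ("10.0.0.5", 49152, "93.184.216.34", 443),
    ("93.184.216.34", 443, "10.0.0.5", 49152),   # reply packet, same connection
    ("10.0.0.5", 49153, "198.51.100.7", 4444),
    ("10.0.0.5", 49153, "198.51.100.7", 4444),   # retransmission
    ("10.0.0.9", 1234, "10.0.0.7", 80),           # another VM's traffic
]
# Constructed stand-ins for the reconstructed guest connection table and rules.
OWNERS = {49152: (1840, "iexplore.exe"), 49153: (2210, "notepad.exe")}
ALLOWED = {"iexplore.exe": {80, 443}, "notepad.exe": set()}


def summarize(pkt):
    """Normalize a packet to (local_port, remote_ip, remote_port) for this VM."""
    src_ip, src_port, dst_ip, dst_port = pkt
    if src_ip == VM_IP:
        return (src_port, dst_ip, dst_port)
    if dst_ip == VM_IP:
        return (dst_port, src_ip, src_port)
    return None


async def analyze(summary):
    """Stage 2 work: attribute the connection to a guest process (the
    introspection is simulated by a sleep) and match it against the rules."""
    local_port, remote_ip, remote_port = summary
    await asyncio.sleep(0.01)                   # stands in for Libvmi reads
    pid, image = OWNERS.get(local_port, (None, "<unknown>"))
    abnormal = remote_port not in ALLOWED.get(image, set())
    return (pid, image, remote_ip, remote_port, abnormal)


def detect(packets=PACKETS):
    return asyncio.run(run_pipeline(packets, summarize, analyze))


if __name__ == "__main__":
    for verdict in detect():
        print(verdict)
```

The deduplication lives in the sniffer consumers because that is the last place the cheap summary is still in hand; pushing every packet through to the detector would multiply the introspection cost by the packet count of each connection.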
Optionally, reconstructing outside the target virtual machine the relevant information about the currently active network connections and their owning processes, and identifying parasitic processes in the target virtual machine by analyzing the reconstructed information, includes:
reconstructing, outside the target virtual machine, the relevant information about the currently active network connections held by the processes in the target virtual machine; for each currently active network connection, matching its relevant information against the corresponding security detection rules to judge whether the connection is abnormal; and, if a network connection is judged abnormal, determining that the process owning that connection is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected;
and/or
for each target process in the target virtual machine, reconstructing the process management structure of that target process outside the target virtual machine, and analyzing the reconstructed process management structure to determine whether the target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected.
According to another aspect of the present invention, a virtual machine malicious behavior detection system is provided. The system includes:
a process behavior detection module, adapted to monitor process creation and exit events in the target virtual machine and to notify the security monitoring module;
a security monitoring module, adapted to maintain, according to the notifications of process creation and exit events, a trusted process list recording the processes actually running in the target virtual machine; to obtain one or more untrusted process lists of the processes recorded in the target virtual machine by traversing the data structures that record process information in the target virtual machine; and to identify hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process lists;
a sniffer, adapted to capture the packets entering and leaving the target virtual machine and, from the captured packets, to determine the currently active network connections in the target virtual machine and their owning processes;
a virtual machine introspection module, adapted to reconstruct, outside the target virtual machine, the relevant information about the currently active network connections and their owning processes;
the security monitoring module being further adapted to identify parasitic processes in the target virtual machine by analyzing the reconstructed information.
Optionally, the process behavior detection module is located in the Xen kernel layer; the security monitoring module is located in the management domain, Domain 0; the sniffer is located at the virtual bridge of Domain 0; and the virtual machine introspection module is located in Domain 0. The security monitoring module includes a hidden process detection module and a parasitic process detection module. The hidden process detection module is adapted to maintain the trusted process list according to the notifications of process creation and exit events, to obtain one or more untrusted process lists, and to identify hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process lists. The parasitic process detection module is adapted to identify parasitic processes in the target virtual machine by analyzing the reconstructed information.
Optionally, the virtual machine introspection module is adapted to obtain the relevant information about the currently active network connections and their owning processes by calling the interface functions and the configuration-file mechanism provided by the Libvmi library.
Optionally, the virtual machine introspection module is adapted to obtain the relevant content of a target process from the memory of the target virtual machine, specifically: using Libvmi to map the memory address space of the target process of the target virtual machine into the memory address space of Domain 0, so as to provide address-space support for the Volatility framework; generating, on the basis of the Volatility framework, a script that reads and analyzes the memory of the target virtual machine at runtime; and having the script obtain the relevant content of the target process through the mapped Domain 0 memory address space.
Optionally, on the basis of the __HYPERVISOR_domctl hypercall provided by the Xen kernel, and of the Xen kernel's mechanism of defining a parameter-passing data structure for each operation, a communication operation for process creation and exit events between Domain 0 and the Xen kernel, together with the corresponding parameter-passing data structure, is added to the Xen kernel;
the process behavior detection module in the Xen kernel layer and the security monitoring module in Domain 0 communicate through the added communication operation and parameter-passing data structure.
Optionally, the system further includes a message queue module, adapted to hold a message queue placed between the sniffer and the parasitic process detection module; the sniffer captures and processes the packets entering and leaving the target virtual machine and puts the resulting data into the message queue; the parasitic process detection module extracts data from the message queue and processes it.
Optionally, producer coroutines of the sniffer capture the packets entering and leaving the target virtual machine, extract connection summary information and put it into the sniffer's task queue; consumer coroutines of the sniffer take connection summary information from the sniffer's task queue and, after completing the relevant processing, send the resulting data to the message queue; and/or producer coroutines in the parasitic process detection module listen on the message queue and put the data taken from it into the task queue of the parasitic process detection module; consumer coroutines in the parasitic process detection module take tasks from that task queue and process them.
Optionally, the security monitoring module is further adapted to:
reconstruct, outside the target virtual machine, the relevant information about the currently active network connections held by the processes in the target virtual machine; for each currently active network connection, match its relevant information against the corresponding security detection rules to judge whether the connection is abnormal; and, if a network connection is judged abnormal, determine that the process owning that connection is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected;
and/or
for each target process in the target virtual machine, reconstruct the process management structure of that target process outside the target virtual machine, and analyze the reconstructed process management structure to determine whether the target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected.
In the technical scheme of the present invention, process creation and exit events in the target virtual machine are monitored and a trusted process list recording the processes actually running in the target virtual machine is maintained; the data structures that record process information in the target virtual machine are traversed to obtain one or more untrusted process lists, and the trusted and untrusted lists are compared to identify hidden processes; the packets entering and leaving the target virtual machine are captured and used to determine the currently active network connections and their owning processes, whose relevant information is reconstructed outside the target virtual machine and analyzed to identify parasitic processes. The scheme can detect both hidden and parasitic processes in a virtual machine without relying on an agent inside it: it is an external detection mode that does not affect the performance of the virtual machine and offers good transparency.
The above is only an overview of the technical solution of the present invention. So that the technical means of the present invention may be better understood and practiced according to the contents of the specification, and so that the above and other objects, features and advantages of the present invention become more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the present invention. Throughout the drawings, the same parts are denoted by the same reference numerals. In the drawings:
Fig. 1 shows a flowchart of a virtual machine malicious behavior detection method according to an embodiment of the present invention;
Fig. 2 shows a framework diagram of a virtual machine malicious behavior detection scheme according to an embodiment of the present invention;
Fig. 3 shows a design structure diagram of a virtual machine malicious behavior detection scheme according to an embodiment of the present invention;
Fig. 4 shows a sequence diagram of the reconstruction process in an embodiment of the present invention;
Fig. 5 shows a sequence diagram of the communication between Domain 0 and the Xen kernel according to an embodiment of the present invention;
Fig. 6 shows a schematic diagram of the delivery of captured packets according to an embodiment of the present invention;
Fig. 7 shows an implementation class diagram of process-level network behavior monitoring according to an embodiment of the present invention;
Fig. 8 shows an implementation class diagram of injection behavior monitoring according to an embodiment of the present invention;
Fig. 9 shows a structural diagram of a virtual machine malicious behavior detection system according to an embodiment of the present invention.
Embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set out here. Rather, these embodiments are provided so that the present disclosure will be understood more thoroughly and so that its scope is conveyed completely to those skilled in the art.
Fig. 1 shows a flowchart of a virtual machine malicious behavior detection method according to an embodiment of the present invention. As shown in Fig. 1, the method includes:
Step S110: monitor process creation and exit events in the target virtual machine and maintain a trusted process list that records the processes actually running in the target virtual machine; traverse the data structures that record process information in the target virtual machine to obtain one or more untrusted process lists of the processes recorded there; and compare the trusted process list with the untrusted process lists to identify hidden processes in the target virtual machine;
Step S120: capture the packets entering and leaving the target virtual machine and, from the captured packets, determine the currently active network connections in the target virtual machine and their owning processes; reconstruct, outside the target virtual machine, the relevant information about the currently active network connections and their owning processes; and identify parasitic processes in the target virtual machine by analyzing the reconstructed information.
The method shown in Fig. 1 can detect both hidden and parasitic processes in a virtual machine without relying on an agent inside it; it is an external detection mode that does not affect the performance of the virtual machine and offers good transparency.
In one embodiment of the present invention, in the method shown in Fig. 1, process creation and process exit events in the target virtual machine are monitored in the Xen kernel layer, and the management domain, Domain 0, is notified; in Domain 0, the trusted process list is maintained according to the notifications of process creation and exit events, one or more untrusted process lists are obtained, and hidden processes in the target virtual machine are identified by comparing the trusted process list with the untrusted process lists; the packets entering and leaving the target virtual machine are captured at the virtual bridge of Domain 0; and the relevant information about the currently active network connections and their owning processes is reconstructed in Domain 0, where parasitic processes in the target virtual machine are identified by analyzing the reconstructed information.
Xen runs between the hardware and the operating systems of the virtual machines. It manages the physical machine's resources such as CPU, memory and I/O devices in a unified way, builds them into a virtualized resource pool, and externally provides virtual infrastructure services, i.e. virtual machines, which share the hardware resources. Domain 0 is the management domain and has very high privilege.
Fig. 2 shows a framework diagram of a virtual machine malicious behavior detection scheme according to an embodiment of the present invention. Fig. 3 shows a design structure diagram of a virtual machine malicious behavior detection scheme according to an embodiment of the present invention. As shown in Figs. 2 and 3, the virtual machine malicious behavior monitoring technique is implemented in a Xen virtualized environment. The basic design consists of a control module, a virtual machine introspection module, a security monitoring module, a sniffer and a process behavior monitoring module. The functions of the modules and the relationships between them are as follows:
Process behavior monitoring module: located in the Xen kernel layer; it intercepts and forwards process creation and exit behavior in the virtual machine, maintains the shared memory used for parameter passing between the Xen kernel and Domain 0, and delivers the message that an event has occurred to the control module;
Control module: located in Domain 0; it provides the external interface for controlling the monitoring system. On receiving a monitoring request it completes the preparatory work, such as creating the shared memory and event channel between Domain 0 and the Xen kernel and setting up the network packet sniffer at the virtual bridge, and passes the request on to the security monitoring module;
Security monitoring module: obtains the monitoring request for a given virtual machine from the control module and the information about the traffic entering and leaving that virtual machine from the sniffer, and performs security checks on the processes that own the traffic according to the configured policy; here the virtual machine introspection module is needed to bridge the semantic gap;
Virtual machine introspection module: solves the problem of reconstructing the internal process view from outside the virtual machine, and provides the security monitoring module with interfaces for accessing the management structures inside the virtual machine and obtaining system API addresses.
The workflow of the virtual machine malicious behavior monitoring system proposed by the present invention is carried out jointly by the modules in the Domain 0 layer and in the Xen kernel layer. When the system is running, the network sniffer deployed at the virtual bridge intercepts the packets entering and leaving a given virtual machine; after processing them, the sniffer sends the four-tuple (src_ip, src_port, dst_ip, dst_port), representing source IP, source port, destination IP and destination port, to the security monitoring module, which then performs the following security state checks:
1) At runtime the security monitoring module monitors in real time the creation and exit of each process in the target virtual machine and maintains the trusted process list of the processes actually running inside the virtual machine; by comparing it with process lists obtained by other means it determines whether hidden processes are present;
2) According to the configured security policy, the security monitoring module checks whether a process that generates network behavior is a parasitic process injected by malware.
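An added example, not code from the patent, of what the sniffer and the security monitoring module do with the packets captured at the bridge: extract the (src_ip, src_port, dst_ip, dst_port) four-tuple from raw Ethernet/IPv4 frames, attribute each connection to the guest process that owns the VM-side endpoint, and judge the connection against security detection rules, marking the owner of an abnormal connection as a parasitic process as the claims describe. The VM address, the CONN_TABLE standing in for the connection table reconstructed from guest memory, the RULES, and the build_frame helper that produces the sample frames are all constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass(frozen=True)
class FourTuple:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_four_tuple(frame):
    """Extract (src_ip, src_port, dst_ip, dst_port) from a raw Ethernet frame as
    the bridge sniffer would. Returns None for frames carrying no IPv4 TCP/UDP
    segment (ARP, ICMP, truncated frames), which the sniffer simply drops."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                 # header length honours IP options
    proto = ip[9]
    if proto not in (PROTO_TCP, PROTO_UDP) or len(ip) < ihl + 4:
        return None
    src_port, dst_port = struct.unpack_from("!HH", ip, ihl)
    return FourTuple(str(ipaddress.IPv4Address(ip[12:16])), src_port,
                     str(ipaddress.IPv4Address(ip[16:20])), dst_port)


def attribute(ft, vm_ip, conn_table):
    """Map a four-tuple to the guest process owning the VM-side endpoint.
    conn_table stands in for the connection table reconstructed from guest
    memory: {(local_ip, local_port): (pid, image_name)}. Keying on the local
    end makes both directions of a connection resolve to the same process."""
    if ft.src_ip == vm_ip:
        local, remote = (ft.src_ip, ft.src_port), (ft.dst_ip, ft.dst_port)
    elif ft.dst_ip == vm_ip:
        local, remote = (ft.dst_ip, ft.dst_port), (ft.src_ip, ft.src_port)
    else:
        return None                          # not this VM's traffic
    owner = conn_table.get(local)
    return (owner, remote) if owner else None


def find_parasitic(frames, vm_ip, conn_table, rules):
    """Apply the security detection rules to every active connection.
    rules: {image_name: set of remote ports the image may legitimately contact}.
    A process absent from the rules, or contacting a port outside its allowed
    set, is judged abnormal and its owner reported as a parasitic process.
    Returns {(pid, image): sorted list of abnormal (remote_ip, remote_port)}."""
    seen, findings = set(), {}
    for frame in frames:
        ft = parse_four_tuple(frame)
        if ft is None:
            continue
        hit = attribute(ft, vm_ip, conn_table)
        if hit is None:
            continue
        (pid, image), remote = hit
        if (pid, remote) in seen:            # one verdict per connection
            continue
        seen.add((pid, remote))
        if remote[1] not in rules.get(image, set()):
            findings.setdefault((pid, image), []).append(remote)
    return {k: sorted(v) for k, v in findings.items()}


def build_frame(src_ip, src_port, dst_ip, dst_port, proto=PROTO_TCP):
    """Constructed test frame: Ethernet + minimal IPv4 header + L4 header whose
    first four bytes are the source and destination ports."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    l4 = struct.pack("!HH", src_port, dst_port) + b"\x00" * 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + l4


VM_IP = "10.0.0.5"
CONN_TABLE = {                               # constructed reconstructed view
    ("10.0.0.5", 49152): (1840, "iexplore.exe"),
    ("10.0.0.5", 49153): (2210, "notepad.exe"),
    ("10.0.0.5", 49154): (1840, "iexplore.exe"),
}
RULES = {"iexplore.exe": {80, 443}, "notepad.exe": set()}   # constructed policy
FRAMES = [
    build_frame("10.0.0.5", 49152, "93.184.216.34", 443),
    build_frame("93.184.216.34", 443, "10.0.0.5", 49152),    # reply, same conn
    build_frame("10.0.0.5", 49153, "198.51.100.7", 4444),    # notepad.exe out
    build_frame("10.0.0.5", 49154, "198.51.100.7", 4444),    # iexplore.exe, odd port
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,               # ARP frame, ignored
]

if __name__ == "__main__":
    for proc, remotes in find_parasitic(FRAMES, VM_IP, CONN_TABLE, RULES).items():
        print("parasitic process", proc, "abnormal connections", remotes)
```

Attribution is done on the VM-side endpoint rather than on the full four-tuple so that the reply direction of a connection lands on the same process; a rule set keyed by image name is the simplest form of the "security detection rules" in the claims, and a richer policy would also look at the remote address and at whether the image is expected to have any network activity at all.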
The virtual machine introspection module is the basis on which the monitoring functions are implemented outside the virtual machine. It provides the parasitic process detection module and the hidden process detection module above it with interfaces for obtaining the internal management structures of the virtual machine and the addresses of specified operating system APIs.
In one embodiment of the present invention, reconstructing outside the target virtual machine the relevant information about the currently active network connections and their owning processes, in step S120 of the method shown in Fig. 1, includes: obtaining that information by calling the interface functions and the configuration-file mechanism provided by the Libvmi library.
Libvmi provides a number of basic interfaces for accessing a specified address space in a virtual machine. The commonly used interface functions and their purposes are shown in Table 1:
Interface name               Function
vmi_init                     Create a Libvmi connection and initialize the related data structures
vmi_destroy                  Close the Libvmi connection and release the related resources
vmi_get_offset               Obtain the offset of a specific data structure member from the configuration file libvmi.conf
vmi_read_addr_va             Read the content at a specified virtual address of a target virtual machine process
vmi_read_addr_pa             Read the content at a specified physical address of the target virtual machine
vmi_read_str_va              Read the string at a specified virtual address of a target virtual machine process
windows_symbol_to_address    Convert an exported Windows variable or function name into its address in memory
Table 1
Libvmi uses a configuration file to define, for a specified virtual machine, a set of variable names and their values. These variables are very flexible: they can be the location of the debug file, the operating system type, the offsets of some important data structure members, and so on. Taking target virtual machines running Windows XP SP3 and Windows 7 SP1 as examples, the contents of the configuration file are shown in Table 2:
Table 2
Here win_pdbase corresponds to the offset of the DirectoryTableBase member of the _KPROCESS structure; win_pid to the offset of the UniqueProcessId member of the _EPROCESS structure; win_tasks to the offset of the ActiveProcessLinks member of _EPROCESS, the member that links the doubly linked list made up of _EPROCESS structures; win_pname to the offset of the ImageFileName member of _EPROCESS; and win_peb to the offset of the Peb member of _EPROCESS.
The semantic reconstruction functions are implemented on top of the above interface functions and configuration-file mechanism. The principle is explained below, taking the reconstruction of the EPROCESS linked list as an example:
The doubly linked list made up of EPROCESS structures holds much of the information about the processes running in the system, so reconstructing this data structure is of great significance for bridging the semantic gap. To make it easy to maintain the necessary information about the processes in the virtual machine in Domain 0, a structure ProcNode representing process information is implemented; it contains the relevant information about a process, such as its process id, EPROCESS address and page directory address. Its contents are shown in Table 3:
Table 3
Fig. 4 shows a sequence diagram of the reconstruction procedure in one embodiment of the invention. Referring to Fig. 4, it can be seen that the module outside the virtual machine provides the refresh_proc_list interface for obtaining the list of processes; in implementing this function it mainly calls interfaces provided by the libvmi library such as vmi_get_offset and vmi_read_addr_va.
In another embodiment of the invention, in step S120 of the method shown in Fig. 1, reconstructing outside the target virtual machine the currently active network connections and the related information of the processes they belong to includes: obtaining the related content of the target process in the memory of the target virtual machine, specifically: using Libvmi to map the memory address space corresponding to the target process of the target virtual machine into the memory address space of Domain 0, thereby providing address space support for the Volatility framework; generating, based on the Volatility framework, a script for analyzing and reading the memory of the target virtual machine at run time; and the script obtaining the related content of the target process through the mapped memory address space of Domain 0.
Volatility is a well-known open-source framework in the field of memory forensics. It supports the analysis and processing of memory dump files from systems such as Linux, Mac and Windows, and the plugin mechanism it provides simplifies secondary development on the framework. In embodiments of the invention, semantic reconstruction of the virtual machine's run-time memory data is implemented on the basis of this framework. In order for Volatility to support analysis of the virtual machine's memory at run time, embodiments of the invention use Libvmi to provide a compatible address space for Volatility. Libvmi is an open-source virtual machine introspection tool that the virtualization community provides to researchers; with it, reading and writing of a designated virtual machine's address space and monitoring of specific events can be implemented, and on that basis the reconstruction of the process management structures in the virtual machine. However, implementing that function requires reverse analysis of the system management structures of each type of operating system to determine the offsets of the target variables in the enclosing data structures, which lacks generality. Therefore the invention uses Libvmi only to map the designated virtual machine's address space into Domain 0 and to provide the address space function for the Volatility framework.
It can be seen from Fig. 2 that the biggest difference between the implementation of hidden process detection and that of parasitic process detection proposed in the embodiments of the invention is that hidden process detection requires the cooperation of Domain 0 and the Xen kernel part, so an event notification and information communication mechanism between the two needs to be implemented.
In an embodiment of the invention, implementing communication between the Xen kernel layer and the Domain 0 layer includes: based on the __HYPERVISOR_domctl hypercall provided by the Xen kernel and the mechanism by which the Xen kernel defines a data structure for parameter transfer for each operation, adding to the Xen kernel the communication operations between Domain 0 and the Xen kernel for process creation and process exit events, together with the corresponding parameter transfer data structures; the Xen kernel layer and the Domain 0 layer then communicate on the basis of the added communication operations and the corresponding parameter transfer data structures.
Specifically, in order for Domain 0 to control the process behavior detection module in the Xen kernel part, the __HYPERVISOR_domctl hypercall provided by the Xen kernel is used. This hypercall is the interface provided to the management domain for managing virtual machines; operations such as virtual machine creation (the corresponding parameter is XEN_DOMCTL_createdomain) and virtual machine destruction (the corresponding parameter is XEN_DOMCTL_destroydomain) are completed through this hypercall, and the Xen kernel defines a corresponding operation number and a data structure for parameter transfer for each operation. Based on this mechanism, the following new operation type and parameter transfer structure were added to the Xen kernel:
The dom_xen_comm data structure plays a very important role in communication between Domain 0 and the Xen kernel; it is the intermediate structure through which the two communicate with each other.
Fig. 5 shows a sequence diagram of communication between Domain 0 and the Xen kernel according to an embodiment of the invention. As shown in Fig. 5, Domain 0 requests monitoring of the process creation and exit events of a certain virtual machine, and the Xen kernel performs event notification and message transfer to Domain 0.
The trusted list of processes is established and maintained in Domain 0, so Domain 0 needs to receive the process creation/exit notification information transmitted by the Xen kernel. The communication data structure used for this is defined as follows:
Domain 0 can use the method described above to set up the page used for parameter transfer with the Xen kernel; struct nt_pro_info is the data structure used for the transfer. It can be seen that this data structure defines the type of event, the virtual machine ID corresponding to the event, and the page directory address that serves as the process identifier. The event handling part in Domain 0 performs the corresponding add or delete operation on the saved process linked list according to the event type.
In one embodiment of the invention, the hidden process detection method includes: intercepting process exit events in the designated virtual machine and intercepting process creation events in the designated virtual machine; according to the intercepted process exit and process creation events in the designated virtual machine, maintaining a trusted process list that records the processes genuinely running in the designated virtual machine; by traversing the related data structures that record the process information in the designated virtual machine, obtaining one or more untrusted process lists recording the processes in the designated virtual machine; and by comparing the trusted process list with the untrusted process lists, determining the hidden processes in the designated virtual machine.
Here, obtaining one or more untrusted process lists recording the processes in the designated virtual machine by traversing the related data structures that record the process information in the designated virtual machine includes: traversing one or more of the _EPROCESS data structures in the kernel address space, the PspCidTable handle table, or the csrss.exe handle table, thereby obtaining one or more groups of process information in the virtual machine; and generating the corresponding one or more untrusted process lists according to the groups of process information obtained.
Here, intercepting process exit events in the designated virtual machine includes: obtaining the process exit key location address, where the system's handling of a process exit always calls the NtTerminateProcess service routine in the kernel; after completing the operation of closing the process, the NtTerminateProcess service routine unlinks the address of the exiting process's _EPROCESS management structure from the linked list formed by the process management structures and releases it into a specified address, and this specified address is taken as the process exit key location address; and monitoring execution events at the process exit key location address: when the code at that address is called, it indicates that a process is about to terminate, and the address of the exiting process's _EPROCESS management structure is obtained from that address.
Here, obtaining the process exit key location address includes: obtaining the address of the NtTerminateProcess service routine, and obtaining the process exit key location address from the address of the NtTerminateProcess service routine. Obtaining the address of the NtTerminateProcess service routine includes: obtaining the address of the KeServiceDescriptorTable data structure; obtaining the address of the SSDT table from the KeServiceDescriptorTable data structure and determining the offset of the NtTerminateProcess service routine in the SSDT table; and obtaining the address of the NtTerminateProcess service routine at the specified offset in the SSDT table.
Here, obtaining the process exit key location address from the address of the NtTerminateProcess service routine includes: obtaining the address at offset 0x13c relative to the address of the NtTerminateProcess service routine; at this address the value of interest is held in the ecx register.
Here, monitoring execution events at the process exit key location address includes: when a virtual machine entry (VM_ENTRY) event occurs for the designated virtual machine: setting the address in a specified debug address register in the VCPU of the designated virtual machine to the process exit key location address; setting the execution control bit corresponding to that debug address register in the debug control register in the VCPU of the designated virtual machine; and setting the TRAP_debug control bit in the virtual machine control structure (VMCS) of the designated virtual machine; and when a virtual machine exit (VM_EXIT) event occurs for the designated virtual machine: if it is a debug exception event, determining whether the address that produced the exception is the process exit key location address, and if so reading the address of the exiting process's _EPROCESS management structure saved at the process exit key location.
Here, intercepting process creation events in the designated virtual machine includes: maintaining a currently running process list for the designated virtual machine; monitoring the process switch events that occur inside the designated virtual machine, and obtaining the value of the CR3 register in the VCPU of the designated virtual machine when such an event is detected, the value in the CR3 register being the related information of the process switched to; determining whether the obtained CR3 register value exists in the currently running process list, and if it does not, concluding that a process has been created and adding the obtained CR3 register value to the currently running process list; and when a process exit event in the designated virtual machine is intercepted, deleting the exiting process from the currently running process list.
Here, monitoring the process switch events that occur inside the designated virtual machine includes: setting the CPU_BASED_CR3_LOAD_EXITING control bit in the VMCS data structure of the designated virtual machine. This control bit is located in the processor-based VM-execution controls field of the VMCS and determines whether a virtual machine exit (VM_EXIT) event occurs when the virtual machine executes an instruction that moves to CR3, that is, a process switch.
Here, maintaining a trusted process list recording the processes genuinely running in the designated virtual machine includes: when a process creation event is intercepted in the designated virtual machine, determining whether the process is in the trusted process list and adding it if it is not; and when a process exit event is intercepted in the designated virtual machine, deleting the process from the trusted process list.
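The trusted-list maintenance and cross-view comparison described above, as an added example that is not the patent's code: the CR3 values, EPROCESS addresses and process names are constructed, and ProcNode mirrors the fields of Table 3.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ProcNode:
    """Process record kept in Domain 0 (cf. Table 3): pid, EPROCESS address,
    page directory base (DirectoryTableBase) and image name."""
    pid: int
    eprocess: int
    pdbase: int
    name: str


class TrustedProcessList:
    """Trusted list maintained in Domain 0 from Xen kernel notifications. As in
    struct nt_pro_info, a process is identified by its page directory address,
    which is the CR3 value observed on a process switch."""

    def __init__(self) -> None:
        self.running: Set[int] = set()

    def on_cr3_load(self, cr3: int) -> bool:
        """CR3 load intercepted via CPU_BASED_CR3_LOAD_EXITING: a value not yet
        in the list means a process was created. Returns True if added."""
        if cr3 in self.running:
            return False
        self.running.add(cr3)
        return True

    def on_process_exit(self, pdbase: int) -> bool:
        """Exit notification from the debug breakpoint at the NtTerminateProcess
        key location. Returns True if the process was known and removed."""
        if pdbase not in self.running:
            return False
        self.running.remove(pdbase)
        return True


def find_hidden_processes(trusted: TrustedProcessList,
                          views: Dict[str, List[ProcNode]]) -> Dict[int, List[str]]:
    """Cross-view comparison: a trusted process that an untrusted view does not
    list is hidden from that view. Returns pdbase -> names of the views missing it."""
    hidden: Dict[int, List[str]] = {}
    for pdbase in sorted(trusted.running):
        missing = [name for name, procs in views.items()
                   if pdbase not in {p.pdbase for p in procs}]
        if missing:
            hidden[pdbase] = missing
    return hidden


def demo() -> Dict[int, List[str]]:
    """Constructed scenario: four distinct CR3 loads (one repeated), one exit,
    then three untrusted views where one process was unlinked from the _EPROCESS list."""
    trusted = TrustedProcessList()
    for cr3 in (0x185000, 0x3A1000, 0x5C2000, 0x7F0000, 0x3A1000):
        trusted.on_cr3_load(cr3)
    trusted.on_process_exit(0x7F0000)  # this process terminated normally

    system = ProcNode(4, 0x823C8830, 0x185000, "System")
    csrss = ProcNode(584, 0x81F2E020, 0x3A1000, "csrss.exe")
    unlinked = ProcNode(1320, 0x81D0A7C8, 0x5C2000, "svchost.exe")
    views = {
        # DKOM-style hiding removes the node from the list but not from the handle tables
        "_EPROCESS list": [system, csrss],
        "PspCidTable": [system, csrss, unlinked],
        "csrss.exe handles": [system, csrss, unlinked],
    }
    return find_hidden_processes(trusted, views)
```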
In one embodiment of the invention, in the scheme for detecting parasitic processes in the virtual machine, introspection of the virtual machine is implemented on the basis of Volatility. A Libvmi-based introspection scheme can access, from outside the virtual machine, data at specified locations in the address space of a process inside it, but this scheme requires reverse analysis of each operating system to determine the offsets of the target data objects, which is inconvenient. Volatility, on the other hand, as a mature memory forensics framework, provides general support for each operating system type; the framework is implemented in Python, and the address space mechanism it provides gives it good extensibility. The invention uses Libvmi as the interface through which Volatility's address space is served, abstracting the virtual machine's run-time memory into Volatility's input file. Extending the address spaces supported by Volatility is accomplished by inheriting from the BaseAddressSpace class and implementing interfaces such as read, zread and get_available_addresses.
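An added illustration of the address-space extension point described above (not the patent's code and not Volatility's): BaseAddressSpace here is a stand-in so the block runs without Volatility installed, FakeVmi stands in for the libvmi page reads, and the guest pages are constructed.

```python
from typing import Dict, Iterator, Optional, Tuple

PAGE = 0x1000  # guest page size assumed for the example


class BaseAddressSpace:
    """Stand-in for Volatility's BaseAddressSpace: only names the interfaces
    the text lists, so the example runs without Volatility installed."""

    def read(self, addr: int, length: int) -> Optional[bytes]:
        raise NotImplementedError

    def zread(self, addr: int, length: int) -> bytes:
        raise NotImplementedError

    def is_valid_address(self, addr: int) -> bool:
        raise NotImplementedError

    def get_available_addresses(self) -> Iterator[Tuple[int, int]]:
        raise NotImplementedError


class FakeVmi:
    """Stand-in for the libvmi handle: constructed guest pages keyed by physical
    page base. An unmapped page behaves like a failed libvmi read."""

    def __init__(self, pages: Dict[int, bytes]) -> None:
        assert all(len(p) == PAGE for p in pages.values())
        self.pages = pages

    def read_pa(self, paddr: int, length: int) -> Optional[bytes]:
        """Read up to the end of one page; None if that page is not mapped."""
        base = paddr & ~(PAGE - 1)
        page = self.pages.get(base)
        if page is None:
            return None
        off = paddr - base
        return page[off:off + length]


class LibvmiAddressSpace(BaseAddressSpace):
    """Exposes the guest's run-time memory as a Volatility-style address space."""

    def __init__(self, vmi: FakeVmi) -> None:
        self.vmi = vmi

    def is_valid_address(self, addr: int) -> bool:
        return self.vmi.read_pa(addr, 1) is not None

    def _read(self, addr: int, length: int, zero_fill: bool) -> Optional[bytes]:
        out = bytearray()
        while length > 0:
            chunk = min(length, PAGE - (addr & (PAGE - 1)))  # never cross a page
            data = self.vmi.read_pa(addr, chunk)
            if data is None:
                if not zero_fill:
                    return None
                data = b"\x00" * chunk
            out += data
            addr += chunk
            length -= chunk
        return bytes(out)

    def read(self, addr: int, length: int) -> Optional[bytes]:
        """Strict read: None if any page in the range is unmapped."""
        return self._read(addr, length, zero_fill=False)

    def zread(self, addr: int, length: int) -> bytes:
        """Lenient read: unmapped bytes come back as zeros, which plugins rely on
        when walking sparse kernel structures."""
        return self._read(addr, length, zero_fill=True) or b""

    def get_available_addresses(self) -> Iterator[Tuple[int, int]]:
        """Yield (start, length) for each contiguous run of mapped pages."""
        bases = sorted(self.vmi.pages)
        i = 0
        while i < len(bases):
            start = bases[i]
            end = start + PAGE
            while i + 1 < len(bases) and bases[i + 1] == end:
                i += 1
                end += PAGE
            yield start, end - start
            i += 1


def build_demo_space() -> LibvmiAddressSpace:
    """Constructed guest: pages at 0x0, 0x1000 and 0x3000 are mapped, 0x2000 is not."""
    pages = {
        0x0000: bytes(range(256)) * 16,
        0x1000: b"\xaa" * PAGE,
        0x3000: b"\xbb" * PAGE,
    }
    return LibvmiAddressSpace(FakeVmi(pages))
```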
The parasitic process detection scheme proposed in the embodiments of the invention is driven by the network behavior of processes: parasitism detection is performed on the process producing network traffic only when a designated key process in the virtual machine produces network behavior. When the virtual machine produces increasing volumes of network traffic, a synchronous processing pattern of "packet, processing, next packet" causes a large amount of packet loss, and the long delay in handling the previous packet causes reconstruction of the process information belonging to the next packet to fail. For this, the embodiments of the invention propose the following solution:
A message queue is set up; after the packets entering and leaving the target virtual machine are intercepted and processed, the result data are placed in the message queue; data are extracted from the message queue and processed according to the data extracted, which includes: determining the currently active network connections in the target virtual machine and the processes they belong to, reconstructing outside the target virtual machine the currently active network connections and the related information of the processes they belong to, and determining the parasitic processes in the target virtual machine by analyzing the reconstructed related information.
Here, intercepting the packets entering and leaving the target virtual machine, processing them and placing the result data in the message queue includes: a first group of producer coroutines intercepts the packets entering and leaving the target virtual machine, extracts connection summary information and places it in a first task queue; a first group of consumer coroutines obtains the connection summary information from the first task queue, completes the related processing, and sends the result data to the message queue. Extracting data from the message queue and processing according to the extracted data includes: a second group of producer coroutines listens on the message queue and places the data obtained from it in a second task queue; a second group of consumer coroutines obtains the data from the second task queue and processes it.
Fig. 6 shows a schematic diagram of the transfer of intercepted packets according to an embodiment of the invention. Based on Fig. 6 there can be two packet transfer mechanisms:
(1) Intercepted packets are retained only in the sniffer, which implements the three basic functions of retaining intercepted packets, extracting connection summaries and detecting abnormal network connections of processes, and introduces lightweight coroutines for asynchronous event processing to improve processing efficiency. Producer coroutines intercept the network traffic of the target virtual machine at the virtual bridge, extract connection summary information and place it in the sniffer's task queue; consumer coroutines obtain the connection summaries from the task queue, complete the work of associating each with a process in the virtual machine and checking the legitimacy of the connection, and send the detection result or a request for further detection to the designated RabbitMQ message queue. So that the process belonging to a short-lived connection such as a UDP connection is extracted in time, this module uses a priority queue mechanism to ensure that connections of this type are handled first;
(2) The sniffer and the parasitic process detection module are loosely coupled: the two pass, through the RabbitMQ message queue mechanism, the safety status of the processes belonging to the network connections that need checking; the results of the sniffer's monitoring of network behavior, or the process information whose injection behavior is to be detected, reach the parasitic process detection module through the message queue. To improve the efficiency of parasitic process processing, coroutines are likewise used in the parasitic process detection module: producer coroutines listen on the designated RabbitMQ queue, obtain new tasks and place them in this module's task queue, and consumer coroutines obtain tasks from the task queue and process them.
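The two-stage coroutine pipeline with UDP-first priority from the passage above, as an added example that is not the patent's code: the packets are constructed, asyncio queues stand in for the RabbitMQ queue, and the process association and legitimacy check are one-line stand-ins.

```python
import asyncio
from dataclasses import dataclass, field
from typing import List, Tuple

Summary = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)

# Constructed packets as seen at the virtual bridge; real code would parse frames.
PACKETS: List[Summary] = [
    ("tcp", "10.0.0.5", 49152, "203.0.113.10", 443),
    ("udp", "10.0.0.5", 53000, "10.0.0.2", 53),
    ("tcp", "10.0.0.5", 49153, "198.51.100.7", 4444),
    ("udp", "10.0.0.5", 53001, "10.0.0.2", 53),
]


@dataclass(order=True)
class Task:
    priority: int            # 0 for UDP so short-lived connections are handled first
    seq: int                 # arrival order breaks ties
    summary: Summary = field(compare=False)


async def sniffer_producer(packets: List[Summary], task_q: asyncio.PriorityQueue) -> None:
    """First producer group: one connection summary per packet into the task queue."""
    for seq, pkt in enumerate(packets):
        await task_q.put(Task(0 if pkt[0] == "udp" else 1, seq, pkt))


async def sniffer_consumer(task_q: asyncio.PriorityQueue, msg_q: asyncio.Queue) -> None:
    """First consumer group: associate the connection with a process, check it, and
    hand the result (or a request for deeper detection) to the message queue."""
    while True:
        task = await task_q.get()
        proto, src, sport, dst, dport = task.summary
        # Stand-ins for process association and the legitimacy check (constructed).
        owner = "svchost.exe" if proto == "udp" else "w3wp.exe"
        needs_injection_check = dport == 4444
        await msg_q.put({"conn": task.summary, "process": owner,
                         "check_injection": needs_injection_check})
        task_q.task_done()


async def detector_consumer(msg_q: asyncio.Queue, results: List[dict]) -> None:
    """Second group: pull from the message queue (RabbitMQ stand-in) and record."""
    while True:
        msg = await msg_q.get()
        results.append(msg)
        msg_q.task_done()


async def run_pipeline(packets: List[Summary]) -> List[dict]:
    task_q: asyncio.PriorityQueue = asyncio.PriorityQueue()
    msg_q: asyncio.Queue = asyncio.Queue()
    results: List[dict] = []
    workers = [asyncio.create_task(sniffer_consumer(task_q, msg_q)),
               asyncio.create_task(detector_consumer(msg_q, results))]
    await sniffer_producer(packets, task_q)  # everything is queued before consumers run
    await task_q.join()
    await msg_q.join()
    for w in workers:
        w.cancel()
    return results


def demo() -> List[dict]:
    """Returns the messages in the order the detector stage received them."""
    return asyncio.run(run_pipeline(PACKETS))
```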
In one embodiment of the invention, in the method shown in Fig. 1, reconstructing outside the target virtual machine the currently active network connections and the related information of the processes they belong to, and determining the parasitic processes in the target virtual machine by analyzing the reconstructed related information, includes one or both of the following two methods:
The first parasitic process detection method: reconstructing, outside the target virtual machine, the related information of the currently active network connections held by the processes in the target virtual machine; for a currently active network connection, matching its related information against the corresponding safety detection rules to determine whether the network connection is an abnormal connection; and if a network connection is determined to be an abnormal connection, determining that the process to which the network connection belongs is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected;
The second parasitic process detection method: for each target process, reconstructing outside the target virtual machine the process management structure of the target process inside the target virtual machine; and by analyzing the reconstructed process management structure, determining whether the target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected.
In one embodiment of the invention, the first parasitic process detection method is process-level network behavior detection, implemented by the NetAnomalyDetector class. Fig. 7 shows a schematic class diagram of the implementation of process-level network behavior monitoring according to an embodiment of the invention. Referring to Fig. 7, this class likewise uses Dlllist as its base class in order to call the interfaces of the Volatility framework, and provides functional interfaces such as parsing access control rules, monitoring the designated virtual machine, reconstructing the TCP/UDP connection information of processes, and checking whether the packets sent by a process conform to the access control rules.
In one embodiment of the invention, the second parasitic process detection method is process-level injection behavior detection. Fig. 8 shows a schematic class diagram of the implementation of injection behavior monitoring according to an embodiment of the invention. As shown in Fig. 8, the injected code block detection function is mainly implemented in the InjectionDetector class, which inherits the DllList class in order to use the interfaces provided by the Volatility framework and calls the three functions of the _EPROCESS class that obtain the DLL lists; on this basis it implements detection of DLL injection and code injection behavior.
In one embodiment of the invention, the first parasitic process detection method specifically includes: intercepting the packets entering and leaving the designated virtual machine; according to the intercepted packets, determining the currently active network connections in the designated virtual machine; reconstructing, outside the designated virtual machine, the related information of the currently active network connections held by the processes in the designated virtual machine; for a currently active network connection, matching its related information against the corresponding safety detection rules to determine whether the network connection is an abnormal connection; and if a network connection is determined to be an abnormal connection, determining that the process to which it belongs is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected.
Here, reconstructing outside the designated virtual machine the related information of the currently active network connections held by the processes in the designated virtual machine includes: using Libvmi to map the memory address space corresponding to the target process of the designated virtual machine into the memory address space of Domain 0, thereby providing address space support for the Volatility framework; generating, based on the Volatility framework, a script for analyzing and reading the memory of the designated virtual machine at run time; and the script obtaining the related content of the target process through the mapped memory address space of Domain 0.
Here, reconstructing outside the designated virtual machine the related information of the currently active network connections held by the processes in the designated virtual machine includes: finding the node that holds the tcpip.sys module information in the Windows system; obtaining the addresses of _AddrObjTable and _TCBTable from the node holding the tcpip.sys module information; and traversing the singly linked lists pointed to by _AddrObjTable and _TCBTable to obtain the related information of the currently active network connections held by the processes in the designated virtual machine.
Here, finding the node holding the tcpip.sys module information in the Windows system includes: obtaining the pointer to the _KPCR data structure from the FS register in kernel mode; reading the pointer to the _DBGKD_GET_VERSION64 data structure from the KdVersionBlock variable of the _KPCR data structure; obtaining from the PsLoadedModuleList member variable of the _DBGKD_GET_VERSION64 data structure the address of the head node of the doubly linked list holding module information; and traversing the doubly linked list pointed to by PsLoadedModuleList to find the node holding the tcpip.sys module information.
Here, determining the currently active network connections in the designated virtual machine according to the intercepted packets, and reconstructing outside the designated virtual machine the related information of the currently active network connections held by the processes in the designated virtual machine, includes: setting up a record queue and a process queue, where the record queue maintains the currently active network connection information of the designated virtual machine, including the identifier of the network connection, the corresponding process, the processing time and the safety detection result, and the process queue holds the process list of the designated virtual machine.
Here, for each intercepted packet the following flow is performed: determining whether the record queue already contains the currently active network connection information corresponding to the packet; if so, performing the corresponding handling according to the existing safety detection result, and if not, reconstructing the related information of the currently active network connections held by the processes in the designated virtual machine; determining the process it belongs to according to the reconstructed related information of the currently active network connection, and determining whether that process exists in the process queue, updating the process into the process queue if it does not, and if it does, determining according to the safety detection rules corresponding to the process whether the currently active network connection is an abnormal connection; performing the corresponding handling according to the safety detection result; and updating the currently active network connection, the corresponding process, the processing time and the safety detection result into the record queue.
Here, for a currently active network connection, matching its related information against the corresponding safety detection rules to determine whether the network connection is an abnormal connection includes: for a process of the single-application access type, extracting the network behaviors that the application may inherently perform and generating legitimate behavior rules from them; and matching the related information of the currently active network connection against the legitimate behavior rules corresponding to the process it belongs to, determining it to be an abnormal connection if there is no matching item.
Here, for a currently active network connection, matching its related information against the corresponding safety detection rules to determine whether the network connection is an abnormal connection includes: pre-setting a default deny rule containing one or more matching items, and pre-setting a default allow rule containing one or more matching items; for a currently active network connection, first determining according to the process it belongs to whether the default deny rule or the default allow rule applies; if the default deny rule applies, matching the related information of the currently active network connection against the matching items of the additionally defined allow rules, and determining the network connection to be a normal connection if there is a matching item and an abnormal connection if there is none; and if the default allow rule applies, matching the related information of the currently active network connection against the matching items of the additionally defined deny rules, and determining the network connection to be an abnormal connection if there is a matching item and a normal connection if there is none.
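The record-queue flow and the default-deny / default-allow rule matching from the two passages above, as an added example that is not the patent's code: the policies, connection owners and packets are constructed, the owner lookup stands in for the tcpip.sys reconstruction, the policy for a process without rules is an assumption, and the example also evaluates the rules the first time a process is seen.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ConnKey = Tuple[str, str, int]  # (proto, remote_ip, remote_port) identifies a connection here


@dataclass(frozen=True)
class RuleItem:
    """One matching item: protocol, remote network (CIDR) and optional remote port."""
    proto: str = "*"
    remote_net: str = "0.0.0.0/0"
    remote_port: Optional[int] = None

    def matches(self, key: ConnKey) -> bool:
        proto, ip, port = key
        if self.proto != "*" and self.proto != proto:
            return False
        if self.remote_port is not None and self.remote_port != port:
            return False
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.remote_net, strict=False)


@dataclass
class ProcessPolicy:
    """default="deny": extra items are the additional allow rules;
    default="allow": extra items are the additional deny rules."""
    default: str
    extra: List[RuleItem]


def is_abnormal(key: ConnKey, policy: ProcessPolicy) -> bool:
    """The default-deny / default-allow decision from the text."""
    matched = any(item.matches(key) for item in policy.extra)
    if policy.default == "deny":
        return not matched      # no allow item matched -> abnormal
    return matched              # a deny item matched -> abnormal


class ConnectionMonitor:
    """Record queue + process queue: a packet first hits the record queue; only an
    unseen connection triggers process reconstruction and a rule check."""

    def __init__(self, policies: Dict[str, ProcessPolicy],
                 resolve_process: Callable[[ConnKey], Optional[str]],
                 unknown_process_default: str = "deny") -> None:
        self.policies = policies
        self.resolve_process = resolve_process  # stand-in for the Volatility reconstruction
        self.fallback = ProcessPolicy(unknown_process_default, [])  # assumption, not in the text
        self.records: Dict[ConnKey, dict] = {}  # record queue
        self.processes: set = set()             # process queue
        self.reconstructions = 0

    def on_packet(self, key: ConnKey, now: float) -> Optional[bool]:
        rec = self.records.get(key)
        if rec is not None:                     # already judged: reuse the stored result
            rec["time"] = now
            return rec["abnormal"]
        self.reconstructions += 1
        process = self.resolve_process(key)
        if process is None:                     # owner already gone (e.g. short-lived UDP)
            return None
        self.processes.add(process)
        abnormal = is_abnormal(key, self.policies.get(process, self.fallback))
        self.records[key] = {"process": process, "time": now, "abnormal": abnormal}
        return abnormal


# Constructed policies for two Windows processes.
POLICIES = {
    "w3wp.exe": ProcessPolicy("deny", [RuleItem("tcp", "10.0.0.0/8", 1433)]),
    "svchost.exe": ProcessPolicy("allow", [RuleItem("tcp", "0.0.0.0/0", 4444),
                                           RuleItem("tcp", "0.0.0.0/0", 6667)]),
}

# Constructed stand-in for "which process holds this connection".
OWNERS: Dict[ConnKey, str] = {
    ("tcp", "10.1.2.3", 1433): "w3wp.exe",
    ("tcp", "203.0.113.5", 443): "w3wp.exe",
    ("tcp", "203.0.113.5", 80): "svchost.exe",
    ("tcp", "198.51.100.7", 4444): "svchost.exe",
    ("tcp", "198.51.100.9", 8080): "updater.exe",
}


def demo() -> Tuple[List[Optional[bool]], int]:
    """Returns the per-packet verdicts (True = abnormal) and how many packets
    needed a reconstruction rather than a record-queue hit."""
    mon = ConnectionMonitor(POLICIES, OWNERS.get)
    packets: List[ConnKey] = [
        ("tcp", "10.1.2.3", 1433), ("tcp", "203.0.113.5", 443),
        ("tcp", "203.0.113.5", 80), ("tcp", "198.51.100.7", 4444),
        ("tcp", "10.1.2.3", 1433), ("tcp", "198.51.100.9", 8080),
        ("udp", "10.0.0.2", 53),
    ]
    results = [mon.on_packet(k, float(i)) for i, k in enumerate(packets)]
    return results, mon.reconstructions
```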
In one embodiment of the invention, the second parasitic process detection method specifically includes: determining one or more processes in the designated virtual machine as target processes; for each target process, reconstructing outside the designated virtual machine the process management structure of the target process inside the designated virtual machine; and by analyzing the reconstructed process management structure, determining whether the target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected.
Here, determining one or more processes in the designated virtual machine as target processes includes: taking one or more processes that produce network behavior in the designated virtual machine as target processes.
Reconstructing outside the designated virtual machine the process management structure of the target process inside the designated virtual machine includes: obtaining the related content of the target process in the memory of the designated virtual machine.
Here, obtaining the related content of the target process in the memory of the designated virtual machine includes: using Libvmi to map the memory address space corresponding to the target process of the designated virtual machine into the memory address space of Domain 0, thereby providing address space support for the Volatility framework; generating, based on the Volatility framework, a script for analyzing and reading the memory of the designated virtual machine at run time; and the script obtaining the related content of the target process through the mapped memory address space of Domain 0.
Here, obtaining the related content of the target process in the memory of the designated virtual machine includes: obtaining the DLL information loaded by the target process from the process environment block (PEB) located in user address space; and obtaining the DLL information loaded by the target process from the virtual address descriptor (VAD) structures located in kernel address space.
Here, obtaining the DLL information loaded by the target process from the PEB located in user address space includes: obtaining the DLL information loaded by the target process from the three doubly linked lists in the PEB whose nodes record DLL information, where the three doubly linked lists are: InLoadOrderList, sorted by load order; InMemoryOrderList, sorted by order in memory; and InInitOrderList, sorted by initialization order.
Here, obtaining the DLL information loaded by the target process from the VAD structures located in kernel address space includes: traversing the EPROCESS linked list to obtain the EPROCESS address of the target process; obtaining the address VadRoot of the root node of the VAD tree from the EPROCESS data structure at the target process's EPROCESS address; traversing the VAD tree with a preorder traversal algorithm and extracting the VAD nodes that have execute permission and whose FileName is not empty; and obtaining the DLL information loaded by the target process from the information in the extracted VAD nodes.
Here, where the DLL information loaded by the target process is obtained both from the PEB located in user address space and from the VAD structures located in kernel address space, whether the target process is a parasitic process into which a malicious DLL has been injected is determined as follows: if a DLL is absent from the DLL information obtained from the PEB but present in the DLL information obtained from the VAD structures, then that DLL is a malicious DLL and the target process is a parasitic process into which a malicious DLL has been injected.
Here, determining by analyzing the reconstructed process management structure whether the target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected includes: if the header structure of a PE format file exists in the data of the reconstructed process management structure, taking the content corresponding to the PE file header structure as the target of safety monitoring.
Here, reconstructing outside the designated virtual machine the process management structure of the target process inside the designated virtual machine includes: obtaining the executable code related to the target process in the different executable memory blocks of the designated virtual machine's memory; and determining by analyzing the reconstructed process management structure whether the target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected includes: calculating separately the entropy of the executable code in the different memory blocks, and if an executable code block whose calculated entropy exceeds a predetermined threshold exists, determining that the target process is a parasitic process into which malicious code or a malicious DLL has been injected.
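The PEB-versus-VAD comparison, the PE header check and the entropy check from the second method above, as one added example that is not the patent's code: the PEB lists, VAD tree, addresses and memory blocks are constructed, the VAD node layout is simplified, and the entropy threshold of 7.0 bits per byte is an assumption (the text leaves it unspecified).

```python
import math
import random
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set, Tuple


@dataclass
class VadNode:
    """Simplified VAD node: range, protection, mapped FileName (None if private), children."""
    start: int
    end: int
    protection: str
    filename: Optional[str]
    left: Optional["VadNode"] = None
    right: Optional["VadNode"] = None


def preorder(node: Optional[VadNode]) -> Iterator[VadNode]:
    """Preorder traversal of the VAD tree from VadRoot, as the text describes."""
    if node is None:
        return
    yield node
    yield from preorder(node.left)
    yield from preorder(node.right)


def dlls_from_vad(root: Optional[VadNode]) -> Set[str]:
    """Keep nodes with execute permission and a non-empty FileName."""
    return {n.filename.lower() for n in preorder(root)
            if n.filename and "EXECUTE" in n.protection}


def dlls_from_peb(in_load: List[str], in_memory: List[str], in_init: List[str]) -> Set[str]:
    """Union of the three PEB loader lists (InLoadOrder, InMemoryOrder, InInitOrder)."""
    return {d.lower() for lst in (in_load, in_memory, in_init) for d in lst}


def injected_dlls(peb_dlls: Set[str], vad_dlls: Set[str]) -> List[str]:
    """A module mapped executable in the VAD but absent from the PEB lists."""
    return sorted(vad_dlls - peb_dlls)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, between 0.0 and 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def has_pe_header(data: bytes) -> bool:
    """MZ stub plus a PE signature at e_lfanew inside the block."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def suspicious_regions(regions: Dict[int, bytes], threshold: float = 7.0) -> Dict[int, str]:
    """Per executable block: a PE header (an image the loader did not map) or
    entropy above the threshold. Threshold value is an assumption."""
    out: Dict[int, str] = {}
    for base, data in regions.items():
        if has_pe_header(data):
            out[base] = "pe-header"
        elif shannon_entropy(data) > threshold:
            out[base] = "high-entropy"
    return out


def demo() -> Tuple[List[str], Dict[int, str]]:
    # Constructed PEB lists (all three agree) and a VAD tree with one extra
    # executable mapping that the loader lists do not mention.
    loaded = ["app.exe", "ntdll.dll", "kernel32.dll", "ws2_32.dll"]
    wc = "PAGE_EXECUTE_WRITECOPY"
    root = VadNode(0x7C900000, 0x7C9AFFFF, wc, "ntdll.dll",
                   left=VadNode(0x00400000, 0x0040FFFF, wc, "app.exe"),
                   right=VadNode(0x7C800000, 0x7C8F5FFF, wc, "kernel32.dll",
                                 left=VadNode(0x71AB0000, 0x71AC6FFF, wc, "ws2_32.dll"),
                                 right=VadNode(0x10000000, 0x1001FFFF,
                                               "PAGE_EXECUTE_READWRITE", "c:\\temp\\inj.dll")))
    injected = injected_dlls(dlls_from_peb(loaded, loaded, loaded), dlls_from_vad(root))

    # Constructed executable blocks: repetitive code, a random (packed-looking)
    # payload, and a manually mapped image with a minimal MZ/PE header.
    rng = random.Random(1)
    pe = bytearray(0x200)
    pe[:2] = b"MZ"
    pe[0x3C:0x40] = (0x80).to_bytes(4, "little")
    pe[0x80:0x84] = b"PE\x00\x00"
    regions = {
        0x00401000: b"\x55\x8b\xec\x83\xec\x10" * 300,
        0x00B20000: bytes(rng.getrandbits(8) for _ in range(4096)),
        0x00C40000: bytes(pe),
    }
    return injected, suspicious_regions(regions)
```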
Based on the above embodiments, the structure of the virtual machine malicious behaviour detection system of the present invention is now given.
Fig. 9 shows a structural diagram of a virtual machine malicious behaviour detection system according to one embodiment of the invention. As shown in Fig. 9, the virtual machine malicious behaviour detection system 900 includes:
a process behaviour detection module 910, adapted to monitor process creation and exit events in the target virtual machine and to notify the safety monitoring module;
a safety monitoring module 920, adapted to maintain, according to the notifications of process creation and exit events, a trusted process list recording the processes actually running in the target virtual machine; to obtain one or more untrusted process lists recording the processes in the target virtual machine by traversing the related data structures that record process information in the target virtual machine; and to judge the hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process lists;
a sniffer 930, adapted to capture the packets entering and leaving the target virtual machine and, according to the captured packets, to determine the currently active network connections in the target virtual machine and the processes they belong to;
a virtual machine introspection module 940, adapted to reconstruct, outside the target virtual machine, the relevant information of the currently active network connections and the processes they belong to;
the safety monitoring module 920 being further adapted to determine the parasitic processes in the target virtual machine by analysing the reconstructed relevant information.
In one embodiment of the invention, the process behaviour detection module 910 is located in the Xen kernel layer; the safety monitoring module 920 is located in the management domain Domain 0 layer; the sniffer 930 is located in the virtual bridge of the Domain 0 layer; and the virtual machine introspection module 940 is located in the Domain 0 layer.
The safety monitoring module 920 includes a hidden process detection module 921 and a parasitic process detection module 922:
the hidden process detection module 921, adapted to maintain the trusted process list according to the notifications of process creation and exit events, to obtain the one or more untrusted process lists, and to judge the hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process lists;
the parasitic process detection module 922, adapted to determine the parasitic processes in the target virtual machine by analysing the reconstructed relevant information.
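The cross-view comparison performed by the hidden process detection module, as an added example that is not code from the patent. The event tuple layout, the names of the traversed views and the sample data are my assumptions; the reading that a hidden process is one the trusted (event-driven) list knows but a traversed in-guest structure omits is also mine.

```python
"""Hidden-process cross-view check over constructed events and views (added
example, not the patent's code). Assumed: events are (kind, pid, name)
tuples; each untrusted view is a list of ProcessRecord obtained by walking
one in-guest data structure."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ProcessRecord:
    pid: int
    name: str


class TrustedProcessList:
    """The trusted view: built only from creation/exit notifications forwarded
    by the process behaviour detection module, never from guest structures
    that a rootkit could have edited."""

    def __init__(self) -> None:
        self._running: Dict[int, str] = {}

    def on_create(self, pid: int, name: str) -> None:
        self._running[pid] = name        # PID reuse simply replaces the record

    def on_exit(self, pid: int) -> None:
        self._running.pop(pid, None)

    def apply(self, events: Iterable[Tuple[str, int, str]]) -> "TrustedProcessList":
        for kind, pid, name in events:
            if kind == "create":
                self.on_create(pid, name)
            elif kind == "exit":
                self.on_exit(pid)
            else:
                raise ValueError(f"unknown event kind {kind!r}")
        return self

    def snapshot(self) -> Dict[int, str]:
        return dict(self._running)


def find_hidden_processes(trusted: TrustedProcessList,
                          untrusted_views: Dict[str, List[ProcessRecord]]) -> Dict[int, dict]:
    """Report every actually running process that at least one traversed
    structure fails to list. Several views are compared because unlinking
    from one structure usually leaves the others intact, and the
    disagreement between views is the signal."""
    running = trusted.snapshot()
    hidden: Dict[int, dict] = {}
    for view_name, records in untrusted_views.items():
        seen = {rec.pid for rec in records}
        for pid, name in running.items():
            if pid not in seen:
                hidden.setdefault(pid, {"name": name, "missing_from": []})
                hidden[pid]["missing_from"].append(view_name)
    return hidden


def find_unobserved_processes(trusted: TrustedProcessList,
                              untrusted_views: Dict[str, List[ProcessRecord]]) -> Dict[int, str]:
    """The opposite disagreement: a process some view lists but that never
    produced a creation notification. Usually a missed event (monitoring
    started after the process did) rather than hiding, but worth reporting."""
    running = trusted.snapshot()
    return {rec.pid: rec.name
            for records in untrusted_views.values()
            for rec in records if rec.pid not in running}


# --- constructed sample ------------------------------------------------------
SAMPLE_EVENTS = [
    ("create", 100, "explorer.exe"),
    ("create", 200, "svchost.exe"),
    ("create", 300, "notepad.exe"),
    ("exit",   300, ""),
    ("create", 300, "calc.exe"),       # PID 300 reused after notepad exits
    ("create", 400, "dropper.exe"),
]
SAMPLE_VIEWS = {
    # walking the active process list: PID 400 has been unlinked
    "ActiveProcessLinks": [ProcessRecord(100, "explorer.exe"),
                           ProcessRecord(200, "svchost.exe"),
                           ProcessRecord(300, "calc.exe")],
    # a second structure still lists it, plus a process started before monitoring began
    "HandleTable": [ProcessRecord(4, "System"), ProcessRecord(100, "explorer.exe"),
                    ProcessRecord(200, "svchost.exe"), ProcessRecord(300, "calc.exe"),
                    ProcessRecord(400, "dropper.exe")],
}

def run_sample():
    trusted = TrustedProcessList().apply(SAMPLE_EVENTS)
    return (find_hidden_processes(trusted, SAMPLE_VIEWS),
            find_unobserved_processes(trusted, SAMPLE_VIEWS))
```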
In one embodiment of the invention, the virtual machine introspection module 940 is adapted to obtain the relevant information of the currently active network connections and the processes they belong to by calling the relevant interface functions and the configuration file mechanism provided by the Libvmi library.
In one embodiment of the invention, the virtual machine introspection module 940 is adapted to obtain the content related to the target process in the memory of the target virtual machine, specifically: using Libvmi, the memory address space corresponding to the target process of the target virtual machine is mapped into the memory address space of Domain 0, so as to provide address space support for the Volatility framework; a script based on the Volatility framework for analysing and reading the target virtual machine's memory at run time is generated, and that script obtains the content related to the target process through the mapped Domain 0 memory address space.
In one embodiment of the invention, based on the __HYPERVISOR_domctl hypercall provided by the Xen kernel and the mechanism by which the Xen kernel defines a data structure for parameter passing for each operation, a communication operation for process creation and process exit events between Domain 0 and the Xen kernel, together with the corresponding parameter-passing data structure, is added to and implemented in the Xen kernel; the process behaviour detection module 910 in the Xen kernel layer and the safety monitoring module 920 in the Domain 0 layer communicate on the basis of the added communication operation and the corresponding parameter-passing data structure.
In one embodiment of the invention, the system 900 further includes a message queue module 950, adapted to hold the message queue set up between the sniffer and the parasitic process detection module;
the sniffer 930 captures and processes the packets entering and leaving the target virtual machine and puts the result data into the message queue; the parasitic process detection module 922 takes data out of the message queue and processes it.
In one embodiment of the invention, a producer coroutine of the sniffer 930 captures the packets entering and leaving the target virtual machine, extracts connection summary information and puts it into the sniffer's task queue; a consumer coroutine of the sniffer 930 takes connection summary information from the sniffer's task queue and, after completing the relevant processing, sends the result data to the message queue. And/or, a producer coroutine in the parasitic process detection module 922 listens on the message queue and puts the data taken from it into the task queue of the parasitic process detection module; a consumer coroutine in the parasitic process detection module 922 takes tasks from the task queue of the parasitic process detection module and processes them.
In one embodiment of the invention, the safety monitoring module 920 is further adapted to reconstruct, outside the target virtual machine, the relevant information of the currently active network connections held by the processes in the target virtual machine; for a currently active network connection, to judge whether the network connection is an abnormal connection by matching its relevant information against the corresponding safety detection rules; and, if the network connection is judged to be an abnormal connection, to determine that the process the network connection belongs to is a parasitic process injected with malicious code or with a malicious dynamic link library (DLL); and/or, for each target process, to reconstruct outside the target virtual machine the process management structure of the target process inside the target virtual machine, and to determine, by analysing the reconstructed process management structure, whether the target process is a parasitic process injected with malicious code or with a malicious dynamic link library (DLL).
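The producer/consumer coroutine pipeline between the sniffer and the parasitic process detection module, ending in the rule match that flags the owner of an abnormal connection, as an added example that is not code from the patent. The packet dict layout, the owner lookup (standing in for the Libvmi/Volatility reconstruction in Domain 0) and the two detection rules are my assumptions.

```python
"""Sniffer -> message queue -> detector pipeline with asyncio queues (added
example, not the patent's code). Assumed: packets are dicts with
proto/src/sport/dst/dport keys; owner_lookup maps a connection to the
process holding it; rules are illustrative."""
import asyncio
from dataclasses import dataclass
from typing import Callable, List, Optional

END = None  # sentinel that drains each queue


@dataclass(frozen=True)
class ConnSummary:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Owner:
    pid: int
    image: str

@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    image: str
    conn: ConnSummary

@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[ConnSummary, Owner], bool]


def summarize(pkt: dict) -> ConnSummary:
    """Connection summary extracted from one captured packet."""
    return ConnSummary(pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


async def sniffer_producer(packets, sniffer_tasks):
    for pkt in packets:
        await sniffer_tasks.put(summarize(pkt))
    await sniffer_tasks.put(END)

async def sniffer_consumer(sniffer_tasks, message_queue):
    seen = set()                                   # one message per distinct connection
    while (conn := await sniffer_tasks.get()) is not END:
        if conn not in seen:
            seen.add(conn)
            await message_queue.put(conn)
    await message_queue.put(END)

async def detector_producer(message_queue, detector_tasks):
    while (conn := await message_queue.get()) is not END:
        await detector_tasks.put(conn)
    await detector_tasks.put(END)

async def detector_consumer(detector_tasks, owner_lookup, rules, findings):
    while (conn := await detector_tasks.get()) is not END:
        owner = owner_lookup(conn)
        if owner is None:
            continue                               # connection not attributable to a process
        for rule in rules:
            if rule.matches(conn, owner):
                findings.append(Finding(rule.name, owner.pid, owner.image, conn))


async def run_pipeline(packets, owner_lookup, rules) -> List[Finding]:
    sniffer_tasks, message_queue, detector_tasks = asyncio.Queue(), asyncio.Queue(), asyncio.Queue()
    findings: List[Finding] = []
    await asyncio.gather(
        sniffer_producer(packets, sniffer_tasks),
        sniffer_consumer(sniffer_tasks, message_queue),
        detector_producer(message_queue, detector_tasks),
        detector_consumer(detector_tasks, owner_lookup, rules, findings),
    )
    return findings

def detect(packets, owner_lookup, rules) -> List[Finding]:
    return asyncio.run(run_pipeline(packets, owner_lookup, rules))


# --- constructed sample ------------------------------------------------------
NO_NETWORK_IMAGES = {"notepad.exe", "calc.exe"}   # images with no legitimate network role
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 49152, "dst": "93.184.216.34", "dport": 443},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 49152, "dst": "93.184.216.34", "dport": 443},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 49153, "dst": "198.51.100.7", "dport": 4444},
]
SAMPLE_OWNERS = {49152: Owner(1200, "chrome.exe"), 49153: Owner(1300, "notepad.exe")}
SAMPLE_RULES = [
    Rule("owner-has-no-network-role", lambda c, o: o.image in NO_NETWORK_IMAGES),
    Rule("uncommon-remote-port", lambda c, o: c.dport not in {53, 80, 443}),
]

def sample_owner_lookup(conn: ConnSummary) -> Optional[Owner]:
    return SAMPLE_OWNERS.get(conn.sport)

def run_sample() -> List[Finding]:
    return detect(SAMPLE_PACKETS, sample_owner_lookup, SAMPLE_RULES)
```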
The related content of the system 900 is the same as in the foregoing method embodiments and is not repeated here.
In summary, the technical scheme of the present invention monitors process creation and exit events in the target virtual machine, maintains a trusted process list recording the processes actually running in the target virtual machine, obtains one or more untrusted process lists recording the processes in the target virtual machine by traversing the related data structures that record process information in the target virtual machine, and judges the hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process lists; it also captures the packets entering and leaving the target virtual machine, determines from the captured packets the currently active network connections in the target virtual machine and the processes they belong to, reconstructs outside the target virtual machine the relevant information of the currently active network connections and the processes they belong to, and determines the parasitic processes in the target virtual machine by analysing the reconstructed relevant information. It can therefore comprehensively detect hidden processes and parasitic processes in the virtual machine, does not depend on an agent inside the virtual machine, belongs to the external detection mode, imposes no performance impact on the virtual machine and has better transparency.
It should be noted that:
The algorithms and displays provided herein are not inherently related to any particular computer, virtual device or other equipment. Various general-purpose devices may also be used with the teaching herein. The structure required to construct such devices is apparent from the above description. Furthermore, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and the above description of a specific language is given to disclose the best mode of the invention.
Numerous specific details are set forth in the specification provided here. It is to be understood, however, that embodiments of the present invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, to simplify the disclosure and aid understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments of the invention. However, the disclosed method should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single disclosed embodiment. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the equipment of an embodiment may be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. Modules, units or components in an embodiment may be combined into one module, unit or component, and may furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
In addition, those skilled in the art will understand that although some embodiments described herein include some features included in other embodiments but not other features, combinations of the features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the virtual machine malicious behaviour detection system according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example a computer program and a computer program product) for performing some or all of the methods described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware including several different elements and by means of a suitably programmed computer. In a unit claim listing several devices, several of these devices may be embodied by the same item of hardware. The use of the words first, second and third does not indicate any order. These words may be interpreted as names.
The invention discloses A1, a virtual machine malicious behaviour detection method, wherein the method includes:
monitoring process creation and exit events in the target virtual machine and maintaining a trusted process list recording the processes actually running in the target virtual machine; obtaining one or more untrusted process lists recording the processes in the target virtual machine by traversing the related data structures that record process information in the target virtual machine; and judging the hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process lists;
capturing the packets entering and leaving the target virtual machine and, according to the captured packets, determining the currently active network connections in the target virtual machine and the processes they belong to; reconstructing outside the target virtual machine the relevant information of the currently active network connections and the processes they belong to; and determining the parasitic processes in the target virtual machine by analysing the reconstructed relevant information.
A2, the method as described in A1, wherein:
process creation and exit events in the target virtual machine are monitored in the Xen kernel layer and the management domain Domain 0 layer is notified; in the Domain 0 layer the trusted process list is maintained according to the notifications of process creation and exit events, the one or more untrusted process lists are obtained, and the hidden processes in the target virtual machine are judged by comparing the trusted process list with the untrusted process lists; the packets entering and leaving the target virtual machine are captured at the virtual bridge of the Domain 0 layer; and the relevant information of the currently active network connections and the processes they belong to is reconstructed in the Domain 0 layer, and the parasitic processes in the target virtual machine are determined by analysing the reconstructed relevant information.
A3, the method as described in A1 or A2, wherein reconstructing outside the target virtual machine the relevant information of the currently active network connections and the processes they belong to includes:
obtaining the relevant information of the currently active network connections and the processes they belong to by calling the relevant interface functions and the configuration file mechanism provided by the Libvmi library.
A4, the method as described in A1 or A2, wherein reconstructing outside the target virtual machine the relevant information of the currently active network connections and the processes they belong to includes:
obtaining the content related to the target process in the memory of the target virtual machine, specifically: using Libvmi, mapping the memory address space corresponding to the target process of the target virtual machine into the memory address space of Domain 0, so as to provide address space support for the Volatility framework; generating a script based on the Volatility framework for analysing and reading the target virtual machine's memory at run time; and the script obtaining the content related to the target process through the mapped Domain 0 memory address space.
A5, the method as described in A2, wherein implementing the communication between the Xen kernel layer and the Domain 0 layer includes:
based on the __HYPERVISOR_domctl hypercall provided by the Xen kernel and the mechanism by which the Xen kernel defines a data structure for parameter passing for each operation, adding to and implementing in the Xen kernel a communication operation for process creation and process exit events between Domain 0 and the Xen kernel, together with the corresponding parameter-passing data structure;
the Xen kernel layer and the Domain 0 layer communicating on the basis of the added communication operation and the corresponding parameter-passing data structure.
A6, the method as described in A2, wherein the method further includes: setting up a message queue;
after capturing and processing the packets entering and leaving the target virtual machine, putting the result data into the message queue;
taking data out of the message queue and processing it according to the extracted data, including: determining the currently active network connections in the target virtual machine and the processes they belong to, reconstructing outside the target virtual machine the relevant information of the currently active network connections and the processes they belong to, and determining the parasitic processes in the target virtual machine by analysing the reconstructed relevant information.
A7, the method as described in A6, wherein:
said putting the result data into the message queue after capturing and processing the packets entering and leaving the target virtual machine includes: capturing the packets entering and leaving the target virtual machine by a first group of producer coroutines, extracting connection summary information and putting it into a first task queue; taking the connection summary information from the first task queue by a first group of consumer coroutines and, after completing the relevant processing, sending the result data to the message queue;
and/or
said taking data out of the message queue and processing it according to the extracted data includes: listening on the message queue by a second group of producer coroutines and putting the data taken from it into a second task queue; taking data from the second task queue by a second group of consumer coroutines and processing it.
A8, the method as described in A1 or A2, wherein reconstructing outside the target virtual machine the relevant information of the currently active network connections and the processes they belong to, and determining the parasitic processes in the target virtual machine by analysing the reconstructed relevant information, include:
reconstructing outside the target virtual machine the relevant information of the currently active network connections held by the processes in the target virtual machine; for a currently active network connection, judging whether the network connection is an abnormal connection by matching its relevant information against the corresponding safety detection rules; and, if a network connection is judged to be an abnormal connection, determining that the process the network connection belongs to is a parasitic process injected with malicious code or with a malicious dynamic link library (DLL);
and/or
for each target process, reconstructing outside the target virtual machine the process management structure of the target process inside the target virtual machine; and determining, by analysing the reconstructed process management structure, whether the target process is a parasitic process injected with malicious code or with a malicious dynamic link library (DLL).
The invention discloses B9, a virtual machine malicious behaviour detection system, wherein the system includes:
a process behaviour detection module, adapted to monitor process creation and exit events in the target virtual machine and to notify the safety monitoring module;
a safety monitoring module, adapted to maintain, according to the notifications of process creation and exit events, a trusted process list recording the processes actually running in the target virtual machine; to obtain one or more untrusted process lists recording the processes in the target virtual machine by traversing the related data structures that record process information in the target virtual machine; and to judge the hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process lists;
a sniffer, adapted to capture the packets entering and leaving the target virtual machine and, according to the captured packets, to determine the currently active network connections in the target virtual machine and the processes they belong to;
a virtual machine introspection module, adapted to reconstruct, outside the target virtual machine, the relevant information of the currently active network connections and the processes they belong to;
the safety monitoring module being further adapted to determine the parasitic processes in the target virtual machine by analysing the reconstructed relevant information.
B10, the system as described in B9, wherein the process behaviour detection module is located in the Xen kernel layer; the safety monitoring module is located in the management domain Domain 0 layer; the sniffer is located in the virtual bridge of the Domain 0 layer; the virtual machine introspection module is located in the Domain 0 layer; the safety monitoring module includes a hidden process detection module and a parasitic process detection module; the hidden process detection module is adapted to maintain the trusted process list according to the notifications of process creation and exit events, to obtain the one or more untrusted process lists, and to judge the hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process lists; and the parasitic process detection module is adapted to determine the parasitic processes in the target virtual machine by analysing the reconstructed relevant information.
B11, the system as described in B9 or B10, wherein:
the virtual machine introspection module is adapted to obtain the relevant information of the currently active network connections and the processes they belong to by calling the relevant interface functions and the configuration file mechanism provided by the Libvmi library.
B12, the system as described in B9 or B10, wherein:
the virtual machine introspection module is adapted to obtain the content related to the target process in the memory of the target virtual machine, specifically: using Libvmi, the memory address space corresponding to the target process of the target virtual machine is mapped into the memory address space of Domain 0, so as to provide address space support for the Volatility framework; a script based on the Volatility framework for analysing and reading the target virtual machine's memory at run time is generated, and that script obtains the content related to the target process through the mapped Domain 0 memory address space.
B13, the system as described in B10, wherein:
based on the __HYPERVISOR_domctl hypercall provided by the Xen kernel and the mechanism by which the Xen kernel defines a data structure for parameter passing for each operation, a communication operation for process creation and process exit events between Domain 0 and the Xen kernel, together with the corresponding parameter-passing data structure, is added to and implemented in the Xen kernel;
the process behaviour detection module in the Xen kernel layer and the safety monitoring module in the Domain 0 layer communicate on the basis of the added communication operation and the corresponding parameter-passing data structure.
B14, the system as described in B10, wherein the system further includes: a message queue module, adapted to hold the message queue set up between the sniffer and the parasitic process detection module;
the sniffer captures and processes the packets entering and leaving the target virtual machine and puts the result data into the message queue;
the parasitic process detection module takes data out of the message queue and processes it.
B15, the system as described in B14, wherein:
a producer coroutine of the sniffer captures the packets entering and leaving the target virtual machine, extracts connection summary information and puts it into the sniffer's task queue; a consumer coroutine of the sniffer takes connection summary information from the sniffer's task queue and, after completing the relevant processing, sends the result data to the message queue;
and/or
a producer coroutine in the parasitic process detection module listens on the message queue and puts the data taken from it into the task queue of the parasitic process detection module; a consumer coroutine in the parasitic process detection module takes tasks from the task queue of the parasitic process detection module and processes them.
B16, the system as described in B9 or B10, wherein the safety monitoring module is further adapted to:
reconstruct outside the target virtual machine the relevant information of the currently active network connections held by the processes in the target virtual machine; for a currently active network connection, judge whether the network connection is an abnormal connection by matching its relevant information against the corresponding safety detection rules; and, if a network connection is judged to be an abnormal connection, determine that the process the network connection belongs to is a parasitic process injected with malicious code or with a malicious dynamic link library (DLL);
and/or
for each target process, reconstruct outside the target virtual machine the process management structure of the target process inside the target virtual machine; and determine, by analysing the reconstructed process management structure, whether the target process is a parasitic process injected with malicious code or with a malicious dynamic link library (DLL).

Claims (16)

1. a kind of virtual machine malicious act detection method, wherein, this method includes:
Monitor the establishment of process in target virtual machine and exit event, safeguard one and record actual motion in the target virtual machine The trusted process list of process;There are the related data structures of the progress information in target virtual machine by traversal record, remembered Record one or more untrusted process lists of the process in target virtual machine;By compare trusted process list and it is insincere enter Cheng Liebiao, judge the hidden process in target virtual machine;
The packet of disengaging target virtual machine is intercepted and captured, according to the packet intercepted and captured, determines the current active in target virtual machine Network connection and its affiliated process;In the outside network connection for reconstructing the current active of target virtual machine and its affiliated The relevant information of process;The relevant information by analyzing reconstruct determines the parasitic process in target virtual machine.
2. the method for claim 1, wherein
Process creation and process in Xen inner nuclear layers monitoring target virtual machine exit event, and notify management domain Domain 0 Layer;
The notice that event is exited according to process creation and process in 0 layer of Domain safeguards the trusted process list, and obtains One or more untrusted process lists, judge target virtual machine by comparing trusted process list and untrusted process list In hidden process;
The packet of disengaging target virtual machine is intercepted and captured at 0 layer of Domain virtual bridge;
In the network connection of 0 layer of reconstruct current active of Domain and its relevant information of affiliated process, and pass through analysis The relevant information of reconstruct determines the parasitic process in target virtual machine.
3. method as claimed in claim 1 or 2, wherein, the outside reconstruct current active in target virtual machine The relevant information of network connection and its affiliated process includes:
By calling the relevant interface function and configuration file mechanism of the offer of Libvmi storehouses, the network of the current active is obtained Connection and its relevant information of affiliated process.
4. method as claimed in claim 1 or 2, wherein, the outside reconstruct current active in target virtual machine The relevant information of network connection and its affiliated process includes:
The related content of the target process in the internal memory of target virtual machine is obtained, is specially:The target is mapped using Libvmi Memory address space corresponding to the target process of virtual machine to Domain 0 memory address space, so as to being Volatility Framework provides address space and supported;The target virtual machine internal memory that is used for during to operation of the generation based on the Volatility frameworks Analyze the script of reading;The script obtains the phase of target process by the memory address space of the Domain 0 after mapping Hold inside the Pass.
5. method as claimed in claim 2, wherein, realize that the communication between 0 layer of Xen inner nuclear layers and Domain includes:
There is provided based on Xen kernels _ _ HYPERVISOR_domctl hypercalls and Xen kernels be that each Operation Definition is used for The mechanism of the data structure of parameter transmission, add and realized between Domain 0 and Xen kernels on process creation in Xen kernels The traffic operation of event is exited with process and corresponding parameter transmits data structure;
0 layer of Xen inner nuclear layers and the Domain traffic operation and corresponding parameter based on addition transmit data structure and carried out Communication.
6. method as claimed in claim 2, wherein, this method further comprises:Message queue is set;
After intercepting and capturing the packet of disengaging target virtual machine and being handled, result data are put into the message queue;
Data are extracted from the message queue, are handled according to the data of extraction, including:Determine current in target virtual machine The network connection of activity and its affiliated process, target virtual machine the outside network connection for reconstructing the current active and its The relevant information of affiliated process, and the relevant information reconstructed by analysis determine the parasitic process in target virtual machine.
7. The method as claimed in claim 6, wherein
said intercepting and processing the packets entering and leaving the target virtual machine and putting the result data into the message queue comprises: a first group of producer coroutines intercepting the packets entering and leaving the target virtual machine, extracting connection summary information and putting it into a first task queue; a first group of consumer coroutines obtaining the connection summary information from the first task queue and, after completing the relevant processing, sending the result data into the message queue;
and/or
said extracting data from the message queue and processing the extracted data comprises: a second group of producer coroutines monitoring the message queue and putting data from it into a second task queue; a second group of consumer coroutines obtaining data from the second task queue and processing it.
8. The method as claimed in claim 1 or 2, wherein reconstructing outside the target virtual machine the relevant information of the currently active network connections and of the processes to which they belong, and determining the parasitic processes in the target virtual machine by analysing the reconstructed relevant information, comprises:
reconstructing outside the target virtual machine the relevant information of the currently active network connections held by the processes in the target virtual machine; for each currently active network connection, judging whether the network connection is an abnormal connection by matching its relevant information against the corresponding security detection rules; if a network connection is judged to be abnormal, determining that the process to which the network connection belongs is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected;
and/or
for each target process, reconstructing outside the target virtual machine the process management structure of that target process inside the target virtual machine; and determining, by analysing the reconstructed process management structure, whether the target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected.
9. A virtual machine malicious behaviour detection system, wherein the system comprises:
a process behaviour detection module, adapted to monitor process creation and exit events in the target virtual machine and to notify the security monitoring module;
a security monitoring module, adapted to maintain, according to the notifications of process creation and process exit events, a trusted process list recording the processes actually running in the target virtual machine; to obtain one or more untrusted process lists recording the processes in the target virtual machine by traversing the relevant data structures in which process information is recorded in the target virtual machine; and to judge the hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process lists;
a sniffer, adapted to intercept the packets entering and leaving the target virtual machine and, according to the intercepted packets, to determine the currently active network connections in the target virtual machine and the processes to which they belong;
a virtual machine introspection module, adapted to reconstruct outside the target virtual machine the relevant information of the currently active network connections and of the processes to which they belong;
the security monitoring module being further adapted to determine the parasitic processes in the target virtual machine by analysing the reconstructed relevant information.
10. The system as claimed in claim 9, wherein
the process behaviour detection module is located at the Xen kernel layer;
the security monitoring module is located at the layer of the management domain Domain 0;
the sniffer is located at the virtual bridge of the Domain 0 layer;
the virtual machine introspection module is located at the Domain 0 layer;
the security monitoring module comprises a hidden process detection module and a parasitic process detection module;
the hidden process detection module is adapted to maintain the trusted process list according to the notifications of process creation and process exit events, to obtain one or more untrusted process lists, and to judge the hidden processes in the target virtual machine by comparing the trusted process list with the untrusted process lists;
the parasitic process detection module is adapted to determine the parasitic processes in the target virtual machine by analysing the reconstructed relevant information.
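The cross-view comparison behind the hidden process detection module in claims 9 and 10, as an added example that is not code from the patent: the trusted list is replayed from a constructed stream of the create/exit notifications the Xen-side monitor would forward, and the untrusted lists are constructed sets standing in for enumerations of the guest's process bookkeeping structures (the view names are hypothetical; a deployment would fill them via Libvmi/Volatility).

```python
from dataclasses import dataclass, field

@dataclass
class TrustedProcessList:
    """Record of processes actually running, maintained from create/exit notifications."""
    running: dict = field(default_factory=dict)   # pid -> image name

    def on_event(self, event):
        kind, pid, name = event
        if kind == "create":
            self.running[pid] = name
        elif kind == "exit":
            self.running.pop(pid, None)   # an exit for an unknown pid is tolerated
        else:
            raise ValueError(f"unknown event kind: {kind!r}")

def build_trusted_list(events):
    """Replay the forwarded event stream in order to obtain the trusted list."""
    trusted = TrustedProcessList()
    for ev in events:
        trusted.on_event(ev)
    return trusted

def find_hidden_processes(trusted, untrusted_views):
    """Cross-view comparison: a process the event stream shows as running but that is
    absent from an untrusted view has been unlinked from the guest structure behind it.
    Returns ([(pid, name, [views it is missing from])], [(view, pid) never announced])."""
    hidden = []
    for pid, name in sorted(trusted.running.items()):
        missing = [view for view, pids in untrusted_views.items() if pid not in pids]
        if missing:
            hidden.append((pid, name, missing))
    # Consistency check: an entry present in a guest view but never announced by an event
    # is not a hidden process; it points at a missed notification and deserves a look.
    unaccounted = [(view, pid) for view, pids in untrusted_views.items()
                   for pid in sorted(pids) if pid not in trusted.running]
    return hidden, unaccounted

# Constructed sample event stream (kind, pid, image) as the Xen-side monitor would forward it.
SAMPLE_EVENTS = [
    ("create", 4, "System"),
    ("create", 1320, "explorer.exe"),
    ("create", 2044, "svchost.exe"),
    ("create", 3100, "notepad.exe"),
    ("exit", 3100, "notepad.exe"),
]
# Constructed untrusted views; hypothetical names for two guest structures enumerated from Domain 0.
SAMPLE_VIEWS = {
    "process_linked_list": {4, 1320},        # pid 2044 has been unlinked from this structure
    "handle_table_walk": {4, 1320, 2044},
}

if __name__ == "__main__":
    hidden, unaccounted = find_hidden_processes(build_trusted_list(SAMPLE_EVENTS), SAMPLE_VIEWS)
    print("hidden:", hidden)            # [(2044, 'svchost.exe', ['process_linked_list'])]
    print("unaccounted:", unaccounted)  # []
```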
11. The system as claimed in claim 9 or 10, wherein
the virtual machine introspection module is adapted to obtain the currently active network connections and the relevant information of the processes to which they belong by calling the relevant interface functions and the configuration file mechanism provided by the Libvmi library.
12. The system as claimed in claim 9 or 10, wherein
the virtual machine introspection module is adapted to obtain the relevant content of the target process in the memory of the target virtual machine, specifically by: mapping, using Libvmi, the memory address space corresponding to the target process of the target virtual machine into the memory address space of Domain 0, so as to provide address space support for the Volatility framework; generating, based on the Volatility framework, a script for analysing and reading the memory of the target virtual machine at run time; and obtaining, by means of the script, the relevant content of the target process through the mapped memory address space of Domain 0.
13. The system as claimed in claim 10, wherein
based on the __HYPERVISOR_domctl hypercall provided by the Xen kernel and the mechanism by which the Xen kernel defines a parameter-passing data structure for each operation, a communication operation between Domain 0 and the Xen kernel for process creation and process exit events, together with the corresponding parameter-passing data structure, is added in the Xen kernel;
the process behaviour detection module located at the Xen kernel layer and the security monitoring module located at the Domain 0 layer communicate on the basis of the added communication operation and the corresponding parameter-passing data structure.
14. The system as claimed in claim 10, wherein the system further comprises: a message queue module, adapted to hold a message queue set up between the sniffer and the parasitic process detection module;
the sniffer intercepts and processes the packets entering and leaving the target virtual machine and puts the result data into the message queue;
the parasitic process detection module extracts data from the message queue and processes it.
15. The system as claimed in claim 14, wherein
the producer coroutines of the sniffer intercept the packets entering and leaving the target virtual machine, extract connection summary information and put it into the task queue of the sniffer; the consumer coroutines of the sniffer obtain the connection summary information from the task queue of the sniffer and, after completing the relevant processing, send the result data into the message queue;
and/or
the producer coroutines in the parasitic process detection module monitor the message queue and put data from it into the task queue of the parasitic process detection module; the consumer coroutines in the parasitic process detection module obtain tasks from the task queue of the parasitic process detection module and process them.
16. The system as claimed in claim 9 or 10, wherein the security monitoring module is further adapted to:
reconstruct outside the target virtual machine the relevant information of the currently active network connections held by the processes in the target virtual machine; for each currently active network connection, judge whether the network connection is an abnormal connection by matching its relevant information against the corresponding security detection rules; and, if a network connection is judged to be abnormal, determine that the process to which the network connection belongs is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected;
and/or
for each target process, reconstruct outside the target virtual machine the process management structure of that target process inside the target virtual machine, and determine, by analysing the reconstructed process management structure, whether the target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected.
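The rule matching step of claims 8 and 16, as an added example that is not code from the patent: each reconstructed connection is matched against a per-process rule describing the network activity that image is expected to show, and any process owning an abnormal connection is reported as parasitic. The rule format, the rule set and the connection records are constructed here; the patent does not specify what its security detection rules contain.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Connection:
    """One reconstructed active connection and the process that owns it."""
    pid: int
    process: str
    proto: str
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    state: str      # "ESTABLISHED" or "LISTENING"

@dataclass(frozen=True)
class Rule:
    """Hypothetical rule format: the network activity a given image is expected to show."""
    remote_ports: frozenset = frozenset()   # remote ports an outbound connection may use
    remote_nets: tuple = ()                 # permitted remote networks; empty = any
    listen_ports: frozenset = frozenset()   # local ports the process may listen on

# Constructed rule set; a deployment derives these from a baseline of the guest.
RULES = {
    "svchost.exe": Rule(remote_ports=frozenset({80, 443})),
    "explorer.exe": Rule(remote_ports=frozenset({80, 443}),
                         remote_nets=(ip_network("203.0.113.0/24"),)),
    "system": Rule(listen_ports=frozenset({445})),
}

def check_connection(conn, rules=RULES):
    """Match one connection against the rule for its owning process; returns (is_abnormal, reason)."""
    rule = rules.get(conn.process.lower())
    if rule is None:
        return True, "no network activity expected for this process"
    if conn.state == "LISTENING":
        if conn.local_port not in rule.listen_ports:
            return True, f"unexpected listener on local port {conn.local_port}"
        return False, ""
    if conn.remote_port not in rule.remote_ports:
        return True, f"remote port {conn.remote_port} not permitted"
    if rule.remote_nets and not any(ip_address(conn.remote_addr) in n for n in rule.remote_nets):
        return True, f"remote address {conn.remote_addr} outside permitted networks"
    return False, ""

def find_parasitic_processes(connections, rules=RULES):
    """A process owning at least one abnormal connection is reported as parasitic."""
    findings = {}
    for c in connections:
        abnormal, reason = check_connection(c, rules)
        if abnormal:
            findings.setdefault((c.pid, c.process), []).append(reason)
    return findings

# Constructed sample of reconstructed connections (a deployment gets these from introspection).
SAMPLE_CONNECTIONS = [
    Connection(912, "svchost.exe", "tcp", "10.0.0.5", 49152, "203.0.113.20", 443, "ESTABLISHED"),
    Connection(1320, "explorer.exe", "tcp", "10.0.0.5", 49153, "198.51.100.7", 443, "ESTABLISHED"),
    Connection(4, "System", "tcp", "0.0.0.0", 445, "0.0.0.0", 0, "LISTENING"),
    Connection(2044, "notepad.exe", "tcp", "10.0.0.5", 49160, "198.51.100.7", 4444, "ESTABLISHED"),
    Connection(2044, "notepad.exe", "tcp", "0.0.0.0", 31337, "0.0.0.0", 0, "LISTENING"),
]

if __name__ == "__main__":
    for proc, reasons in find_parasitic_processes(SAMPLE_CONNECTIONS).items():
        print(proc, reasons)
```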
CN201510149761.8A 2015-03-31 2015-03-31 A kind of virtual machine malicious act detection method and system Active CN104715201B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510149761.8A CN104715201B (en) 2015-03-31 2015-03-31 A kind of virtual machine malicious act detection method and system

Publications (2)

Publication Number Publication Date
CN104715201A CN104715201A (en) 2015-06-17
CN104715201B true CN104715201B (en) 2018-02-27

Family

ID=53414519

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510149761.8A Active CN104715201B (en) 2015-03-31 2015-03-31 A kind of virtual machine malicious act detection method and system

Country Status (1)

Country Link
CN (1) CN104715201B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1896903A (en) * 2005-07-15 2007-01-17 联想(北京)有限公司 Virtual-machine system for supporting trusted evaluation and method for realizing trusted evaluation
CN101770551A (en) * 2008-12-30 2010-07-07 中国科学院软件研究所 Method for processing hidden process based on hardware simulator
CN102521537A (en) * 2011-12-06 2012-06-27 北京航空航天大学 Detection method and device for hidden process based on virtual machine monitor
CN103065084A (en) * 2012-12-27 2013-04-24 武汉大学 Windows hidden process detection method performed at external machine of virtual machine
CN103617391A (en) * 2011-09-14 2014-03-05 北京奇虎科技有限公司 Method, device and virtual machine for detecting malicious programs

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9054917B2 (en) * 2012-03-08 2015-06-09 Empire Technology Development Llc Secure migration of virtual machines

Also Published As

Publication number Publication date
CN104715201A (en) 2015-06-17

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20220727

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.