CN105550095A - Virtualization based active and passive combination detection system and method for host behavior - Google Patents


Info

Publication number
CN105550095A
Authority
CN
China
Prior art keywords
data
virtual machine
module
monitoring
behavioural analysis
Prior art date
Legal status
Granted
Application number
CN201510970176.4A
Other languages
Chinese (zh)
Other versions
CN105550095B (en
Inventor
丁振全
郝志宇
邓鑫
刘永继
Current Assignee
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Events
Application filed by Institute of Information Engineering of CAS
Priority to CN201510970176.4A
Publication of CN105550095A
Application granted
Publication of CN105550095B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/301 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is a virtual computing platform, e.g. logically partitioned systems

Abstract

The invention relates to a virtualization based active and passive combination detection system and method for a host behavior. The system comprises an active monitoring data acquisition module, a passive monitoring data acquisition module, a data forwarding module and a behavior analysis module, wherein the active monitoring data acquisition module actively acquires static data at a current moment in a virtual machine in an active monitoring mode; the passive monitoring data acquisition module captures system call and system instruction data in the virtual machine in an asynchronous monitoring mode; the data forwarding module is in charge of remotely forwarding locally obtained data to a behavior analysis server for analysis; and the behavior analysis module receives behavior data sent by the data forwarding module and dynamically controls an analysis thread to analyze the behavior data according to a data source. According to the detection system and method, a centralized virtual machine monitoring mechanism with the characteristics of transparency, real-time property, flexibility and the like is realized in an active and passive monitoring combination manner.

Description

Virtualization-based active and passive combination detection system and method for host behavior
Technical field
The present invention relates to the field of virtualization security monitoring, and specifically to a virtualization-based detection system and method for host behavior that combines active and passive monitoring.
Background technology
With the advance of science and technology, computer processing power has grown rapidly, in particular with the advent of multi-core processors, and this has caused server utilization to decline. Virtualization technology has improved server utilization to some extent. Virtualization integrates the server hardware resources so that, instead of a single operating system environment, several operating system environments can run on the same hardware at the same time, and these environments are relatively isolated from one another and do not interfere with each other. In virtualization the virtual machine monitor (VMM) plays a key role: it manages the server hardware resources, abstracts and partitions them, and exposes them to the virtualized operating system environments (virtual machines, VMs) running on the hardware. Compared with the conventional architecture, the virtualized architecture raises new ideas and new challenges for security monitoring. In a virtualized architecture the operating system no longer runs directly on the hardware and no longer manages and controls it; the VMM takes that role, sitting between the operating system and the physical hardware with a privilege level higher than that of the operating system. These properties have made using the VMM to guarantee the security of the system platform a growing research trend. Current virtualization-based security monitoring concentrates mainly on virtual network behavior and virtualized host behavior; the present invention focuses on the interception and analysis of virtualized host behavior.
From the point of view of how monitoring is triggered, virtualization-based host behavior security monitoring currently falls into two broad classes: active monitoring and passive monitoring. Active monitoring triggers behavior monitoring periodically by scanning or polling; typical representatives are Lares and Libvmi. This mode is fully controllable: host behavior can be monitored at any time, it is suited to acquiring a complete picture of host behavior, and it emphasizes obtaining the complete set of actions inside the host rather than intercepting particular events; at the same time it may suffer from low monitoring efficiency and impose a performance loss on the VM. Passive monitoring installs event triggers, so that host behavior data is collected only when the corresponding event fires; typical representatives are Ether and Nitro. Because it is driven by specific events, this mode observes a specific action the moment it occurs, is suited to monitoring particular host behaviors, and emphasizes obtaining specific behavior events; however, because the monitoring action is not under the monitor's control, false positives and false negatives may occur.
At present the common methods of host behavior monitoring are: 1) adopt active monitoring and trigger the monitoring action periodically; 2) adopt passive monitoring and trigger the monitoring action in an event-driven manner. Each mode has its merits and drawbacks, and using a single mode on its own makes it difficult to obtain a complete semantic analysis view or to balance real-time response, flexibility and accuracy. Active monitoring lacks real-time response: when the semantic analysis view is generated depends mainly on the polling or timer trigger, so this mode cannot perceive changes of system state inside the virtual machine as they happen, such as the creation and switching of processes or the opening and closing of files. More precisely, active monitoring is suited to obtaining static behavior data inside the virtual machine. Passive monitoring can only obtain the semantic view of the particular event of the current moment, such as a process switch, a system call or an interrupt; it lacks flexibility, and it is difficult to obtain, on demand, a semantic view that covers all behavior inside the virtual machine at a given moment. If passive monitoring were used to obtain the semantic view of the whole behavior inside the virtual machine, every event inside the virtual machine would have to be intercepted, which would severely degrade the performance of the virtual machine.
Summary of the invention
To address the problems of the existing methods described above, the invention discloses a virtualization-based detection system and method for host behavior that combines active and passive monitoring. Because the virtual machine monitor completely controls the access of every virtual machine running on it to the hardware resources, the invention realizes a centralized virtual machine monitoring mechanism with the properties of transparency, real-time response and flexibility. In view of the limitations of the research background described above, the invention combines active monitoring with passive monitoring: the two monitoring modes are used together and cooperate with each other to complete the host behavior analysis of the virtual machine jointly, balancing the real-time response, flexibility and accuracy of the host behavior analysis. At the same time a centralized analysis framework is adopted: the analysis of virtual machine behavior is transferred to a centralized analysis cluster, which reduces the hardware resources consumed by behavior analysis and its impact on virtual machine performance.
The detection system disclosed by the invention, shown in Figure 1A, consists mainly of an active monitoring data acquisition module, a passive monitoring data acquisition module, a data forwarding module and a behavior analysis module. The active monitoring data acquisition module actively obtains, in active monitoring mode, the static data inside the virtual machine at the current moment; the passive monitoring data acquisition module captures, in asynchronous interception mode, the system call and system instruction data inside the virtual machine; the data forwarding module is responsible for remotely forwarding the locally obtained data to the behavior analysis server for analysis, the forwarded data comprising both the behavior data obtained in active mode and the behavior data obtained in asynchronous interception mode; and the behavior analysis module receives the behavior data sent by the data forwarding module and dynamically controls analysis threads to analyze the behavior data according to its source.
The detection method disclosed by the invention uses the above system; its workflow is shown in Figure 1B and its concrete steps are as follows:
(1) The SCE field of the EFER register is set to 0.
(2) The active monitoring data acquisition module (Active View Generating Function module, AVGF) obtains the system state inside the virtual machine through a virtual machine introspection tool (such as Libvmi), constructs the required semantic information from the current system state, and forwards it through the data forwarding module (Transfer) to the remote behavior analysis server, i.e. to the behavior analysis module.
(3) Subsequently, the passive monitoring data acquisition module continuously intercepts events inside the virtual machine through the event receiver (EventSensor). Whatever action the virtual machine performs internally is ultimately carried out by a corresponding system call. Because the SCE field of the EFER register was set to 0 while the system is running, executing a system call traps into the VMM. When the EventSensor intercepts the exception information it judges whether the exception was caused by syscall or sysret; if it was caused by one of these two instructions, it collects the system call number, the system call parameters, the number of the process making the system call, the address at which the system call occurred, basic information about the virtual machine, and so on.
(4) The EventSensor puts the collected data into a ring buffer implemented in shared memory (Sharedmem).
(5) After collection of the system call information is finished, the EventSensor notifies the data forwarding module through the event channel mechanism to take the data away, and at the same time emulates the operation of the syscall or sysret instruction and resumes the operation of the virtual machine.
(6) The data forwarding module takes away the data collected by the EventSensor and sends it to the remote behavior analysis server, i.e. to the behavior analysis module.
(7) The behavior analysis module receives the behavior data sent by the remote data forwarding module and distributes it to different behavior analysis threads according to its source.
(8) The behavior analysis threads dynamically create and destroy threads according to the volume of data, analyze the behavior data, and operate on the different views: initialize, add, delete, search, modify, and so on.
Compared with the prior art, the invention has the following advantages:
(1) A centralized virtual machine monitoring mechanism. The invention arranges virtual machine behavior analysis centrally: the behavior analysis of the virtual machines is moved from the privileged domain to the behavior analysis server, where the behavior of all virtual machines is analyzed collectively, which favors centralized control of the virtual machines.
(2) Both flexibility and real-time response of behavior analysis. The invention monitors virtual host behavior by combining active monitoring with passive monitoring, so it retains the advantages of both modes and makes up for the defects of either single mode.
(3) High safety and reliability. The invention performs the virtual host behavior analysis on the analysis server, which avoids the failure of behavior analysis that an attack on, or a crash of, a virtual machine, the privileged domain or even the virtual machine monitor would otherwise cause; such a crash can be discovered as early as possible and corresponding remedial measures taken.
(4) Correlated processing of analysis data. The invention builds a multi-view comparative analysis model and performs correlated processing and analysis of the behavior data, improving the accuracy of analysis.
Description of the drawings
Figure 1A. Module composition diagram of the virtualization-based active and passive combination detection system for host behavior.
Figure 1B. Framework diagram of the virtualization-based active and passive combination detection method for host behavior.
Fig. 2. Flow diagram of the active monitoring data acquisition method.
Fig. 3. Flow diagram of the passive monitoring data acquisition method.
Fig. 4. Flow diagram of the data forwarding method.
Fig. 5. Flow diagram of the behavior analysis method.
Embodiments
The invention is described in detail below with reference to specific embodiments.
The invention discloses a virtualization-based detection method and system for host behavior that combines active and passive monitoring. The system consists mainly of four parts: the active monitoring data acquisition module, the passive monitoring acquisition module, the data forwarding module and the behavior analysis module, as shown in Figure 1A. Figure 1B further illustrates the structural framework and the workflow of the system. Figure 1B shows the privileged domain (Dom0) and the guest domain (DomU); the guest domain operating system is a virtual machine system created with virtualization technology.
Fig. 2 gives the flow diagram of the active monitoring data acquisition method, whose concrete implementation steps are as follows:
(1) Initialize a timer and set its period.
(2) Judge whether the timer has expired, or whether another module has requested active monitoring data acquisition; if so, go to step (3).
(3) Obtain the whole memory data of the virtual machine through Libvmi.
(4) After a brief sorting and analysis of the memory data, form the active monitoring semantic information.
(5) Forward the sorted memory data and the corresponding semantic information to the remote analysis server through the data forwarding module.
(6) If the acquisition was triggered by the timer, reset the timer.
(7) Return to step (2).
Fig. 3 gives the flow diagram of the passive monitoring data acquisition method, whose concrete implementation steps are as follows:
(1) Set the SCE field of the EFER register to 0.
(2) Listen for the #UD exception; when a #UD exception is intercepted, trap into the VMM.
(3) Compare the encoding of the current instruction with the encodings of syscall and sysret to see whether the exception was caused by a syscall or sysret instruction; if it was caused by one of these two instructions, go to step (4), otherwise go to step (1).
(4) Analyze the instruction type: for a syscall instruction go to step (5); for a sysret instruction go to step (6).
(5) Analyze the eax register to obtain the system call number, and at the same time analyze the 5 registers EBX, EDI, etc. to obtain the system call parameters; go to step (7).
(6) Analyze the eax register to obtain the system call return value; go to step (7).
(7) Obtain the number of the process in which the instruction executed and the address eip of the instruction in memory, obtain the identifier Domid of the virtual machine, generate the passive monitoring semantics from this information, and deliver the generated passive monitoring semantic information together with the corresponding monitoring data into the asynchronous ring buffer.
(8) Notify the data forwarding module through the event channel mechanism that a new event has been produced.
(9) Emulate the execution of the syscall or sysret instruction and resume the execution of the system call.
(10) Call the active monitoring data acquisition module to generate the active monitoring semantics; go to step (1).
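The trap handling of steps (2) to (9) as an added example, not code from the patent: a #UD exit is classified by its instruction bytes, the monitoring record is extracted from the register snapshot (eax for the call number, EBX, ECX, EDX, ESI and EDI for the parameters, as the method describes), and the trapped instruction is emulated with its architectural effect so the guest resumes. The vCPU layout, the record format, the use of CR3 as the process key and all sample values are assumptions made for this example.

```c
/* Added example, not the patent's own code: handling the #UD trap that syscall
 * or sysret raises when EFER.SCE is 0.  vCPU layout, record format, CR3 as the
 * process key and every sample value are assumptions made for this example. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_ARGS 5   /* the method reads five parameter registers */

/* Guest vCPU state as a VMM would expose it on a #UD exit (assumed layout). */
struct vcpu {
    uint64_t rip, rflags, rax, rbx, rcx, rdx, rsi, rdi, r11;
    uint64_t cr3;                  /* stands in for the guest process identity */
    uint64_t star, lstar, sfmask;  /* IA32_STAR, IA32_LSTAR, IA32_FMASK */
    uint16_t cs, ss;
    uint8_t  insn[3];              /* bytes fetched from the guest at RIP */
};
enum ev_kind { EV_NONE = 0, EV_SYSCALL, EV_SYSRET };

/* Record delivered to the asynchronous ring buffer (step 7). */
struct ev_record {
    enum ev_kind kind;
    uint32_t domid;
    uint64_t pid_key, eip;
    uint64_t nr;                   /* call number (syscall) or return value (sysret) */
    uint64_t args[MAX_ARGS];
};

/* A leading REX prefix (40-4F) makes the instruction three bytes long. */
static size_t insn_len(const struct vcpu *v)
{
    return ((v->insn[0] & 0xf0) == 0x40) ? 3 : 2;
}

/* Step (3): compare the trapped bytes with 0F 05 (syscall) and 0F 07 (sysret). */
enum ev_kind classify_ud(const struct vcpu *v)
{
    const uint8_t *p = v->insn + (insn_len(v) - 2);
    if (p[0] != 0x0f) return EV_NONE;
    if (p[1] == 0x05) return EV_SYSCALL;
    if (p[1] == 0x07) return EV_SYSRET;
    return EV_NONE;                /* some other #UD: not ours, reinject it */
}

/* Steps (5)-(7): eax carries the call number or return value; EBX, ECX, EDX,
 * ESI and EDI carry the parameters of a syscall (read before emulation). */
bool build_record(const struct vcpu *v, uint32_t domid, struct ev_record *r)
{
    memset(r, 0, sizeof *r);
    r->kind = classify_ud(v);
    if (r->kind == EV_NONE) return false;
    r->domid = domid; r->pid_key = v->cr3; r->eip = v->rip; r->nr = v->rax;
    if (r->kind == EV_SYSCALL) {
        uint64_t regs[MAX_ARGS] = { v->rbx, v->rcx, v->rdx, v->rsi, v->rdi };
        memcpy(r->args, regs, sizeof regs);
    }
    return true;
}

/* Step (9): apply the architectural effect of the trapped instruction so the
 * guest resumes as if SCE had been set.  syscall: RCX <- next RIP, R11 <- RFLAGS,
 * RIP <- LSTAR, RFLAGS &= ~FMASK, CS <- STAR[47:32], SS <- CS + 8.
 * sysret: RIP <- RCX, RFLAGS <- R11, CS <- STAR[63:48] + 16, SS <- STAR[63:48] + 8. */
bool emulate_trapped(struct vcpu *v)
{
    switch (classify_ud(v)) {
    case EV_SYSCALL:
        v->rcx = v->rip + insn_len(v);
        v->r11 = v->rflags;
        v->rip = v->lstar;
        v->rflags &= ~v->sfmask;
        v->cs = (uint16_t)((v->star >> 32) & 0xfffc);
        v->ss = (uint16_t)(v->cs + 8);
        return true;
    case EV_SYSRET:
        v->rip = v->rcx;
        v->rflags = (v->r11 & 0x3c7fd7) | 2;     /* reserved bits fixed up */
        v->cs = (uint16_t)(((v->star >> 48) + 16) | 3);
        v->ss = (uint16_t)(((v->star >> 48) + 8) | 3);
        return true;
    default:
        return false;
    }
}

/* Steps (3)-(9) together: record first, then emulate and let the guest resume. */
bool handle_ud(struct vcpu *v, uint32_t domid, struct ev_record *r)
{
    return build_record(v, domid, r) && emulate_trapped(v);
}

/* Constructed sample snapshot resembling write(1, buf, 5); not captured data. */
struct vcpu sample_vcpu(uint8_t b0, uint8_t b1, uint8_t b2)
{
    struct vcpu v;
    memset(&v, 0, sizeof v);
    v.rip = 0x401000; v.rflags = 0x246; v.rax = 1; v.rbx = 1; v.rcx = 0x7000;
    v.rdx = 5; v.r11 = 0x246; v.cr3 = 0x1a2000; v.sfmask = 0x47700;
    v.lstar = 0xffffffff81000000ULL;
    v.star = (0x0010ULL << 32) | (0x0023ULL << 48); /* kernel CS 0x10, user base 0x23 */
    v.insn[0] = b0; v.insn[1] = b1; v.insn[2] = b2;
    return v;
}
```

A #UD that is not syscall or sysret makes handle_ud() return false, which is the signal to reinject the exception into the guest unchanged.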
Fig. 4 gives the flow diagram of the data forwarding method, whose concrete implementation steps are as follows:
(1) Receive event channel signals in real time.
(2) Judge whether an event channel signal has been received; if so, go to step (3), otherwise go to step (1).
(3) Analyze the content of the event channel signal and extract from it the ID range of the data in the asynchronous ring buffer.
(4) Judge whether an idle data extraction thread currently exists.
(5) If no idle data extraction thread exists, go to step (6); otherwise go to step (7).
(6) Create a new thread for data extraction and perform the corresponding initialization.
(7) According to the data block ID range, take the data content out of the asynchronous ring buffer, clear the content at the corresponding positions in the asynchronous ring buffer, and store the data temporarily in the local cache queue to await forwarding to the behavior analysis server; at the same time reset this data extraction thread to idle.
(8) Clear the corresponding event channel signal.
(9) The data forwarding thread takes data from the local cache queue in order and forwards it to the behavior analysis server; go to step (1).
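The ring buffer handoff of steps (3), (7), (8) and (9) as an added example, not code from the patent: the EventSensor writes records into the shared ring and accumulates the ID range it will signal, the forwarding module drains exactly that range into its local cache queue, resets the drained slots and clears the signal, and the forwarding thread pops the queue in order. The event channel signal is modelled as a struct carrying the inclusive ID range; slot layout, sizes and the sample records are assumptions constructed for this example.

```c
/* Added example, not the patent's own code: the shared-memory ring buffer
 * handoff between the EventSensor (producer) and the data forwarding module
 * (consumer).  Slot layout, sizes and sample records are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define RING_SLOTS 8               /* assumed ring size */
#define QUEUE_CAP  32              /* assumed local cache queue size */

struct slot { uint64_t id; uint32_t domid; uint32_t nr; bool used; };

struct ring {
    struct slot s[RING_SLOTS];
    uint64_t next_id;              /* monotonically increasing record ID */
};

/* Content of the event channel signal: the inclusive ID range awaiting extraction. */
struct ev_signal { uint64_t first, last; bool pending; };

/* Local cache queue of the forwarding module (step 7). */
struct local_queue { struct slot q[QUEUE_CAP]; int head, tail; };

/* Producer: the EventSensor stores one record and extends the signalled range.
 * Returns false when the slot has not been drained yet (ring overrun), so the
 * caller can count the drop instead of silently overwriting an event. */
bool ring_put(struct ring *r, struct ev_signal *sig, uint32_t domid, uint32_t nr)
{
    struct slot *s = &r->s[r->next_id % RING_SLOTS];
    if (s->used) return false;
    s->id = r->next_id; s->domid = domid; s->nr = nr; s->used = true;
    if (!sig->pending) { sig->first = r->next_id; sig->pending = true; }
    sig->last = r->next_id;
    r->next_id++;
    return true;
}

/* Consumer, steps (3), (7) and (8): move the signalled ID range into the local
 * queue, reset each drained slot, and clear the signal once the range is empty.
 * If the local queue fills up the signal is kept with the remaining range.
 * Returns the number of records moved. */
int forward_drain(struct ring *r, struct ev_signal *sig, struct local_queue *lq)
{
    int moved = 0;
    if (!sig->pending) return 0;
    while (sig->first <= sig->last) {
        int next = (lq->tail + 1) % QUEUE_CAP;
        if (next == lq->head) return moved;          /* queue full: keep signal */
        struct slot *s = &r->s[sig->first % RING_SLOTS];
        if (s->used && s->id == sig->first) {         /* skip stale/overwritten slots */
            lq->q[lq->tail] = *s;
            lq->tail = next;
            memset(s, 0, sizeof *s);                  /* reset position in the ring */
            moved++;
        }
        sig->first++;
    }
    sig->pending = false;                             /* step (8) */
    return moved;
}

/* Step (9): the forwarding thread takes records from the queue in order. */
bool queue_pop(struct local_queue *lq, struct slot *out)
{
    if (lq->head == lq->tail) return false;
    *out = lq->q[lq->head];
    lq->head = (lq->head + 1) % QUEUE_CAP;
    return true;
}
```

In a real deployment the ring and the signal live in shared memory and the range is carried by the event channel notification; the logic is the same.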
Fig. 5 gives the flow diagram of the behavior analysis method, whose concrete implementation steps are as follows:
(1) Create multiple threads to receive the data sent by the different servers and store it in the local cache queue.
(2) Analyze the source of the data content and analyze it in different ways according to the source: if it comes from passive monitoring, go to step (3), otherwise go to step (4).
(3) Analyze the data content and extract the data type, then analyze differently according to the type: if it is a file-open type, add the corresponding entry to the four-level list structure of the file view; if it is a file-close type, delete the corresponding entry from the four-level list structure of the file view; otherwise perform add, delete, modify and query operations on the semantic view of the virtual machine according to the specific information.
(4) Analyze the data content and extract the data type, then analyze differently according to the type: if it is process data, initialize the process list view of the corresponding virtual machine, building a three-level list structure keyed by <dom0_ip, domU_id, pid>; if it is file data, initialize the file list view of the corresponding virtual machine, building a four-level list structure keyed by <dom0_ip, domU_id, pid, file descriptor>; for other data types, initialize the semantic view of the virtual machine with a suitable data structure according to the specific information.
(5) Analyze the semantic views finally generated by the active monitoring mode and the asynchronous interception mode with the multi-view comparative analysis model, obtain the final data analysis result, and go to step (1).
In summary, the invention discloses a virtualization-based detection method and system for host behavior that combines active and passive monitoring. The system fully combines active monitoring with asynchronous interception, so the behavior data obtained is more accurate and credible. Compared with published methods it has the following advantages: 1) it integrates the advantages of the two monitoring techniques, active monitoring and asynchronous interception; 2) it builds a multi-view comparative analysis model and performs correlated processing and analysis of the behavior data, improving the accuracy of behavior analysis; 3) it sets up a behavior analysis server that analyzes the behavior data centrally, reducing the server resources consumed by behavior analysis and improving analysis efficiency; 4) it separates behavior data acquisition from behavior analysis, reducing the impact of a server crash on behavior analysis and further improving the safety and reliability of behavior analysis.
The above embodiments are intended only to illustrate the technical solution of the invention and not to limit it; those of ordinary skill in the art may modify the technical solution of the invention or replace parts of it with equivalents without departing from the spirit and scope of the invention, and the scope of protection of the invention shall be determined by the claims.
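The views of steps (3) to (5) of Fig. 5 as an added example, not code from the patent: the three-level process view keyed by <dom0_ip, domU_id, pid> and the four-level file view keyed by <dom0_ip, domU_id, pid, fd> are initialized from an active snapshot, passive open/close events are applied to the file view, and one comparison rule of the kind the multi-view model would apply flags file entries whose owning process the active poll never saw. Flat arrays stand in for the nested lists, the comparison rule is an assumption, and all sample data is constructed.

```c
/* Added example, not the patent's own code: process view, file view, passive
 * updates and one cross-view comparison.  Flat arrays replace the nested lists;
 * the comparison rule and all sample data are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_ENTRIES 64

struct proc_key { uint32_t dom0_ip, domu_id, pid; };       /* three-level key */
struct file_key { struct proc_key p; int fd; };            /* four-level key  */

struct proc_view { struct proc_key k[MAX_ENTRIES]; int n; };
struct file_view { struct file_key k[MAX_ENTRIES]; int n; };

static bool proc_eq(struct proc_key a, struct proc_key b)
{
    return a.dom0_ip == b.dom0_ip && a.domu_id == b.domu_id && a.pid == b.pid;
}

/* Process view: initialized from the active (Libvmi) snapshot, step (4). */
int proc_find(const struct proc_view *v, struct proc_key k)
{
    for (int i = 0; i < v->n; i++) if (proc_eq(v->k[i], k)) return i;
    return -1;
}

bool proc_add(struct proc_view *v, struct proc_key k)
{
    if (v->n >= MAX_ENTRIES || proc_find(v, k) >= 0) return false;
    v->k[v->n++] = k;
    return true;
}

/* File view: initialized from the active snapshot, then kept current by the
 * passive open/close events of step (3). */
int file_find(const struct file_view *v, struct file_key k)
{
    for (int i = 0; i < v->n; i++)
        if (proc_eq(v->k[i].p, k.p) && v->k[i].fd == k.fd) return i;
    return -1;
}

bool file_add(struct file_view *v, struct file_key k)
{
    if (v->n >= MAX_ENTRIES || file_find(v, k) >= 0) return false;
    v->k[v->n++] = k;
    return true;
}

bool file_del(struct file_view *v, struct file_key k)
{
    int i = file_find(v, k);
    if (i < 0) return false;
    v->k[i] = v->k[--v->n];                /* order within the view is irrelevant */
    return true;
}

/* Passive event as delivered by the forwarding module (assumed format). */
enum ev_type { EV_OPEN, EV_CLOSE };
struct passive_ev { enum ev_type t; struct file_key f; };

/* Step (3): add the entry on open, delete it on close. */
bool apply_passive(struct file_view *fv, const struct passive_ev *e)
{
    return e->t == EV_OPEN ? file_add(fv, e->f) : file_del(fv, e->f);
}

/* One comparison rule (assumption): a file entry whose owning process is absent
 * from the process view was seen by passive monitoring alone, i.e. a process the
 * active poll missed.  Returns how many such entries exist. */
int compare_views(const struct proc_view *pv, const struct file_view *fv)
{
    int orphans = 0;
    for (int i = 0; i < fv->n; i++)
        if (proc_find(pv, fv->k[i].p) < 0) orphans++;
    return orphans;
}

/* Constructed scenario: two processes seen by the active poll, then three
 * passive events, one of them from a pid the poll never saw. */
int demo_scenario(struct proc_view *pv, struct file_view *fv)
{
    const uint32_t ip = 0x0a000001, dom = 3;      /* 10.0.0.1, DomU id 3 (made up) */
    pv->n = 0; fv->n = 0;
    proc_add(pv, (struct proc_key){ ip, dom, 100 });
    proc_add(pv, (struct proc_key){ ip, dom, 200 });
    file_add(fv, (struct file_key){ { ip, dom, 100 }, 3 });
    file_add(fv, (struct file_key){ { ip, dom, 200 }, 4 });
    struct passive_ev evs[] = {
        { EV_OPEN,  { { ip, dom, 100 }, 5 } },
        { EV_CLOSE, { { ip, dom, 100 }, 3 } },
        { EV_OPEN,  { { ip, dom, 300 }, 3 } },
    };
    for (size_t i = 0; i < sizeof evs / sizeof evs[0]; i++) apply_passive(fv, &evs[i]);
    return compare_views(pv, fv);
}
```

The orphan that demo_scenario() reports is the kind of discrepancy step (5) can only find because both views exist; neither the poll nor the event stream alone exposes it.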

Claims (10)

1. A virtualization-based active and passive combination detection system for host behavior, characterized in that it comprises an active monitoring data acquisition module, a passive monitoring data acquisition module, a data forwarding module and a behavior analysis module, wherein the active monitoring data acquisition module actively obtains, in active monitoring mode, the static data inside the virtual machine at the current moment; the passive monitoring data acquisition module captures, in asynchronous interception mode, the system call and system instruction data inside the virtual machine; the data forwarding module is responsible for remotely forwarding the locally obtained data to the behavior analysis server for analysis, the forwarded data comprising the behavior data obtained in active mode and the behavior data obtained in asynchronous interception mode; and the behavior analysis module receives the behavior data sent by the data forwarding module and dynamically controls analysis threads to analyze the behavior data according to its source.
2. The system of claim 1, characterized in that the active monitoring data acquisition module obtains the system state inside the virtual machine through a virtual machine introspection tool.
3. The system of claim 1, characterized in that the passive monitoring data acquisition module continuously intercepts events inside the virtual machine through an event receiver; when the event receiver intercepts exception information it judges whether the exception was caused by syscall or sysret, and if it was caused by one of these two instructions it collects the system call number, the system call parameters, the number of the process making the system call, the address at which the system call occurred, and basic information about the virtual machine; the event receiver puts the collected data into a ring buffer implemented in shared memory; after collection of the system call information is finished, the event receiver notifies the data forwarding module through the event channel mechanism to take the data away, and at the same time emulates the operation of the syscall or sysret instruction and resumes the operation of the virtual machine.
4. The system of claim 1, characterized in that the data forwarding module receives event channel signals in real time, analyzes the content of the event channel signal, extracts from it the ID range of the data in the asynchronous ring buffer, and then judges whether an idle data extraction thread currently exists; if no idle data extraction thread exists, it creates a new thread for data extraction and performs the corresponding initialization; if an idle data extraction thread exists, then according to the data block ID range it takes the data content out of the asynchronous ring buffer, clears the content at the corresponding positions in the asynchronous ring buffer, stores the data temporarily in the local cache queue to await forwarding to the behavior analysis server, and at the same time resets this data extraction thread to idle; the data forwarding thread takes data from the local cache queue in order and forwards it to the behavior analysis server.
5. The system of claim 1, characterized in that the behavior analysis module creates multiple threads to receive the data sent by the different servers and stores it in the local cache queue, then analyzes the source of the data content and analyzes it in different ways according to the source; the semantic views finally generated by the active monitoring mode and the asynchronous interception mode are analyzed with the multi-view comparative analysis model to obtain the final data analysis result.
6. A virtualization-based active and passive combination detection method for host behavior using the system of claim 1, characterized in that it comprises the steps:
1) the active monitoring data acquisition module obtains the system state inside the virtual machine, constructs the required semantic information from the current system state, and forwards it through the data forwarding module to the behavior analysis module on the remote behavior analysis server;
2) the passive monitoring data acquisition module continuously intercepts events inside the virtual machine through the event receiver, and the event receiver puts the collected data into a ring buffer implemented in shared memory; after collection of the system call information is finished, the event receiver notifies the data forwarding module through the event channel mechanism to take the data away; the data forwarding module takes away the data collected by the event receiver and sends it to the behavior analysis module on the remote behavior analysis server;
3) the behavior analysis module receives the behavior data sent by the data forwarding module and distributes it to different behavior analysis threads according to its source;
4) the behavior analysis threads dynamically create and destroy threads according to the volume of data, analyze the behavior data and operate on the different views.
7. The method of claim 6, characterized in that in step 1) the method of obtaining data by active monitoring is:
(1) initialize a timer and set its period;
(2) judge whether the timer has expired, or whether another module has requested active monitoring data acquisition; if so, go to step (3);
(3) obtain the whole memory data of the virtual machine through Libvmi;
(4) after a brief sorting and analysis of the memory data, form the active monitoring semantic information;
(5) forward the sorted memory data and the corresponding semantic information to the remote analysis server through the data forwarding module;
(6) if the acquisition was triggered by the timer, reset the timer;
(7) return to step (2).
8. The method of claim 6, characterized in that in step 2) the method of obtaining data by passive monitoring is:
(1) set the SCE field of the EFER register to 0;
(2) listen for the #UD exception; when a #UD exception is intercepted, trap into the VMM;
(3) compare the encoding of the current instruction with the encodings of syscall and sysret to see whether the exception was caused by a syscall or sysret instruction; if it was caused by one of these two instructions, go to step (4), otherwise go to step (1);
(4) analyze the instruction type: for a syscall instruction go to step (5); for a sysret instruction go to step (6);
(5) analyze the eax register to obtain the system call number, and at the same time analyze the 5 registers EBX, EDI, etc. to obtain the system call parameters; go to step (7);
(6) analyze the eax register to obtain the system call return value; go to step (7);
(7) obtain the number of the process in which the instruction executed and the address eip of the instruction in memory, obtain the identifier Domid of the virtual machine, generate the passive monitoring semantics from this information, and deliver the generated passive monitoring semantic information together with the corresponding monitoring data into the asynchronous ring buffer;
(8) notify the data forwarding module through the event channel mechanism that a new event has been produced;
(9) emulate the execution of the syscall or sysret instruction and resume the execution of the system call;
(10) call the active monitoring data acquisition module to generate the active monitoring semantics; go to step (1).
9. The method of claim 6, characterized in that in step 3) the method of forwarding data is:
(1) receive event channel signals in real time;
(2) judge whether an event channel signal has been received; if so, go to step (3), otherwise go to step (1);
(3) analyze the content of the event channel signal and extract from it the ID range of the data in the asynchronous ring buffer;
(4) judge whether an idle data extraction thread currently exists;
(5) if no idle data extraction thread exists, go to step (6); otherwise go to step (7);
(6) create a new thread for data extraction and perform the corresponding initialization;
(7) according to the data block ID range, take the data content out of the asynchronous ring buffer, clear the content at the corresponding positions in the asynchronous ring buffer, and store the data temporarily in the local cache queue to await forwarding to the behavior analysis server; at the same time reset this data extraction thread to idle;
(8) clear the corresponding event channel signal;
(9) the data forwarding thread takes data from the local cache queue in order and forwards it to the behavior analysis server; go to step (1).
10. The method as claimed in claim 6, characterized in that the method of performing behaviour analysis in step 4) is:
(1) create multiple threads to receive the data sent by the different servers and store it in a local cache queue;
(2) analyze the source of the data content and analyze it differently according to that source: if it comes from the passive monitoring mode, go to step (3), otherwise go to step (4);
(3) analyze the data content and extract the data type, and perform a different analysis according to the type: for a file-open type, add the corresponding entry to the four-level list structure of the file view; for a file-close type, delete the corresponding entry from the four-level list structure of the file view; otherwise, according to the specific information, perform add, delete, modify and query operations on the semantic view of the virtual machine;
(4) analyze the data content and extract the data type, and perform a different analysis according to the type: for the process data type, initialize the process list view of the corresponding virtual machine, building a three-level list structure keyed by <dom0_ip, domU_id, pid>; for the file data type, initialize the file list view of the corresponding virtual machine, building a four-level list structure keyed by <dom0_ip, domU_id, pid, file descriptor>; for other data types, initialize the semantic view of the virtual machine with a suitable data structure according to the specific information;
(5) analyze the semantic views finally produced by the active monitoring mode and by the asynchronous listening (passive) detection mode with a multi-view comparative analysis model to obtain the final analysis result; go to step (1).
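The view construction of steps (3) and (4) and the multi-view comparison of step (5), as an added Python illustration that is not the patent's code. The event format, the snapshot format, the names SemanticView, compare_views and run_demo, and the discrepancy rules are assumptions: claim 10 names the comparative analysis model but does not define its rules, so the rule used here is the standard cross-view one, in which an object that issued system calls under passive monitoring but is missing from the active snapshot is reported as hidden, and the reverse difference is reported as idle rather than alerted on.

```python
"""Semantic views keyed as in claim 10 (<dom0_ip, domU_id, pid> for processes,
<dom0_ip, domU_id, pid, fd> for files) and a cross-view comparison between the view
rebuilt from an active snapshot and the view accumulated from intercepted syscalls.
Added illustration: event and snapshot formats and the discrepancy rules are assumptions."""
from typing import Dict, List, Set, Tuple

ProcKey = Tuple[str, int, int]        # <dom0_ip, domU_id, pid>
FileKey = Tuple[str, int, int, int]   # <dom0_ip, domU_id, pid, fd>


class SemanticView:
    """Per-VM process list (three levels) and file list (four levels)."""

    def __init__(self) -> None:
        self.procs: Dict[str, Dict[int, Dict[int, str]]] = {}
        self.files: Dict[str, Dict[int, Dict[int, Dict[int, str]]]] = {}

    def _vm(self, dom0_ip: str, domU_id: int):
        p = self.procs.setdefault(dom0_ip, {}).setdefault(domU_id, {})
        f = self.files.setdefault(dom0_ip, {}).setdefault(domU_id, {})
        return p, f

    # Active monitoring (step 4): a snapshot initialises the VM's views outright.
    def load_snapshot(self, dom0_ip: str, domU_id: int,
                      procs: Dict[int, str], files: Dict[Tuple[int, int], str]) -> None:
        p, f = self._vm(dom0_ip, domU_id)
        p.clear()
        p.update(procs)
        f.clear()
        for (pid, fd), path in files.items():
            f.setdefault(pid, {})[fd] = path

    # Passive monitoring (step 3): each intercepted syscall is an incremental update.
    def apply_event(self, ev: Dict) -> None:
        p, f = self._vm(ev["dom0_ip"], ev["domU_id"])
        pid, kind = ev["pid"], ev["type"]
        if kind == "open":
            f.setdefault(pid, {})[ev["fd"]] = ev["path"]
            p.setdefault(pid, ev.get("comm", "?"))   # any syscall proves the pid exists
        elif kind == "close":
            f.get(pid, {}).pop(ev["fd"], None)
        elif kind == "execve":
            p[pid] = ev["comm"]
        elif kind == "exit":
            p.pop(pid, None)
            f.pop(pid, None)
        else:
            raise ValueError(f"unknown event type {kind!r}")

    def proc_keys(self) -> Set[ProcKey]:
        return {(ip, dom, pid) for ip, doms in self.procs.items()
                for dom, procs in doms.items() for pid in procs}

    def file_keys(self) -> Set[FileKey]:
        return {(ip, dom, pid, fd) for ip, doms in self.files.items()
                for dom, pids in doms.items() for pid, fds in pids.items() for fd in fds}


def compare_views(active: SemanticView, passive: SemanticView) -> Dict[str, List]:
    """Multi-view comparison. A pid or fd that issued syscalls (passive view) but is
    absent from the snapshot (active view) is the usual signature of an object hidden
    from in-guest enumeration; the reverse difference is merely idle and is listed
    for completeness, not as an alert."""
    return {
        "hidden_processes": sorted(passive.proc_keys() - active.proc_keys()),
        "hidden_files": sorted(passive.file_keys() - active.file_keys()),
        "idle_processes": sorted(active.proc_keys() - passive.proc_keys()),
    }


def run_demo() -> Dict[str, List]:
    """Constructed data for one VM (domU 7 on dom0 10.0.0.1)."""
    active, passive = SemanticView(), SemanticView()
    active.load_snapshot("10.0.0.1", 7,
                         procs={1: "init", 412: "sshd", 900: "bash"},
                         files={(412, 3): "/var/log/auth.log"})
    base = {"dom0_ip": "10.0.0.1", "domU_id": 7}
    events = [
        {**base, "type": "execve", "pid": 900, "comm": "bash"},
        {**base, "type": "open", "pid": 412, "fd": 3, "path": "/var/log/auth.log"},
        {**base, "type": "open", "pid": 900, "fd": 4, "path": "/home/u/.bashrc"},
        {**base, "type": "close", "pid": 900, "fd": 4},
        {**base, "type": "execve", "pid": 2001, "comm": "sleep"},
        {**base, "type": "exit", "pid": 2001},
        # pid 1337 is absent from the snapshot yet is clearly issuing syscalls
        {**base, "type": "open", "pid": 1337, "fd": 5, "path": "/etc/shadow",
         "comm": "kworkerd"},
    ]
    for ev in events:
        passive.apply_event(ev)
    return compare_views(active, passive)
```

The comparison is only meaningful when both views describe the same moment: a process that legitimately exited between the snapshot and the last forwarded event would otherwise show up as hidden. Handling exit events, as apply_event does, covers the exits the passive monitor actually saw; aligning the snapshot with the event stream by record ID or timestamp covers the rest.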
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510970176.4A CN105550095B (en) 2015-12-22 2015-12-22 Virtualization based active and passive combination detection system and method for host behavior

Publications (2)

Publication Number Publication Date
CN105550095A true CN105550095A (en) 2016-05-04
CN105550095B CN105550095B (en) 2018-07-06

Family

ID=55829291

Country Status (1)

Country Link
CN (1) CN105550095B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106027306A (en) * 2016-05-26 2016-10-12 浪潮(北京)电子信息产业有限公司 Resource monitoring method and device
CN106384047A (en) * 2016-08-26 2017-02-08 青岛天龙安全科技有限公司 APP detection unknown pattern collection and judging method
CN106384047B (en) * 2016-08-26 2019-11-15 青岛天龙安全科技有限公司 APP detects unknown behavior acquisition and judgment method
CN107463430A (en) * 2017-08-03 2017-12-12 哈尔滨工业大学 Virtual machine memory dynamic management system and method based on memory and Swap space
CN107463430B (en) * 2017-08-03 2020-10-02 哈尔滨工业大学 Dynamic management system and method for virtual machine memory based on memory and Swap space
CN109618139A (en) * 2019-01-10 2019-04-12 深圳市华金盾信息科技有限公司 Intelligent video monitoring system and method for view-based access control model routing
CN113032216A (en) * 2021-03-26 2021-06-25 山东英信计算机技术有限公司 Monitoring method, device, equipment and medium
CN113032216B (en) * 2021-03-26 2023-04-25 山东英信计算机技术有限公司 Monitoring method, device, equipment and medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6021438A (en) * 1997-06-18 2000-02-01 Wyatt River Software, Inc. License management system using daemons and aliasing
CN103500304A (en) * 2013-10-13 2014-01-08 西安电子科技大学 Virtual machine personalized security monitoring system and method based on Xen
CN103501303A (en) * 2013-10-12 2014-01-08 武汉大学 Active remote attestation method for measurement of cloud platform virtual machine

Also Published As

Publication number Publication date
CN105550095B (en) 2018-07-06

Similar Documents

Publication Publication Date Title
CN105550095A (en) Virtualization based active and passive combination detection system and method for host behavior
US9436603B1 (en) Detection and mitigation of timing side-channel attacks
CN101976200B (en) Virtual machine system for input/output equipment virtualization outside virtual machine monitor
CN101557420A (en) Realization method of high-efficiency network communication of a virtual machine monitor
CN102609298B (en) Network interface card virtualization system and method based on hardware queue extension
US10824537B2 (en) Method, device, and computer readable medium for tracing computing system
CN104021344B (en) Honey pot mechanism and method used for collecting and intercepting internal storage behaviors of computer
CN103902885A (en) Virtual machine security isolation system and method oriented to multi-security-level virtual desktop system
CN104715201A (en) Method and system for detecting malicious acts of virtual machine
Moga et al. Os-level virtualization for industrial automation systems: Are we there yet?
CN103077071B (en) Method and system for acquiring KVM virtual machine process information
Pellegrini et al. The rome optimistic simulator: Core internals and programming model
CN103399812A (en) Magnetic disc file operation monitoring system and monitoring method based on Xen hardware virtualization
CN104008329A (en) Software privacy leak behavior detection method and system based on virtualization technology
CN103310152A (en) Kernel mode Rootkit detection method based on system virtualization technology
KR20180129631A (en) Accelerating network security monitoring
CN102929769A (en) Virtual machine internal-data acquisition method based on agency service
KR102088308B1 (en) Cloud security analysing apparatus, apparatus and method for management of security policy based on nsfv
CN105607945B (en) Virtualization based asynchronous listening and interception system and method for host behavior
CN105550574B (en) Side channel analysis evidence-obtaining system and method based on memory activity
CN103268567B (en) Efficient mass event detection and processing method for manufacturing trade management systems
Koller et al. Unified monitoring and analytics in the cloud
Qiang et al. CloudVMI: A cloud-oriented writable virtual machine introspection
CN104850781A (en) Method and system for dynamic multilevel behavioral analysis of malicious code
CN102193843B (en) Method for accelerating virtual machine system breakdown on-site storage

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant