CN105631320A - Detection method and device of virtual machine escape - Google Patents

Detection method and device of virtual machine escape

Info

Publication number: CN105631320A
Authority: CN (China)
Prior art keywords: preset; virtual machine; value; escape; list
Legal status: Granted
Application number: CN201510959276.7A
Other languages: Chinese (zh)
Other versions: CN105631320B (en)
Inventors: 汪圣平, 唐青昊
Current Assignee: Beijing Qihoo Technology Co Ltd; Qianxin Technology Group Co Ltd
Original Assignee: Beijing Qihoo Technology Co Ltd; Beijing Qianxin Technology Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Beijing Qianxin Technology Co Ltd
Priority to CN201510959276.7A
Publication of CN105631320A
Application granted; publication of CN105631320B
Current legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine

Abstract

The invention discloses a method and a device for detecting virtual machine escape, relates to the field of information technology, and can detect virtual machine escape behavior in time so that security protection can be carried out. The method comprises: first, obtaining the binary file currently being executed in the virtual machine; then, calculating the Message-Digest Algorithm 5 (MD5) value corresponding to the binary file; and finally, detecting whether the MD5 value matches a preset MD5 value in a preset escape list and determining that virtual machine escape exists if it does, where the preset escape list stores preset MD5 values each corresponding to a different escape file. The method and device are suitable for detecting virtual machine escape behavior.

Description

Detection method and device of virtual machine escape
Technical field
The present invention relates to the field of information technology, and in particular to a method and a device for detecting virtual machine escape.
Background technology
With the development of information technology, computer software development techniques have become more and more widespread, and virtual machine escape has become an urgent problem for researchers. Virtual machine escape refers to an attack that exploits a vulnerability in the virtual machine software, or in software running inside the virtual machine, in order to attack or take control of the host operating system of the virtual machine.
At present, a program inside a virtual machine can only run inside that virtual machine; when a vulnerability appears in the virtual machine system, the program inside the virtual machine can break through the boundary of the virtual machine and read resources outside it. For example, a virtual machine escape can carry the escape program into the host through a virtualized USB flash drive and take over resources on the host; a virtualized emulator instruction can also be used to carry the escape program. Neither escape mode is a normal operating condition of the system, so escapes need to be protected against in time.
Summary of the invention
In view of this, the invention provides a method and a device for detecting virtual machine escape, the main purpose of which is to detect virtual machine escape behavior in time so that security protection can be carried out.
According to one aspect of the invention, a method for detecting virtual machine escape is provided, the method comprising:
obtaining the binary file currently being executed in the virtual machine;
calculating the MD5 value corresponding to the binary file;
detecting whether the MD5 value matches a preset MD5 value in a preset escape list, the preset escape list storing preset MD5 values each corresponding to a different escape file;
if so, determining that virtual machine escape exists.
According to another aspect of the invention, a device for detecting virtual machine escape is provided, the device comprising:
an acquiring unit, for obtaining the binary file currently being executed in the virtual machine;
a computing unit, for calculating the MD5 value corresponding to the binary file obtained by the acquiring unit;
a detection unit, for detecting whether the MD5 value calculated by the computing unit matches a preset MD5 value in a preset escape list, the preset escape list storing preset MD5 values each corresponding to a different escape file;
a determining unit, for determining that virtual machine escape exists if the detection unit detects that the MD5 value matches a preset MD5 value in the preset escape list.
By means of the above technical solution, the technical solution provided by the embodiments of the invention has at least the following advantage:
The method and device for detecting virtual machine escape provided by the invention first obtain the binary file currently being executed in the virtual machine; then calculate the MD5 value corresponding to the binary file; and finally detect whether the MD5 value matches a preset MD5 value in a preset escape list, the preset escape list storing preset MD5 values each corresponding to a different escape file; if so, it is determined that virtual machine escape exists. By detecting whether the MD5 value of the binary file currently being executed in the virtual machine matches a preset MD5 value in the preset escape list, the invention can determine whether a virtual machine escape exists, and can therefore detect virtual machine escape behavior in time so that security protection can be carried out.
The above is only an overview of the technical solution of the invention. In order that the technical means of the invention can be better understood and practiced according to the content of the description, and that the above and other objects, features and advantages of the invention can become more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the invention. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 is a schematic flow chart of a method for detecting virtual machine escape provided by an embodiment of the invention;
Fig. 2 is a schematic flow chart of another method for detecting virtual machine escape provided by an embodiment of the invention;
Fig. 3 is a schematic structural diagram of a device for detecting virtual machine escape provided by an embodiment of the invention;
Fig. 4 is a schematic structural diagram of another device for detecting virtual machine escape provided by an embodiment of the invention.
Detailed description of the invention
Exemplary embodiments of the disclosure are described more fully below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set out here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope can be conveyed fully to those skilled in the art.
An embodiment of the invention provides a method for detecting virtual machine escape; as shown in Fig. 1, the method includes:
101. Obtaining the binary file currently being executed in the virtual machine.
Here, a binary file is a file containing data or program instructions written in ASCII and extended ASCII characters. Computer files are essentially divided into two kinds, binary files and ASCII files (also called plain text files); computer programs such as graphics files and word processors belong to the binary files. These files contain special formats and computer code. For the embodiment of the invention, the binary file may be an ERF file, a driver file, or the like.
It should be noted that the executing agent of the embodiment of the invention may be a lightweight agent client installed in the virtual machine, used to monitor the virtual machine for escape behavior.
102. Calculating the MD5 value corresponding to the binary file.
Here, MD5 (Message-Digest Algorithm 5) is one of the hash algorithms widely used in computing.
103. Detecting whether the MD5 value matches a preset MD5 value in a preset escape list.
Here, the preset escape list stores preset MD5 values each corresponding to a different escape file.
Further, the preset MD5 values corresponding to the different escape files may be obtained in advance from a cloud server and saved in the preset escape list in a local cache, where they are used for matching verification, so that virtual machine escape behavior can be detected.
104. If the MD5 value is detected to match a preset MD5 value in the preset escape list, determining that virtual machine escape exists.
It should be noted that when the MD5 value is detected to match a preset MD5 value in the preset escape list, it can be determined that escape behavior exists in the current virtual machine, which may pose a security threat to the host; this escape behavior needs to be protected against in time, and prompt information is output to inform the user that escape behavior exists in the current virtual machine so that security protection can be carried out.
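Steps 101 to 104, as an added Python example that is not part of the patent or of any product of the assignees: a lightweight-agent routine that hashes each executing binary with MD5 and matches the digest against a locally cached preset escape list, together with the refresh of that cache from a cloud-supplied copy that the second embodiment describes. The sample binaries, the cloud payload and its version string are constructed for the example; the digest in the list is computed from the constructed bytes, not taken from any real escape file, and reading the image behind each running process is left to the caller. One caveat a practitioner would add: MD5 is collision-broken and an exact-digest list misses after a one-byte change to the file, which is why the patent's later fallbacks (segment matching, access-path and key-function checks) carry the detection when the digest does not match.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample "binaries" standing in for files executing in the guest.
# A real agent would read the image backing each running process instead.
SAMPLE_BINARIES: Dict[str, bytes] = {
    "escape_tool.bin": b"\x7fELF" + b"vusb-escape-payload" * 8,  # constructed
    "notepad.bin": b"MZ" + b"harmless-editor" * 8,               # constructed
}


def md5_hex(data: bytes) -> str:
    """Step 102: MD5 digest of a binary as lower-case hex, so list entries compare as strings."""
    return hashlib.md5(data).hexdigest()


@dataclass
class EscapeList:
    """Step 103's preset escape list, cached locally and refreshed from a cloud-supplied copy."""
    entries: Dict[str, str] = field(default_factory=dict)  # md5 hex -> escape file name
    version: str = ""

    def update_from_cloud(self, payload: dict) -> bool:
        """Replace the cache when the fetched copy differs; True when an update was applied.
        `payload` is the parsed response of a hypothetical cloud endpoint:
        {"version": <str>, "entries": {<md5 hex>: <escape file name>}}."""
        if payload["version"] == self.version:
            return False
        # Normalise case so an upper-case digest from the server still matches.
        self.entries = {k.lower(): v for k, v in payload["entries"].items()}
        self.version = payload["version"]
        return True

    def match(self, digest: str) -> Optional[str]:
        """Steps 103/104: the escape file name on a hit, None otherwise."""
        return self.entries.get(digest.lower())


def scan(binaries: Dict[str, bytes], escape_list: EscapeList) -> List[Tuple[str, str, str]]:
    """Steps 101-104 over every executing binary; returns (name, digest, escape_file) per hit."""
    hits = []
    for name, data in binaries.items():
        digest = md5_hex(data)
        matched = escape_list.match(digest)
        if matched is not None:
            hits.append((name, digest, matched))
    return hits


# Constructed cloud payload; the digest is computed from the constructed bytes above
# and deliberately upper-cased to exercise the normalisation in update_from_cloud.
CLOUD_PAYLOAD_V1 = {
    "version": "2015-12-01",
    "entries": {md5_hex(SAMPLE_BINARIES["escape_tool.bin"]).upper(): "vusb_escape_sample"},
}

if __name__ == "__main__":
    cache = EscapeList()
    print("escape list updated:", cache.update_from_cloud(CLOUD_PAYLOAD_V1))
    for name, digest, tag in scan(SAMPLE_BINARIES, cache):
        print(f"ALERT: {name} ({digest}) matches escape file {tag}")
    # The same file with one appended byte produces a different digest and no hit.
    print("after 1-byte change:", scan({"x": SAMPLE_BINARIES["escape_tool.bin"] + b"\x00"}, cache))
```

`update_from_cloud` returns False on an unchanged version, so the agent can poll without rewriting the cache on every round; the final line shows the exact-match miss that motivates the fallbacks in the second embodiment.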
The method for detecting virtual machine escape provided by the embodiment of the invention first obtains the binary file currently being executed in the virtual machine; then calculates the MD5 value corresponding to the binary file; and finally detects whether the MD5 value matches a preset MD5 value in a preset escape list, the preset escape list storing preset MD5 values each corresponding to a different escape file; if so, it is determined that virtual machine escape exists. By detecting whether the MD5 value of the binary file currently being executed in the virtual machine matches a preset MD5 value in the preset escape list, the invention can determine whether a virtual machine escape exists, and can therefore detect virtual machine escape behavior in time so that security protection can be carried out.
An embodiment of the invention provides another method for detecting virtual machine escape; as shown in Fig. 2, the method includes:
201. Obtaining the binary file currently being executed in the virtual machine.
Here, for the explanation of the concept of the binary file, reference may be made to the corresponding description in step 101, which is not repeated here.
It should be noted that the executing agent of the embodiment of the invention may be a lightweight agent client installed in the virtual machine, used to monitor the virtual machine for escape behavior.
202. Calculating the MD5 value corresponding to the binary file.
203. Detecting whether the MD5 value matches a preset MD5 value in a preset escape list.
Here, the preset escape list stores preset MD5 values each corresponding to a different escape file.
Further, after step 203 is performed, the method may also include: if the MD5 value corresponding to the binary file is detected not to match any preset MD5 value in the preset escape list, extracting the critical segment information in the binary file; detecting whether the matching degree between the critical segment information and preset critical segment information is greater than or equal to a preset threshold; and if so, determining that virtual machine escape exists. Here, the critical segment information comprises a plurality of critical segments, and the preset critical segment information comprises a plurality of preset critical segments; a preset critical segment is a critical segment from which the existence of escape behavior can be determined, and can be configured according to actual requirements. The preset threshold can be configured according to the actual needs of the user or set by system default; the embodiment of the invention does not limit this.
For example, the critical segment information extracted from the binary file comprises 100 critical segments and the preset threshold is 70%. The critical segment information is matched against the preset critical segment information; when 75 critical segments are detected to match critical segments in the preset critical segment information, the matching degree between the critical segment information and the preset critical segment information is calculated as 75%, which is greater than the preset threshold, so it is determined that virtual machine escape behavior exists.
It should be noted that, after step 203, when the MD5 value corresponding to the binary file does not match any preset MD5 value in the preset escape list, detecting whether the matching degree between the critical segment information in the binary file and the preset critical segment information is greater than or equal to the preset threshold, and determining that virtual machine escape behavior exists if so, can improve the accuracy of detecting virtual machine escape behavior.
Still further, after detecting whether the matching degree between the critical segment information and the preset critical segment information is greater than or equal to the preset threshold, the method may also include: if the matching degree between the critical segment information and the preset critical segment information is detected to be less than the preset threshold, parsing the binary file to obtain the corresponding access path information; detecting whether the access path information matches preset access path information; and if so, determining that virtual machine escape exists. Here, the access path information comprises the execution function corresponding to each access path node. The preset access path information comprises the access path of an escape file, that is, the sequence of operations the escape file performs on the system inside the virtual machine.
Specifically, detecting whether the access path information matches the preset access path information includes: detecting whether each execution function matches the corresponding preset execution function in the preset access path information. For example, the access path information comprises the execution functions corresponding to two access path nodes, namely function 1 and function 2, and the preset access path information comprises the preset execution functions corresponding to two access path nodes, namely function a and function b; when function 1 matches function a and function 2 matches function b, it is determined that the access path information matches the preset access path information.
It should be noted that, after detecting whether the matching degree between the critical segment information and the preset critical segment information is greater than or equal to the preset threshold, detecting whether the access path information obtained by parsing the binary file matches the preset access path information, and determining that virtual machine escape behavior exists if so, can further improve the accuracy of detecting virtual machine escape behavior and avoid escape behavior being missed.
Further, after step 203 is performed, the method may also include: if the MD5 value corresponding to the binary file is detected not to match any preset MD5 value in the preset escape list, detecting whether executing the binary file triggers execution of a preset key function; and if so, determining that virtual machine escape exists. Here, the preset key function can be configured according to actual requirements. The preset key function may be a function that is triggered and executed only when a virtual machine escape occurs, and is used to determine whether virtual machine escape behavior exists.
It should be noted that, after step 203, when the MD5 value corresponding to the binary file does not match any preset MD5 value in the preset escape list, detecting whether executing the binary file triggers execution of a preset key function, and determining that virtual machine escape exists if so, can improve the accuracy of detecting virtual machine escape behavior.
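The three fallbacks hung off step 203 above (critical-segment matching degree against a threshold, access-path function matching node by node, and key-function triggering), as one added Python example that is not the patent's or the assignees' code. The patent does not say how a critical segment is delimited or how the access path is parsed out of the binary, so the example assumes fixed-size byte chunks for segments, an ordered list of function names for the access path, and a recorded call trace for the key-function check; the preset segments, preset path, preset key functions and the sample binary are constructed for the example. The 100-segment / 70% / 75-match figures from the text are reproduced as the constructed sample and checked in the test.

```python
from typing import Iterable, List, Sequence


def extract_segments(binary: bytes, size: int = 16) -> List[bytes]:
    """Split a binary into 'critical segments'. The patent leaves the segmenting
    rule to the implementer; fixed-size chunks are this example's assumption."""
    return [binary[i:i + size] for i in range(0, len(binary), size)]


def matching_degree(segments: Sequence[bytes], preset_segments: Iterable[bytes]) -> float:
    """Fraction of the extracted segments that appear in the preset critical-segment set."""
    if not segments:
        return 0.0
    preset = set(preset_segments)
    matched = sum(1 for s in segments if s in preset)
    return matched / len(segments)


def segments_indicate_escape(segments: Sequence[bytes], preset_segments: Iterable[bytes],
                             threshold: float) -> bool:
    """Fallback 1: matching degree >= preset threshold (text example: 75 of 100 vs 70%)."""
    return matching_degree(segments, preset_segments) >= threshold


def access_path_matches(path: Sequence[str], preset_path: Sequence[str]) -> bool:
    """Fallback 2: every execution function on the access path matches the preset
    function at the same node (text example: function 1 vs a, function 2 vs b)."""
    return len(path) == len(preset_path) and all(f == p for f, p in zip(path, preset_path))


def key_function_triggered(call_trace: Iterable[str], preset_key_functions: Iterable[str]) -> bool:
    """Fallback 3: executing the binary triggered one of the preset key functions."""
    keys = set(preset_key_functions)
    return any(fn in keys for fn in call_trace)


def detect_after_md5_miss(binary: bytes, access_path: Sequence[str],
                          call_trace: Iterable[str], preset: dict) -> str:
    """Ordering of the second embodiment once the MD5 match has failed: segments,
    then access path, then the key-function branch. Returns the tier that fired or 'none'."""
    segments = extract_segments(binary)
    if segments_indicate_escape(segments, preset["segments"], preset["threshold"]):
        return "segments"
    if access_path_matches(access_path, preset["access_path"]):
        return "access_path"
    if key_function_triggered(call_trace, preset["key_functions"]):
        return "key_function"
    return "none"


# Constructed preset data for the example; function names are hypothetical.
PRESET = {
    "segments": set(),  # filled below from the constructed sample
    "threshold": 0.70,
    "access_path": ["open_virtual_usb", "map_host_memory", "write_host_resource"],
    "key_functions": {"hypercall_breakout", "write_host_resource"},
}
# Constructed 'escape sample': 100 distinct 16-byte segments, 75 of which are marked preset,
# reproducing the 75-of-100 example in the text.
SAMPLE_ESCAPE = b"".join(bytes([i]) * 16 for i in range(100))
PRESET["segments"] = set(extract_segments(SAMPLE_ESCAPE)[:75])

if __name__ == "__main__":
    print("matching degree:", matching_degree(extract_segments(SAMPLE_ESCAPE), PRESET["segments"]))
    print("sample:", detect_after_md5_miss(SAMPLE_ESCAPE, [], [], PRESET))
    unknown = b"\xff" * 160  # no preset segment matches
    print("unknown, preset path:", detect_after_md5_miss(unknown, PRESET["access_path"], [], PRESET))
    print("unknown, key function:", detect_after_md5_miss(unknown, ["x"], ["hypercall_breakout"], PRESET))
```

Each tier is a separate function so the agent can log which one fired; the threshold and the preset sets are data, matching the text's statement that they are configured rather than fixed.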
Further, the preset MD5 values corresponding to the different escape files may be obtained in advance from a cloud server, and the preset MD5 values saved in the preset escape list. Still further, after this, it is also possible to detect whether the preset MD5 values have been updated, and if so, to update the preset escape list. It should be noted that, when the preset MD5 values are detected to have been updated, updating the preset escape list in time makes it possible to detect virtual machine escape behavior more accurately.
204. If the MD5 value is detected to match a preset MD5 value in the preset escape list, determining that virtual machine escape exists.
It should be noted that when the MD5 value is detected to match a preset MD5 value in the preset escape list, it can be determined that escape behavior exists in the current virtual machine, which may pose a security threat to the host, and this escape behavior needs to be protected against in time.
205. Outputting alarm information.
Here, the alarm information may be text alarm information, picture alarm information, audible alarm information, visual alarm information, or the like.
For example, when it is determined that virtual machine escape exists, the alarm information may be output through the audio output of the terminal device on which the lightweight agent client resides, or through the video output of the terminal device on which the lightweight agent client resides, to inform the user that escape behavior exists in the current virtual machine so that security protection can be carried out.
The other method for detecting virtual machine escape provided by the embodiment of the invention first obtains the binary file currently being executed in the virtual machine; then calculates the MD5 value corresponding to the binary file; and finally detects whether the MD5 value matches a preset MD5 value in a preset escape list, the preset escape list storing preset MD5 values each corresponding to a different escape file; if so, it is determined that virtual machine escape exists. By detecting whether the MD5 value of the binary file currently being executed in the virtual machine matches a preset MD5 value in the preset escape list, the invention can determine whether a virtual machine escape exists, and can therefore detect virtual machine escape behavior in time so that security protection can be carried out.
Further, as an implementation of the method described in Fig. 1, an embodiment of the invention provides a device for detecting virtual machine escape; as shown in Fig. 3, the device includes: an acquiring unit 31, a computing unit 32, a detection unit 33 and a determining unit 34.
The acquiring unit 31 may be used to obtain the binary file currently being executed in the virtual machine.
The computing unit 32 may be used to calculate the MD5 value corresponding to the binary file obtained by the acquiring unit 31.
The detection unit 33 may be used to detect whether the MD5 value calculated by the computing unit 32 matches a preset MD5 value in a preset escape list, the preset escape list storing preset MD5 values each corresponding to a different escape file.
The determining unit 34 may be used to determine that virtual machine escape exists if the detection unit 33 detects that the MD5 value matches a preset MD5 value in the preset escape list.
It should be noted that, for other corresponding descriptions of the functional units involved in the device for detecting virtual machine escape provided by the embodiment of the invention, reference may be made to the corresponding description of Fig. 1, which is not repeated here.
The device for detecting virtual machine escape provided by the embodiment of the invention first obtains the binary file currently being executed in the virtual machine; then calculates the MD5 value corresponding to the binary file; and finally detects whether the MD5 value matches a preset MD5 value in a preset escape list, the preset escape list storing preset MD5 values each corresponding to a different escape file; if so, it is determined that virtual machine escape exists. By detecting whether the MD5 value of the binary file currently being executed in the virtual machine matches a preset MD5 value in the preset escape list, the invention can determine whether a virtual machine escape exists, and can therefore detect virtual machine escape behavior in time so that security protection can be carried out.
Further, as an implementation of the method described in Fig. 2, an embodiment of the invention provides another device for detecting virtual machine escape; as shown in Fig. 4, the device includes: an acquiring unit 41, a computing unit 42, a detection unit 43 and a determining unit 44.
The acquiring unit 41 may be used to obtain the binary file currently being executed in the virtual machine.
The computing unit 42 may be used to calculate the MD5 value corresponding to the binary file obtained by the acquiring unit 41.
The detection unit 43 may be used to detect whether the MD5 value calculated by the computing unit 42 matches a preset MD5 value in a preset escape list, the preset escape list storing preset MD5 values each corresponding to a different escape file.
The determining unit 44 may be used to determine that virtual machine escape exists if the detection unit 43 detects that the MD5 value matches a preset MD5 value in the preset escape list.
Further, the device also includes: an extraction unit 45.
The extraction unit 45 may be used to extract the critical segment information in the binary file if the detection unit 43 detects that the MD5 value does not match any preset MD5 value in the preset escape list.
The detection unit 43 may also be used to detect whether the matching degree between the critical segment information extracted by the extraction unit 45 and preset critical segment information is greater than or equal to a preset threshold.
The determining unit 44 may also be used to determine that virtual machine escape exists if the detection unit 43 detects that the matching degree between the critical segment information and the preset critical segment information is greater than or equal to the preset threshold.
Further, the device also includes: a parsing unit 46.
The parsing unit 46 may be used to parse the binary file and obtain the corresponding access path information if the detection unit 43 detects that the matching degree between the critical segment information and the preset critical segment information is less than the preset threshold.
The detection unit 43 may also be used to detect whether the access path information obtained by the parsing unit 46 matches preset access path information.
The determining unit 44 may also be used to determine that virtual machine escape exists if the detection unit 43 detects that the access path information matches the preset access path information.
Optionally, the access path information comprises the execution function corresponding to each access path node.
The detection unit 43 may specifically be used to detect whether each execution function matches the corresponding preset execution function in the preset access path information.
The detection unit 43 may also be used to detect whether executing the binary file triggers execution of a preset key function if the MD5 value does not match any preset MD5 value in the preset escape list.
The determining unit 44 may also be used to determine that virtual machine escape exists if the detection unit 43 detects that executing the binary file triggers execution of a preset key function.
Further, the device also includes: an output unit 47.
The output unit 47 may be used to output alarm information.
Further, the device also includes: a storage unit 48.
The acquiring unit 41 may also be used to obtain from a cloud server the preset MD5 values each corresponding to a different escape file.
The storage unit 48 may be used to save the preset MD5 values in the preset escape list.
Further, the device also includes: an updating unit 49.
The detection unit 43 may also be used to detect whether the preset MD5 values have been updated.
The updating unit 49 may be used to update the preset escape list if the detection unit 43 detects that the preset MD5 values have been updated.
It should be noted that, for other corresponding descriptions of the functional units involved in the other device for detecting virtual machine escape provided by the embodiment of the invention, reference may be made to the corresponding description of Fig. 2, which is not repeated here.
The other device for detecting virtual machine escape provided by the embodiment of the invention first obtains the binary file currently being executed in the virtual machine; then calculates the MD5 value corresponding to the binary file; and finally detects whether the MD5 value matches a preset MD5 value in a preset escape list, the preset escape list storing preset MD5 values each corresponding to a different escape file; if so, it is determined that virtual machine escape exists. By detecting whether the MD5 value of the binary file currently being executed in the virtual machine matches a preset MD5 value in the preset escape list, the invention can determine whether a virtual machine escape exists, and can therefore detect virtual machine escape behavior in time so that security protection can be carried out.
Embodiment of the invention discloses that:
The detection method that A1, a kind of virtual machine are escaped, including:
Obtain the current binary file performed in virtual machine;
Calculate the message digest algorithm MD5 value that described binary file is corresponding;
Detect whether described MD5 value mates with the preset MD5 value in default escape list, described default escape list is preserved the preset MD5 value that different escape file is corresponding respectively;
If, it is determined that there is virtual machine and escape.
A2. The virtual machine escape detection method according to A1, wherein after detecting whether the MD5 value matches a preset MD5 value in the preset escape list, the method further comprises:
If not, extracting the critical segment information in the binary file;
Detecting whether the matching degree between the critical segment information and preset critical segment information is greater than or equal to a preset threshold;
If so, determining that a virtual machine escape exists.
A3. The virtual machine escape detection method according to A2, wherein after detecting whether the matching degree between the critical segment information and the preset critical segment information is greater than or equal to the preset threshold, the method further comprises:
If not, parsing the binary file to obtain the corresponding access path information;
Detecting whether the access path information matches preset access path information;
If so, determining that a virtual machine escape exists.
A4. The virtual machine escape detection method according to A3, wherein the access path information contains the execution function corresponding to each access path node, and detecting whether the access path information matches the preset access path information comprises:
Detecting whether each execution function matches the corresponding preset execution function in the preset access path information.
A5. The virtual machine escape detection method according to A1, wherein after detecting whether the MD5 value matches a preset MD5 value in the preset escape list, the method further comprises:
If not, detecting whether a preset key function is triggered and executed when the binary file is executed;
If so, determining that a virtual machine escape exists.
A6. The virtual machine escape detection method according to A1, wherein after determining that a virtual machine escape exists, the method further comprises:
Outputting alarm information.
A7. The virtual machine escape detection method according to A1, wherein the method further comprises:
Obtaining from a cloud server the preset MD5 values corresponding to different escape files;
Saving the preset MD5 values in the preset escape list.
A8. The virtual machine escape detection method according to A7, wherein after saving the preset MD5 values in the preset escape list, the method further comprises:
Detecting whether the preset MD5 values have been updated;
If so, updating the preset escape list.
B9. A virtual machine escape detecting device, comprising:
An acquiring unit, for obtaining the binary file currently being executed in the virtual machine;
A computing unit, for calculating the MD5 value corresponding to the binary file obtained by the acquiring unit;
A detection unit, for detecting whether the MD5 value calculated by the computing unit matches a preset MD5 value in a preset escape list, where the preset escape list stores the preset MD5 values corresponding to different escape files;
A determining unit, for determining that a virtual machine escape exists if the detection unit detects that the MD5 value matches a preset MD5 value in the preset escape list.
B10. The virtual machine escape detecting device according to B9, wherein the device further comprises an extraction unit;
The extraction unit is for extracting the critical segment information in the binary file if the detection unit detects that the MD5 value does not match a preset MD5 value in the preset escape list;
The detection unit is further for detecting whether the matching degree between the critical segment information extracted by the extraction unit and preset critical segment information is greater than or equal to a preset threshold;
The determining unit is further for determining that a virtual machine escape exists if the detection unit detects that the matching degree between the critical segment information and the preset critical segment information is greater than or equal to the preset threshold.
B11. The virtual machine escape detecting device according to B10, wherein the device further comprises a parsing unit;
The parsing unit is for parsing the binary file to obtain the corresponding access path information if the detection unit detects that the matching degree between the critical segment information and the preset critical segment information is less than the preset threshold;
The detection unit is further for detecting whether the access path information obtained by the parsing unit matches preset access path information;
The determining unit is further for determining that a virtual machine escape exists if the detection unit detects that the access path information matches the preset access path information.
B12. The virtual machine escape detecting device according to B11, wherein the access path information contains the execution function corresponding to each access path node, and
the detection unit is specifically for detecting whether each execution function matches the corresponding preset execution function in the preset access path information.
B13. The virtual machine escape detecting device according to B9, wherein
the detection unit is further for detecting whether a preset key function is triggered and executed when the binary file is executed, if the MD5 value does not match a preset MD5 value in the preset escape list;
the determining unit is further for determining that a virtual machine escape exists if the detection unit detects that a preset key function is triggered and executed when the binary file is executed.
B14. The virtual machine escape detecting device according to B9, wherein the device further comprises:
An output unit, for outputting alarm information.
B15. The virtual machine escape detecting device according to B9, wherein the device further comprises a storage unit;
The acquiring unit is further for obtaining from a cloud server the preset MD5 values corresponding to different escape files;
The storage unit is for saving the preset MD5 values in the preset escape list.
B16. The virtual machine escape detecting device according to B15, wherein the device further comprises an updating unit;
The detection unit is further for detecting whether the preset MD5 values have been updated;
The updating unit is for updating the preset escape list if the detection unit detects that the preset MD5 values have been updated.
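The layered procedure of method embodiments A1 to A8 above, and the device embodiments B9 to B16 that mirror it unit for unit, as one added Python example; this is not the patent's own code and the patent describes no implementation. Everything concrete in it is an assumption: the toy `[CODE]`/`[IMPORTS]` container standing in for a real executable format, the sample byte strings and the MD5 values derived from them, `difflib` similarity as the "matching degree", the 0.8 threshold, and the `observed_calls` tuple standing in for a run-time trace of which functions the binary triggered. The stages run in the claimed order (hash, then critical segment, then access path, then key function), and the cloud update of A7/A8 is modelled by `update_from_cloud`.

```python
"""Layered VM-escape detector in the spirit of CN105631320A (added example, not the patent's code)."""
import difflib
import hashlib
from dataclasses import dataclass, field

# Constructed toy binary format (assumption, not a real executable format): a byte string with
# a [CODE] section holding the critical segment and an [IMPORTS] section holding the
# comma-separated execution functions along the access path.
CODE_TAG = b"[CODE]"
IMPORTS_TAG = b"[IMPORTS]"


def md5_hex(data: bytes) -> str:
    """Stage A1: message-digest (MD5) value of the executing binary, lower-case hex."""
    return hashlib.md5(data).hexdigest()


def extract_critical_segment(binary: bytes) -> bytes:
    """Stage A2: pull the critical segment (the [CODE] section) out of the toy format."""
    start = binary.find(CODE_TAG)
    end = binary.find(IMPORTS_TAG)
    if start < 0:
        return b""
    start += len(CODE_TAG)
    return binary[start:end] if end >= start else binary[start:]


def parse_access_path(binary: bytes) -> tuple:
    """Stage A3: the execution function of each access-path node, from the [IMPORTS] section."""
    pos = binary.find(IMPORTS_TAG)
    if pos < 0:
        return ()
    names = binary[pos + len(IMPORTS_TAG):].decode("ascii", "replace").split(",")
    return tuple(n.strip() for n in names if n.strip())


def segment_match_degree(segment: bytes, preset: bytes) -> float:
    """Matching degree in [0, 1] between a segment and a preset segment (difflib ratio; assumption)."""
    if not segment or not preset:
        return 0.0
    return difflib.SequenceMatcher(None, segment, preset).ratio()


@dataclass
class EscapeList:
    """The preset escape list: MD5 values, critical segments, access paths and key functions."""
    md5_values: set = field(default_factory=set)
    critical_segments: list = field(default_factory=list)
    access_paths: list = field(default_factory=list)
    key_functions: set = field(default_factory=set)

    def update_from_cloud(self, fetched_md5_values) -> bool:
        """Stages A7/A8: merge MD5 values fetched from a (hypothetical) cloud server;
        returns True only when the list actually changed."""
        new = set(fetched_md5_values) - self.md5_values
        self.md5_values |= new
        return bool(new)


def detect_escape(binary: bytes, esc: EscapeList, threshold: float = 0.8, observed_calls=()) -> str:
    """Run the stages in the claimed order; return the stage that fired, or "none".
    observed_calls is a constructed stand-in for a run-time trace of triggered functions (A5)."""
    if md5_hex(binary) in esc.md5_values:                      # A1: exact hash match
        return "md5"
    segment = extract_critical_segment(binary)                 # A2: segment similarity
    degree = max((segment_match_degree(segment, p) for p in esc.critical_segments), default=0.0)
    if degree >= threshold:
        return "segment"
    if parse_access_path(binary) in esc.access_paths:          # A3/A4: node-by-node path match
        return "path"
    if esc.key_functions & set(observed_calls):                # A5: preset key function triggered
        return "key_function"
    return "none"


def alarm(binary: bytes, esc: EscapeList, **kw) -> str:
    """Stage A6: alarm text for an operator, or an empty string when nothing fired."""
    stage = detect_escape(binary, esc, **kw)
    return "" if stage == "none" else f"VM escape suspected (stage={stage}, md5={md5_hex(binary)})"


# Constructed samples: a "known escape" binary, two variants of it, and a benign binary.
KNOWN_ESCAPE = CODE_TAG + b"mov eax,1;call hv_backdoor;ret" + IMPORTS_TAG + b"open_device,ioctl,hv_backdoor"
PATCHED_VARIANT = CODE_TAG + b"mov eax,2;call hv_backdoor;ret" + IMPORTS_TAG + b"open_device,ioctl,hv_backdoor"
REWRITTEN_VARIANT = CODE_TAG + b"xor ebx,ebx;jmp loop" + IMPORTS_TAG + b"open_device,ioctl,hv_backdoor"
BENIGN = CODE_TAG + b"nop;nop;nop" + IMPORTS_TAG + b"printf"


def build_sample_list() -> EscapeList:
    """Escape list seeded from the constructed KNOWN_ESCAPE sample only."""
    return EscapeList(
        md5_values={md5_hex(KNOWN_ESCAPE)},
        critical_segments=[extract_critical_segment(KNOWN_ESCAPE)],
        access_paths=[parse_access_path(KNOWN_ESCAPE)],
        key_functions={"hv_backdoor"},
    )


if __name__ == "__main__":
    esc = build_sample_list()
    for name, sample in [("known", KNOWN_ESCAPE), ("patched", PATCHED_VARIANT),
                         ("rewritten", REWRITTEN_VARIANT), ("benign", BENIGN)]:
        print(name, detect_escape(sample, esc, observed_calls=("printf",)) or "none")
    print("benign with key function triggered:", alarm(BENIGN, esc, observed_calls=("hv_backdoor",)))
```

The point the layering makes for a defender: the exact hash stage catches only the sample it was seeded with, the segment stage still catches the one-byte patch, the path stage catches a rewrite that keeps the same call sequence, and the key-function stage catches a binary that shares nothing with the sample statically but calls the preset function at run time. Each later stage costs more and carries more false-positive risk, which is why the threshold and the preset lists are the parameters an operator would tune.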
In the above embodiments, the description of each embodiment has its own emphasis; for any part not described in detail in a given embodiment, reference may be made to the related description of the other embodiments.
It can be understood that the related features of the above method and device may refer to each other. In addition, "first", "second" and the like in the above embodiments are used to distinguish the embodiments and do not indicate the relative merit of any embodiment.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used together with the teaching herein. From the above description, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and the above description of a specific language is given in order to disclose the best mode of the present invention.
Numerous specific details are set forth in the description provided herein. It should be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and help the understanding of one or more of the inventive aspects, in the above description of exemplary embodiments of the invention the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, this method of disclosure should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Therefore, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the equipment of an embodiment may be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. The modules, units or components in an embodiment may be combined into one module, unit or component, and may additionally be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
In addition, those skilled in the art will understand that, although some embodiments described herein include some features that are included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the present invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The components of the embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the virtual machine escape detection method and device according to the embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the present invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words may be interpreted as names.

Claims (10)

1. A virtual machine escape detection method, characterized in that it comprises:
Obtaining the binary file currently being executed in the virtual machine;
Calculating the message digest algorithm (MD5) value corresponding to the binary file;
Detecting whether the MD5 value matches a preset MD5 value in a preset escape list, where the preset escape list stores the preset MD5 values corresponding to different escape files;
If so, determining that a virtual machine escape exists.
2. The virtual machine escape detection method according to claim 1, characterized in that, after detecting whether the MD5 value matches a preset MD5 value in the preset escape list, the method further comprises:
If not, extracting the critical segment information in the binary file;
Detecting whether the matching degree between the critical segment information and preset critical segment information is greater than or equal to a preset threshold;
If so, determining that a virtual machine escape exists.
3. The virtual machine escape detection method according to claim 2, characterized in that, after detecting whether the matching degree between the critical segment information and the preset critical segment information is greater than or equal to the preset threshold, the method further comprises:
If not, parsing the binary file to obtain the corresponding access path information;
Detecting whether the access path information matches preset access path information;
If so, determining that a virtual machine escape exists.
4. The virtual machine escape detection method according to claim 3, characterized in that the access path information contains the execution function corresponding to each access path node, and detecting whether the access path information matches the preset access path information comprises:
Detecting whether each execution function matches the corresponding preset execution function in the preset access path information.
5. The virtual machine escape detection method according to claim 1, characterized in that, after detecting whether the MD5 value matches a preset MD5 value in the preset escape list, the method further comprises:
If not, detecting whether a preset key function is triggered and executed when the binary file is executed;
If so, determining that a virtual machine escape exists.
6. The virtual machine escape detection method according to claim 1, characterized in that, after determining that a virtual machine escape exists, the method further comprises:
Outputting alarm information.
7. The virtual machine escape detection method according to claim 1, characterized in that the method further comprises:
Obtaining from a cloud server the preset MD5 values corresponding to different escape files;
Saving the preset MD5 values in the preset escape list.
8. The virtual machine escape detection method according to claim 7, characterized in that, after saving the preset MD5 values in the preset escape list, the method further comprises:
Detecting whether the preset MD5 values have been updated;
If so, updating the preset escape list.
9. A virtual machine escape detecting device, characterized in that it comprises:
An acquiring unit, for obtaining the binary file currently being executed in the virtual machine;
A computing unit, for calculating the MD5 value corresponding to the binary file obtained by the acquiring unit;
A detection unit, for detecting whether the MD5 value calculated by the computing unit matches a preset MD5 value in a preset escape list, where the preset escape list stores the preset MD5 values corresponding to different escape files;
A determining unit, for determining that a virtual machine escape exists if the detection unit detects that the MD5 value matches a preset MD5 value in the preset escape list.
10. The virtual machine escape detecting device according to claim 9, characterized in that the device further comprises an extraction unit;
The extraction unit is for extracting the critical segment information in the binary file if the detection unit detects that the MD5 value does not match a preset MD5 value in the preset escape list;
The detection unit is further for detecting whether the matching degree between the critical segment information extracted by the extraction unit and preset critical segment information is greater than or equal to a preset threshold;
The determining unit is further for determining that a virtual machine escape exists if the detection unit detects that the matching degree between the critical segment information and the preset critical segment information is greater than or equal to the preset threshold.
CN201510959276.7A 2015-12-18 2015-12-18 The detection method and device of virtual machine escape Active CN105631320B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510959276.7A CN105631320B (en) 2015-12-18 2015-12-18 The detection method and device of virtual machine escape

Publications (2)

Publication Number Publication Date
CN105631320A true CN105631320A (en) 2016-06-01
CN105631320B CN105631320B (en) 2019-04-19

Family

ID=56046245

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510959276.7A Active CN105631320B (en) 2015-12-18 2015-12-18 The detection method and device of virtual machine escape

Country Status (1)

Country Link
CN (1) CN105631320B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102467637A (en) * 2011-07-28 2012-05-23 中标软件有限公司 Anti-virus system under virtualization environment and anti-virus method thereof
US20120144489A1 (en) * 2010-12-07 2012-06-07 Microsoft Corporation Antimalware Protection of Virtual Machines
CN103366117A (en) * 2012-03-31 2013-10-23 深圳市腾讯计算机系统有限公司 Repairing method and system for files infected by infectious viruses
CN103839003A (en) * 2012-11-22 2014-06-04 腾讯科技(深圳)有限公司 Malicious file detection method and device
CN104462985A (en) * 2014-11-28 2015-03-25 北京奇虎科技有限公司 Detecting method and device of bat loopholes

Also Published As

Publication number Publication date
CN105631320B (en) 2019-04-19

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Co-patentee after: Qianxin Technology Group Co., Ltd.

Patentee after: Beijing Qihu Technology Co., Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Co-patentee before: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.

Patentee before: Beijing Qihu Technology Co., Ltd.

CP01 Change in the name or title of a patent holder