CN105631321B - Detection method and device for virtual machine process information - Google Patents

Info

Publication number: CN105631321B
Authority: CN (China)
Application number: CN201510984793.XA
Other versions: CN105631321A
Other languages: Chinese (zh)
Inventors: 汤迪斌, 屈梦梦, 栾建海
Original assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Current assignee: Beijing Qizhi Business Consulting Co ltd; Beijing Qihoo Technology Co Ltd; 360 Digital Security Technology Group Co Ltd
Legal status: Active (status as listed by Google Patents, not a legal conclusion)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action


Abstract

The invention provides a detection method and device for virtual machine process information. The method comprises: intercepting the IOCTL system calls initiated by a kernel driver on the virtualization platform; obtaining the parameters of the intercepted IOCTL system call and checking them against a preset policy; and deciding, according to the check result, whether the IOCTL system call is executed. By intercepting the IOCTL system calls initiated by the kernel driver and checking their parameters, the method prevents a virtual machine from using IOCTL system calls to attack or take control of the host operating system, and thereby prevents virtual machine escape.

Description

Detection method and device for virtual machine process information
Technical field
The present invention relates to the field of Internet technology, and in particular to a detection method and device for virtual machine process information.
Background technique
Cloud computing is a further revolution in computing and the Internet: it moves computation and storage into the cloud, so that a user with a lightweight portable terminal can perform complex calculations and store large amounts of data. From a technical point of view, cloud computing is not only a new concept; parallel computing and virtualization are the technical means by which cloud computing applications are realized. Hardware has advanced so quickly that the performance of an ordinary physical server far exceeds what an ordinary single user demands of it. Virtualization therefore divides one physical server into several virtual machines, and virtualization services have become the technical foundation for building public clouds and private enterprise clouds.
Virtual machines on the same physical machine are isolated from one another only by software. Malware can attack vulnerabilities in that isolation software in order to attack or take control of the host operating system, so preventing virtual machine escape has become a problem that urgently needs solving.
Summary of the invention
In view of the above shortcomings of the prior art, a detection method and device for virtual machine process information are proposed to solve the technical problem described above.
In a first aspect, the present invention provides a detection device for virtual machine process information, comprising:
an interception module for intercepting the IOCTL system calls initiated by a kernel driver on the virtualization platform;
an acquisition module for obtaining the parameters of the IOCTL system call;
a detection module for checking the parameters against a preset policy;
a determination module for deciding, according to the check result, whether the IOCTL system call is executed.
Optionally, the device further comprises a monitoring module for monitoring the system calls of the host;
and the interception module intercepts the IOCTL system call when an IOCTL system call initiated from Qemu-kvm to kvm is observed.
Optionally, the device further comprises a monitoring module for monitoring the system calls of the host;
and the interception module intercepts the IOCTL system call when an IOCTL system call initiated from Privcmd to xen is observed.
Optionally, deciding according to the check result whether the IOCTL system call is executed comprises:
if the check result is that the call is legitimate, executing the IOCTL system call.
Optionally, the determination module is configured to block the IOCTL system call when the check result is that the call is illegitimate;
and the device further comprises a sending module for sending a warning message to the monitoring host.
Optionally, the sending module is configured to:
send the warning message to the monitoring host as a pop-up window, or send the warning message as a log entry.
In a second aspect, the present invention also provides a detection method for virtual machine process information, comprising:
intercepting the IOCTL system calls initiated by a kernel driver on the virtualization platform;
obtaining the parameters of the IOCTL system call and checking the parameters against a preset policy;
deciding, according to the check result, whether the IOCTL system call is executed.
Optionally, before intercepting the IOCTL system call initiated by the kernel driver on the virtualization platform, the method further comprises:
monitoring the system calls of the host and, if an IOCTL system call initiated from Qemu-kvm to kvm is observed, intercepting that IOCTL system call.
Optionally, before intercepting the IOCTL system call initiated by the kernel driver on the virtualization platform, the method further comprises:
monitoring the system calls of the host and, if an IOCTL system call initiated from Privcmd to xen is observed, intercepting that IOCTL system call.
Optionally, deciding according to the check result whether the IOCTL system call is executed comprises:
if the check result is that the call is legitimate, executing the IOCTL system call.
Optionally, deciding according to the check result whether the IOCTL system call is executed comprises:
if the check result is that the call is illegitimate, blocking the IOCTL system call and sending a warning message to the monitoring host.
Optionally, sending the warning message to the monitoring host comprises:
sending the warning message to the monitoring host as a pop-up window, or sending the warning message as a log entry.
As can be seen from the above technical solution, the invention provides a detection method and device for virtual machine process information which, by intercepting the IOCTL system calls initiated by the kernel driver and checking the parameters of those calls, prevents a virtual machine from using IOCTL system calls to attack or take control of the host operating system, and thereby prevents virtual machine escape.
Detailed description of the invention
In order to explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of a detection method for virtual machine process information provided by one embodiment of the invention;
Fig. 2 is a flow diagram of a detection method for virtual machine process information provided by another embodiment of the invention;
Fig. 3 is a structural diagram of obtaining the IOCTL system call, provided by one embodiment of the invention;
Fig. 4 is a structural diagram of obtaining the IOCTL system call, provided by one embodiment of the invention;
Fig. 5 is a flow diagram of a detection method for virtual machine process information provided by another embodiment of the invention;
Fig. 6 is a structural diagram of obtaining the IOCTL system call, provided by another embodiment of the invention;
Fig. 7 is a structural diagram of obtaining the IOCTL system call, provided by another embodiment of the invention;
Fig. 8 is a structural diagram of a detection device for virtual machine process information provided by one embodiment of the invention;
Fig. 9 is a structural diagram of a detection device for virtual machine process information provided by another embodiment of the invention;
Fig. 10 is a structural diagram of a detection device for virtual machine process information provided by another embodiment of the invention.
Specific embodiment
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the invention without creative effort fall within the protection scope of the invention.
Virtual machine escape means exploiting a vulnerability in the virtual machine software, or in software running inside the virtual machine, in order to attack or take control of the host operating system.
Fig. 1 shows a flow diagram of a detection method for virtual machine process information provided by one embodiment of the invention. As shown in Fig. 1, the method comprises the following steps:
101. Intercept the IOCTL system call initiated by a kernel driver on the virtualization platform.
In this embodiment, intercepting the IOCTL system call initiated by the kernel driver can be understood as hooking the ioctl call with a hook function.
Since current virtualization platforms include the xen platform and the kvm platform, the virtualization platform of this embodiment covers both.
102. Obtain the parameters of the IOCTL system call and check them against a preset policy.
The parameters of the IOCTL system call may include a read operation, a write operation, an operation that opens a program, an operation that closes a program, and so on.
103. Decide, according to the check result, whether the IOCTL system call is executed.
By intercepting the IOCTL system calls initiated by the kernel driver and checking their parameters, the above method prevents a virtual machine from using IOCTL system calls to attack or take control of the host operating system, and thereby prevents virtual machine escape.
Since virtualization platforms include the xen platform and the kvm platform, the method is described in detail below for each of the two platforms.
Taking the xen platform as an example, Fig. 2 shows a flow diagram of the detection method for virtual machine process information provided by this embodiment. As shown in Fig. 2, the method comprises the following steps:
201. Monitor the system calls of the host and, if an IOCTL system call initiated from Privcmd to xen is observed, intercept that IOCTL system call.
At present, the IOCTL interface of the xen platform is provided for the kernel driver Privcmd to call. As shown in Fig. 3 and Fig. 4, the guest interception module intercepts the IOCTL system calls (hypercalls) issued on the physical host, analyses the name and parameters of each intercepted IOCTL, and in particular captures the IOCTL system calls through which the kernel driver Privcmd requests virtual CPU operations.
202. Obtain the parameters of the IOCTL system call, check them against a preset policy and obtain a check result.
It will be appreciated that the preset policy may be a policy for checking whether the parameters of the IOCTL system call are legitimate; the parameter check covers read operations, write operations, operations that open a program, operations that close a program, and so on. The preset policy may also be understood as a security rule base: the parameters are matched against the rules in the rule base, the operating state is assessed, and suspicious parameters are flagged.
The preset policy may also be updated periodically; this embodiment does not limit how.
203. Judge whether the check result is a legitimate call; if so, perform step 204, otherwise perform step 205.
204. Execute the IOCTL system call.
205. Block the IOCTL system call and send a warning message to the monitoring host.
The warning message is sent to the monitoring host as a pop-up window or as a log entry. The warning message may include the suspicious parameters; sending a warning that contains the suspicious parameters to the administrator lets the administrator inspect and analyse the corresponding call in time and capture or block the suspicious process, which prevents virtual machine escape.
Without modifying any module of the xen platform, the above method provides a virtual machine introspection API that is completely transparent to both the virtualization platform and the virtual machines, and uses that interface to scan and analyse the processes and register information inside the virtual machine. The main difference between the technical solution of the invention and other systems that provide similar functionality on the xen platform is that the source code of Privcmd and xen is left entirely unmodified. This is an implementation and deployment approach that users accept more readily: in general, the provider of cloud computing and virtualization services and the provider of security services are not the same vendor, and if the security vendor modified and recompiled the virtualization vendor's product at the source level, the stability of the underlying virtualization platform might suffer and users would be reluctant to accept it. Given that cloud and virtualization service providers will normally not accept a security vendor modifying platform module code, the above method detects virtual machine processes without the security vendor modifying any platform module code.
Taking the kvm platform as an example, Fig. 5 shows a flow diagram of the detection method for virtual machine process information provided by this embodiment. As shown in Fig. 5, the method comprises the following steps:
501. Monitor the system calls of the host and, if an IOCTL system call initiated from Qemu-kvm to kvm is observed, intercept that IOCTL system call.
At present, the IOCTL interface of kvm is provided for the Qemu-kvm module to call. As shown in Fig. 6 and Fig. 7, the guest interception module intercepts the IOCTL system calls (hypercalls) issued on the physical host, analyses the name and parameters of each intercepted IOCTL, and in particular captures the IOCTL system calls through which the kernel driver Qemu-kvm requests virtual CPU operations.
502. Obtain the parameters of the IOCTL system call, check them against a preset policy and obtain a check result.
It will be appreciated that the preset policy may be a policy for checking whether the parameters of the IOCTL system call are legitimate; the parameter check covers read operations, write operations, operations that open a program, operations that close a program, and so on. The preset policy may also be understood as a security rule base: the parameters are matched against the rules in the rule base, the operating state is assessed, and suspicious parameters are flagged.
The preset policy may also be updated periodically; this embodiment does not limit how.
503. Judge whether the check result is a legitimate call; if so, perform step 504, otherwise perform step 505.
504. Execute the IOCTL system call.
505. Block the IOCTL system call and send a warning message to the monitoring host.
The warning message is sent to the monitoring host as a pop-up window or as a log entry. The warning message may include the suspicious parameters; sending a warning that contains the suspicious parameters to the administrator lets the administrator inspect and analyse the corresponding call in time and capture or block the suspicious process, which prevents virtual machine escape.
Without modifying any module of the kvm platform, the above method provides a virtual machine introspection API that is completely transparent to both the virtualization platform and the virtual machines, and uses that interface to scan and analyse the processes and register information inside the virtual machine. The main difference between the technical solution of the invention and other systems that provide similar functionality on the kvm platform is that the source code of Qemu-kvm and kvm is left entirely unmodified. This is an implementation and deployment approach that users accept more readily: in general, the provider of cloud computing and virtualization services and the provider of security services are not the same vendor, and if the security vendor modified and recompiled the virtualization vendor's product at the source level, the stability of the underlying virtualization platform might suffer and users would be reluctant to accept it. Given that cloud and virtualization service providers will normally not accept a security vendor modifying platform module code, the above method detects virtual machine processes without the security vendor modifying any platform module code.
Fig. 8 shows a structural diagram of a detection device for virtual machine process information provided by an embodiment of the invention. As shown in Fig. 8, the device comprises:
an interception module 81 for intercepting the IOCTL system calls initiated by a kernel driver on the virtualization platform.
Since current virtualization platforms include the xen platform and the kvm platform, the virtualization platform of this embodiment covers both.
An acquisition module 82 for obtaining the parameters of the IOCTL system call.
The parameters of the IOCTL system call may include a read operation, a write operation, an operation that opens a program, an operation that closes a program, and so on.
A detection module 83 for checking the parameters against a preset policy.
A determination module 84 for deciding, according to the check result, whether the IOCTL system call is executed.
By intercepting the IOCTL system calls initiated by the kernel driver and checking their parameters, the above device prevents a virtual machine from using IOCTL system calls to attack or take control of the host operating system, and thereby prevents virtual machine escape.
Since virtualization platforms include the xen platform and the kvm platform, the device is described in detail below for each of the two platforms.
Taking the xen platform as an example, as shown in Fig. 9, the device comprises:
a monitoring module 91 for monitoring the system calls of the host;
an interception module 92 which, when an IOCTL system call initiated from Privcmd to xen is observed, intercepts that IOCTL system call;
an acquisition module 93 for obtaining the parameters of the IOCTL system call.
The parameters of the IOCTL system call may include a read operation, a write operation, an operation that opens a program, an operation that closes a program, and so on.
A detection module 94 for checking the parameters against a preset policy.
A determination module 95 for deciding, according to the check result, whether the IOCTL system call is executed: if the check result is that the call is legitimate, the IOCTL system call is executed; if the check result is that the call is illegitimate, the IOCTL system call is blocked.
A sending module 96 for sending a warning message to the monitoring host when the check result is that the call is illegitimate.
In a preferred implementation of this embodiment, the sending module 96 is configured to:
send the warning message to the monitoring host as a pop-up window, or send the warning message as a log entry.
The warning message may include the suspicious parameters; sending a warning that contains the suspicious parameters to the administrator lets the administrator inspect and analyse the corresponding call in time and capture or block the suspicious process, which prevents virtual machine escape.
Without modifying any module of the xen platform, the above device provides a virtual machine introspection API that is completely transparent to both the virtualization platform and the virtual machines, and uses that interface to scan and analyse the processes and register information inside the virtual machine. The main difference between the technical solution of the invention and other systems that provide similar functionality on the xen platform is that the source code of Privcmd and xen is left entirely unmodified. This is an implementation and deployment approach that users accept more readily: in general, the provider of cloud computing and virtualization services and the provider of security services are not the same vendor, and if the security vendor modified and recompiled the virtualization vendor's product at the source level, the stability of the underlying virtualization platform might suffer and users would be reluctant to accept it. Given that cloud and virtualization service providers will normally not accept a security vendor modifying platform module code, the above device detects virtual machine processes without the security vendor modifying any platform module code.
In another possible implementation, taking the kvm platform as an example, as shown in Fig. 10, the device comprises:
a monitoring module 10 for monitoring the system calls of the host;
an interception module 11 which, when an IOCTL system call initiated from Qemu-kvm to kvm is observed, intercepts that IOCTL system call;
an acquisition module 12 for obtaining the parameters of the IOCTL system call.
The parameters of the IOCTL system call may include a read operation, a write operation, an operation that opens a program, an operation that closes a program, and so on.
A detection module 13 for checking the parameters against a preset policy.
A determination module 14 for deciding, according to the check result, whether the IOCTL system call is executed: if the check result is that the call is legitimate, the IOCTL system call is executed; if the check result is that the call is illegitimate, the IOCTL system call is blocked.
A sending module 15 for sending a warning message to the monitoring host when the check result is that the call is illegitimate.
In a preferred implementation of this embodiment, the sending module 15 is configured to:
send the warning message to the monitoring host as a pop-up window, or send the warning message as a log entry.
The warning message may include the suspicious parameters; sending a warning that contains the suspicious parameters to the administrator lets the administrator inspect and analyse the corresponding call in time and capture or block the suspicious process, which prevents virtual machine escape.
Without modifying any module of the kvm platform, the above device provides a virtual machine introspection API that is completely transparent to both the virtualization platform and the virtual machines, and uses that interface to scan and analyse the processes and register information inside the virtual machine. The main difference between the technical solution of the invention and other systems that provide similar functionality on the kvm platform is that the source code of Qemu-kvm and kvm is left entirely unmodified. This is an implementation and deployment approach that users accept more readily: in general, the provider of cloud computing and virtualization services and the provider of security services are not the same vendor, and if the security vendor modified and recompiled the virtualization vendor's product at the source level, the stability of the underlying virtualization platform might suffer and users would be reluctant to accept it. Given that cloud and virtualization service providers will normally not accept a security vendor modifying platform module code, the above device detects virtual machine processes without the security vendor modifying any platform module code.
Embodiments of the invention disclose:
A1. A detection device for virtual machine process information, characterized by comprising:
an interception module, for intercepting the IOCTL system call initiated by the kernel driver in the virtual platform;
an acquisition module, for acquiring the parameters of the IOCTL system call;
a detection module, for detecting the parameters according to a preset strategy;
a determination module, for determining, according to the detection result, whether to execute the IOCTL system call.
A2. The device according to A1, characterized in that the device further comprises: a monitoring module, for monitoring the system calls of the host;
the interception module is configured to intercept the IOCTL system call when an IOCTL system call initiated from Qemu-kvm to kvm is monitored.
A3. The device according to A1, characterized in that the device further comprises: a monitoring module, for monitoring the system calls of the host;
the interception module is configured to intercept the IOCTL system call when an IOCTL system call initiated from Privcmd to xen is monitored.
A4. The device according to A2 or A3, characterized in that determining, according to the detection result, whether to execute the IOCTL system call comprises:
if the detection result is a legal call, executing the IOCTL system call.
A5. The device according to A2 or A3, characterized in that the determination module is configured to block the IOCTL system call when the detection result is an illegal call;
and a sending module, for sending warning information to the monitoring host.
A6. The device according to A5, characterized in that the sending module is configured to:
send the warning information to the monitoring host in the form of a pop-up window, or send the warning information in the form of a log.
B7. A detection method for virtual machine process information, characterized by comprising:
intercepting the IOCTL system call initiated by the kernel driver in the virtual platform;
acquiring the parameters of the IOCTL system call, and detecting the parameters according to a preset strategy;
determining, according to the detection result, whether to execute the IOCTL system call.
B8. The method according to B7, characterized in that before intercepting the IOCTL system call initiated by the kernel driver in the virtual platform, the method further comprises:
monitoring the system calls of the host, and if an IOCTL system call initiated from Qemu-kvm to kvm is monitored, intercepting the IOCTL system call.
B9. The method according to B7, characterized in that before intercepting the IOCTL system call initiated by the kernel driver in the virtual platform, the method further comprises:
monitoring the system calls of the host, and if an IOCTL system call initiated from Privcmd to xen is monitored, intercepting the IOCTL system call.
B10. The method according to B8 or B9, characterized in that determining, according to the detection result, whether to execute the IOCTL system call comprises:
if the detection result is a legal call, executing the IOCTL system call.
B11. The method according to B8 or B9, characterized in that determining, according to the detection result, whether to execute the IOCTL system call comprises:
if the detection result is an illegal call, blocking the IOCTL system call and sending warning information to the monitoring host.
B12. The method according to B11, characterized in that sending warning information to the monitoring host comprises:
sending the warning information to the monitoring host in the form of a pop-up window, or sending the warning information in the form of a log.
It should be noted that the above device and the above method correspond to each other; the specific implementation details of the above method apply equally to the above device, and this embodiment does not describe the specific implementation details of the above device again.
In the specification of the present invention, numerous specific details are set forth. It is understood, however, that embodiments of the present invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this specification.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention the various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. However, this method of disclosure is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all features of a single embodiment disclosed above. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will understand that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of the features of different embodiments are meant to be within the scope of the present invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of a browser terminal according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing some or all of the methods described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words may be interpreted as names.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced by equivalents; and such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the scope of the technical solutions of the embodiments of the present invention, and shall all be covered within the scope of the claims and the description of the present invention.

Claims (10)

1. A detection device for virtual machine process information, characterized by comprising:
an interception module, for intercepting the IOCTL system call initiated by the kernel driver in the virtual platform;
an acquisition module, for acquiring the parameters of the IOCTL system call, the parameters including: a read operation, a write operation, an operation of opening a program and an operation of closing a program;
a detection module, for detecting the parameters according to a preset strategy; the preset strategy is a security rule base, the corresponding parameters are matched according to the rules in the security rule base, the running state is assessed and suspicious parameters are marked, wherein the preset strategy can be updated periodically;
a determination module, for determining, according to the detection result, whether to execute the IOCTL system call.
2. The device according to claim 1, characterized in that the device further comprises: a monitoring module, for monitoring the system calls of the host;
the interception module is configured to intercept the IOCTL system call when an IOCTL system call initiated from Qemu-kvm to kvm is monitored.
3. The device according to claim 1, characterized in that the device further comprises: a monitoring module, for monitoring the system calls of the host;
the interception module is configured to intercept the IOCTL system call when an IOCTL system call initiated from Privcmd to xen is monitored.
4. The device according to claim 2 or 3, characterized in that determining, according to the detection result, whether to execute the IOCTL system call comprises:
if the detection result is a legal call, executing the IOCTL system call.
5. The device according to claim 2 or 3, characterized in that the determination module is configured to block the IOCTL system call when the detection result is an illegal call;
and a sending module, for sending warning information to the monitoring host.
6. The device according to claim 5, characterized in that the sending module is configured to:
send the warning information to the monitoring host in the form of a pop-up window, or send the warning information in the form of a log.
7. A detection method for virtual machine process information, characterized by comprising:
intercepting the IOCTL system call initiated by the kernel driver in the virtual platform;
acquiring the parameters of the IOCTL system call, and detecting the parameters according to a preset strategy, the parameters including: a read operation, a write operation, an operation of opening a program and an operation of closing a program; the preset strategy is a security rule base, the corresponding parameters are matched according to the rules in the security rule base, the running state is assessed and suspicious parameters are marked, wherein the preset strategy can be updated periodically;
determining, according to the detection result, whether to execute the IOCTL system call.
8. The method according to claim 7, characterized in that before intercepting the IOCTL system call initiated by the kernel driver in the virtual platform, the method further comprises:
monitoring the system calls of the host, and if an IOCTL system call initiated from Qemu-kvm to kvm is monitored, intercepting the IOCTL system call.
9. The method according to claim 7, characterized in that before intercepting the IOCTL system call initiated by the kernel driver in the virtual platform, the method further comprises:
monitoring the system calls of the host, and if an IOCTL system call initiated from Privcmd to xen is monitored, intercepting the IOCTL system call.
10. The method according to claim 8 or 9, characterized in that determining, according to the detection result, whether to execute the IOCTL system call comprises:
if the detection result is a legal call, executing the IOCTL system call.
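The intercept, acquire, match and decide pipeline described in embodiments A1 to B12 above and in claims 1 to 10 (interception of the Qemu-kvm to kvm or Privcmd to xen IOCTL path, classification of the parameter as a read, write, open-program or close-program operation, matching against a periodically updatable security rule base, executing legal calls and blocking illegal ones with a log-form warning), as an added Python model that is not the patent's own code. The event layout, the rule fields, the glob matching of arguments and the names `IoctlEvent`, `Rule`, `RuleBase`, `IoctlDetector` and `MONITORED_PATHS` are assumptions of this example; a real deployment would receive the events from a host-side system-call monitor, which this model replaces with constructed sample events.

```python
"""Model of the IOCTL interception and policy decision of CN105631321B.

Added example, not the patent's code: the event and rule layouts, the glob
matching and all names below are assumptions of this illustration.
"""
import fnmatch
import logging
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable, List, Optional, Tuple


class Op(Enum):
    """The four parameter classes enumerated in claims 1 and 7."""
    READ = "read"
    WRITE = "write"
    OPEN_PROGRAM = "open_program"
    CLOSE_PROGRAM = "close_program"


@dataclass(frozen=True)
class IoctlEvent:
    """One intercepted ioctl as a host-side syscall monitor would hand it over (assumed layout)."""
    caller: str    # process issuing the ioctl, e.g. "qemu-kvm" or "privcmd"
    target: str    # kernel driver receiving it, e.g. "kvm" or "xen"
    vm_id: str     # guest the call concerns
    op: Op
    arg: str = ""  # program name for open/close, memory region for read/write


@dataclass(frozen=True)
class Rule:
    """One entry of the security rule base: an operation plus a glob over its argument."""
    name: str
    op: Op
    arg_pattern: str = "*"
    verdict: str = "illegal"   # "legal" entries act as explicit allow rules


# The two interception paths of embodiments A2/A3 (claims 2/3).
MONITORED_PATHS = {("qemu-kvm", "kvm"), ("privcmd", "xen")}


class RuleBase:
    """Ordered rule list; first match wins. update() models the periodic refresh."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)
        self.version = 1

    def update(self, rules: Iterable[Rule]) -> int:
        self.rules = list(rules)
        self.version += 1
        return self.version

    def match(self, ev: IoctlEvent) -> Optional[Rule]:
        for rule in self.rules:
            if rule.op == ev.op and fnmatch.fnmatchcase(ev.arg, rule.arg_pattern):
                return rule
        return None


class IoctlDetector:
    """Interception -> parameter acquisition -> rule matching -> execute/block decision."""

    def __init__(self, rulebase: RuleBase, alert: Optional[Callable[[str], None]] = None):
        self.rulebase = rulebase
        # Log-form warning (claim 6); a pop-up sink would be injected the same way.
        self.alert = alert or logging.getLogger("vm-ioctl").warning
        self.flagged = {}  # per-VM count of suspicious parameters ("assess the running state")

    def decide(self, ev: IoctlEvent) -> bool:
        """Return True if the IOCTL may execute, False if it must be blocked."""
        if (ev.caller, ev.target) not in MONITORED_PATHS:
            return True  # not an introspection path; passed through untouched
        rule = self.rulebase.match(ev)
        if rule is None or rule.verdict == "legal":
            return True  # legal call: execute (claim 4 / A4 / B10)
        self.flagged[ev.vm_id] = self.flagged.get(ev.vm_id, 0) + 1
        self.alert(f"blocked ioctl {ev.caller}->{ev.target} vm={ev.vm_id}: "
                   f"{ev.op.value} {ev.arg!r} matched rule {rule.name!r} "
                   f"(flagged {self.flagged[ev.vm_id]} so far, rulebase v{self.rulebase.version})")
        return False  # illegal call: block and warn (claim 5 / A5 / B11)


def run_sample() -> Tuple[List[Tuple[IoctlEvent, bool]], IoctlDetector, List[str]]:
    """Feed constructed events through the detector; returns decisions, detector, alerts."""
    sent: List[str] = []
    rulebase = RuleBase([
        Rule("allow-trusted-agent", Op.OPEN_PROGRAM, "/opt/vm-agent/*", "legal"),
        Rule("untrusted-launch-from-tmp", Op.OPEN_PROGRAM, "/tmp/*"),
        Rule("kill-security-daemon", Op.CLOSE_PROGRAM, "*auditd*"),
        Rule("write-to-kernel-text", Op.WRITE, "kernel:text*"),
    ])
    det = IoctlDetector(rulebase, alert=sent.append)
    events = [  # constructed sample traffic
        IoctlEvent("qemu-kvm", "kvm", "vm-1", Op.READ, "guest-ram:0x1000"),
        IoctlEvent("qemu-kvm", "kvm", "vm-1", Op.OPEN_PROGRAM, "/tmp/dropper"),
        IoctlEvent("privcmd", "xen", "dom-7", Op.CLOSE_PROGRAM, "auditd"),
        IoctlEvent("privcmd", "xen", "dom-7", Op.OPEN_PROGRAM, "/opt/vm-agent/scan"),
        IoctlEvent("ssh", "tty", "vm-1", Op.WRITE, "kernel:text"),  # unmonitored path
    ]
    results = [(ev, det.decide(ev)) for ev in events]
    # Periodic rule-base update: a new rule takes effect for subsequent calls.
    rulebase.update(rulebase.rules + [Rule("read-guest-creds", Op.READ, "guest-ram:cred*")])
    late = IoctlEvent("qemu-kvm", "kvm", "vm-1", Op.READ, "guest-ram:cred-0x40")
    results.append((late, det.decide(late)))
    return results, det, sent


if __name__ == "__main__":
    decisions, detector, alerts = run_sample()
    for ev, ok in decisions:
        print("EXECUTE" if ok else "BLOCK  ", ev.caller, "->", ev.target, ev.op.value, ev.arg)
    print(*alerts, sep="\n")
```

Unmatched parameters are treated as legal here, which mirrors a rule base that marks suspicious parameters rather than enumerating permitted ones; a deployment that wants default-deny only needs to invert the `rule is None` branch. Alerts go through an injected callable so the same detector serves the log form and the pop-up form of claim 6.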
CN201510984793.XA 2015-12-24 2015-12-24 A kind of detection method and device of virtual machine process information Active CN105631321B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510984793.XA CN105631321B (en) 2015-12-24 2015-12-24 A kind of detection method and device of virtual machine process information

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510984793.XA CN105631321B (en) 2015-12-24 2015-12-24 A kind of detection method and device of virtual machine process information

Publications (2)

Publication Number Publication Date
CN105631321A CN105631321A (en) 2016-06-01
CN105631321B true CN105631321B (en) 2019-05-21

Family

ID=56046246

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510984793.XA Active CN105631321B (en) 2015-12-24 2015-12-24 A kind of detection method and device of virtual machine process information

Country Status (1)

Country Link
CN (1) CN105631321B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106156621A (en) * 2016-06-30 2016-11-23 北京奇虎科技有限公司 A kind of method and device detecting virtual machine escape
CN109324873A (en) * 2018-09-21 2019-02-12 郑州云海信息技术有限公司 The equipment and storage medium for virtualizing method for managing security, running kernel-driven
CN111444510A (en) * 2018-12-27 2020-07-24 北京奇虎科技有限公司 CPU vulnerability detection method and system based on virtual machine

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102402453A (en) * 2012-01-04 2012-04-04 北京航空航天大学 System virtual machine for microprocessor without interlocked piped stages (MIPS) platform
CN102930210A (en) * 2012-10-14 2013-02-13 江苏金陵科技集团公司 System and method for automatically analyzing, detecting and classifying malicious program behavior
CN103077071A (en) * 2012-12-31 2013-05-01 北京启明星辰信息技术股份有限公司 Method and system for acquiring process information of KVM (Kernel-based Virtual Machine)
CN103618809A (en) * 2013-11-12 2014-03-05 华为技术有限公司 Method, device and system for communication under vitualization environment
CN103778368A (en) * 2014-01-23 2014-05-07 重庆邮电大学 Safe progress isolating method based on system virtualization technology

Also Published As

Publication number Publication date
CN105631321A (en) 2016-06-01

Similar Documents

Publication Publication Date Title
US10083302B1 (en) System and method for detecting time-bomb malware
US10630643B2 (en) Dual memory introspection for securing multiple network endpoints
US9594881B2 (en) System and method for passive threat detection using virtual memory inspection
CN109214170B (en) Malware identification via auxiliary file analysis
WO2016082501A1 (en) Method, apparatus and system for processing cloud application attack behaviours in cloud computing system
US10528733B2 (en) Integrity, theft protection and cyber deception using a deception-based filesystem
US11438349B2 (en) Systems and methods for protecting devices from malware
US9804869B1 (en) Evaluating malware in a virtual machine using dynamic patching
US10678918B1 (en) Evaluating malware in a virtual machine using copy-on-write
US10771477B2 (en) Mitigating communications and control attempts
CN105631321B (en) A kind of detection method and device of virtual machine process information
US11556652B2 (en) End-point visibility
US11706251B2 (en) Simulating user interactions for malware analysis
KR101060596B1 (en) Malicious file detection system, malicious file detection device and method
Hwang et al. Design of a hypervisor-based rootkit detection method for virtualized systems in cloud computing environments
KR20220086402A (en) Cloud-based Integrated Security Service Providing System
Shi et al. Design of a comprehensive virtual machine monitoring system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP01 Change in the name or title of a patent holder
CP01 Change in the name or title of a patent holder

Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee after: Beijing Qizhi Business Consulting Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20220328

Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee after: Sanliu0 Digital Security Technology Group Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Beijing Qizhi Business Consulting Co.,Ltd.