CN106557396A - Virtual machine program running state monitoring method based on qemu
Publication number: CN106557396A (application CN201510622333.2A)
Authority: CN (China)
Legal status: Pending
Abstract
The invention discloses a virtual machine program running-state monitoring method based on qemu. The method includes: obtaining, through qemu at the virtual machine monitor layer, information about programs running in the virtual machine; performing low-level semantic analysis and semantic reconstruction on the obtained information, and extracting state features and behavior patterns from the state sequence and behavior sequence according to a state feature extraction algorithm and a behavior pattern extraction algorithm; comparing the obtained state features and behavior patterns with an existing state feature library and behavior pattern library and making a decision; and acting according to the decision result. The qemu-based method of the invention has the advantages of being hard to bypass, efficient in execution and simple to implement.
Description
Technical field
The invention belongs to the field of virtualization security technology and is an implementation of a qemu-based technique for monitoring the running state of programs in a virtual machine.
Background technology
As the range of application of virtualization technology keeps expanding, monitoring the running state of programs in virtual machines is becoming a research hotspot in the field of virtualization security. Such monitoring mainly covers three aspects: monitoring abnormal CPU behavior, monitoring abnormal memory state, and monitoring abnormal device state. Abnormal CPU behavior monitoring and abnormal memory state monitoring are closely interwoven and together form the most important part of program running-state monitoring. However, the CPU behavior monitoring means and memory state monitoring means in common use today suffer from incomplete information about the monitored object, information sources that are not trustworthy enough, inefficient acquisition of information, and the semantic gap.
Content of the invention
The object of the invention is to provide a qemu-based virtual machine program running-state monitoring method that solves the above problems of the prior art.
The qemu-based virtual machine program running-state monitoring method of the invention includes: obtaining, through qemu at the virtual machine monitor layer, information about programs running in the virtual machine; performing low-level semantic analysis and semantic reconstruction on the obtained information, and extracting state features and behavior patterns from the state sequence and behavior sequence according to a state feature extraction algorithm and a behavior pattern extraction algorithm; comparing the obtained state features and behavior patterns with an existing state feature library and behavior pattern library and making a decision; and acting according to the decision result.
According to an embodiment of the qemu-based virtual machine program running-state monitoring method of the invention, obtaining information about programs running in the virtual machine through qemu at the virtual machine monitor layer includes obtaining memory information and register information separately. The method for obtaining memory information includes: adding a hook function in the qemu memory request processing module to intercept the memory request information submitted by the guest operating system; adding a hook function in the qemu physical memory space allocation module to determine the allocated physical space information; and thereby obtaining the memory information. The method for obtaining register information includes: adding a hook function that intercepts the translation of target instructions into intermediate code and listens for the function decoding the target instructions; and, when a translation operation of that function on a target instruction is observed, intercepting and saving the instruction field and data field parameters passed into the function.
According to an embodiment of the qemu-based virtual machine program running-state monitoring method of the invention, performing low-level semantic analysis and semantic reconstruction on the obtained information and extracting state features and behavior patterns from the state sequence and behavior sequence includes: performing semantic conversion on the obtained information, where the semantically converted information is decomposed and recorded using a semantic structure analysis method and a semantic state transition diagram analysis method; applying a general one-way cryptographic hash algorithm to the extracted state features to obtain a state feature value; and likewise applying a general one-way cryptographic hash algorithm to the extracted behavior patterns to obtain a pattern feature value.
According to an embodiment of the qemu-based virtual machine program running-state monitoring method of the invention, comparing the obtained state features and behavior patterns with the existing state feature library and behavior pattern library and making a decision includes: abstracting the rule patterns of legal behavior and illegal behavior; when analyzing a monitored behavior, querying the existing behavior pattern library according to the state feature value and pattern feature value to see whether a matching record exists, and if so, reacting with the action specified by the rule; and analyzing the monitored behavior according to the system usage and the user behavior pattern, judging according to the state feature value and pattern feature value whether the abnormality degree of the behavior exceeds a set threshold, and treating the behavior as abnormal if it does.
The qemu-based virtual machine program running-state monitoring method of the invention modifies source code and adds hook functions to obtain monitored object information directly at the virtual machine monitor layer, reconstructs the running state of programs in the virtual machine, compares the recorded states and behaviors with a behavior feature library, and thereby monitors abnormal CPU behavior and abnormal memory state. It has the following advantages:
Safety: the scheme intercepts on key code paths of the virtual machine monitor and modifies the source code directly, so it is hard to bypass.
High execution efficiency: the scheme directly extends the existing shadow page table function and dynamic CPU emulation function of the virtualization technology, with little impact on system performance.
Simple implementation: the monitoring function is completed merely by placing a number of discrete probe points in the emulation functions, without implementing a separate state polling mechanism.
Description of the drawings
Fig. 1 is a flow chart of the qemu-based virtual machine program running-state monitoring method of the invention;
Fig. 2 is a schematic diagram of virtual machine program running-state monitoring;
Fig. 3 is a flow chart of virtual machine program running-state monitoring;
Fig. 4 is a schematic diagram of page translation in the virtual machine monitor;
Fig. 5 is a diagram of the working mechanism of the security policy of the qemu-based virtual machine program running-state monitoring method of the invention;
Fig. 6 is a flow chart of security policy execution in the qemu-based virtual machine program running-state monitoring method of the invention.
Specific embodiments
To make the purpose, content and advantages of the invention clearer, the specific embodiments of the invention are described in further detail below with reference to the accompanying drawings and examples.
Fig. 1 is a flow chart of the qemu-based virtual machine program running-state monitoring method of the invention. To monitor the security of programs running in a virtual machine, the invention proposes a security monitoring scheme located at the virtual machine monitor layer that provides information acquisition, feature and pattern analysis and matching, rule comparison, and policy enforcement.
The concrete steps of the method of the invention include the following:
Step 1: Information acquisition.
This is completed by an information acquisition thread pool. Multiple hook functions are placed at the virtual machine monitor layer to obtain low-level information about programs running in the virtual machine from several aspects: machine instruction operands, opcodes, register state and stack state.
Step 2: State feature and behavior pattern analysis.
Low-level semantic analysis and semantic reconstruction are performed on the obtained information to extract the system running-state sequence and the behavior sequence. State features and behavior patterns are then extracted from the state sequence and behavior sequence according to the state feature extraction algorithm and the behavior pattern extraction algorithm.
Step 3: Rule comparison and policy decision.
The obtained state features and behavior patterns are compared with the state feature library and behavior pattern library in the knowledge base, and a decision is made according to the corresponding policy in the policy manager.
Step 4: Policy enforcement.
According to the decision result of the policy manager, operations such as authorizing, refusing and alerting are performed.
Fig. 2 is a schematic diagram of virtual machine program running-state monitoring. As shown in Fig. 2, the invention is based on the open-source virtual machine software qemu. By modifying source code at the virtual machine monitor layer and adding hook functions, monitored object information is obtained; the virtual machine running state and behavior sequence are then obtained by means such as semantic analysis; and the extracted state features and behavior pattern records are compared with the behavior feature library, so that abnormal CPU behavior and abnormal memory state are monitored.
Fig. 3 is a flow chart of virtual machine program running-state monitoring. As shown in Fig. 3, the monitoring system runs in the virtual machine monitor. For sensitive event behaviors, the operation information is passed to the semantic conversion structure, which, by abstraction or reconstruction, converts the concrete event behavior into a behavior event the policer can understand and sends it to the policer. The policer searches the rule pattern library, judges whether the behavior event complies with the rules, reacts with the action specified by the rule, and sends a command to the controller; the controller then configures, controls and manages the operating system or application process, thereby completing real-time monitoring of the operating system.
The qemu-based virtual machine program running-state monitoring method of the invention is further illustrated below with reference to the above, and includes:
Step 1: Information acquisition
The objects of information acquisition fall into two classes: memory and registers. Registers comprise data registers and instruction registers, and monitoring program running state requires obtaining the information in both in real time. Memory information and register information are acquired in different ways, which are described separately below.
(1) Obtaining memory information
Fig. 4 is a schematic diagram of page translation in the virtual machine monitor. As shown in Fig. 4, the virtual machine monitor manages the real memory and translates the virtual addresses of the target virtual machine into real physical addresses, so the system resources of the target virtual machine can be read directly in the virtual machine monitor. Qemu is an open-source virtual machine monitor platform; it resolves the correspondence between virtual memory in the virtual machine and actual physical memory using shadow page tables.
Based on the shadow page table principle, the invention modifies the qemu source code and, by adding hook functions, intercepts the shadow page table translation correspondence to obtain the guest physical address information corresponding to a guest virtual address.
The memory that qemu allocates to the target system is managed by RAMBlock and RAMList. The invention obtains the relevant information by adding a series of discrete hook functions to the RAMBlock and RAMList modules. How the discrete hook functions are added at the relevant positions in these modules is described below.
1. Add a hook function in the qemu memory request processing module. The hook function is located in Qemu_mem_malloc and intercepts the memory request information submitted by the guest operating system without affecting the normal processing of the request. First, before the guest operating system submits the request, obtain from RAMList the size of the RAMBlock of virtual machine memory addresses pointing to the host, denoted A; second, after the guest operating system's request has succeeded, obtain from RAMList the size of the RAMBlock of virtual machine memory addresses pointing to the host again, denoted B; then subtract the two values (B - A) to obtain the size of the RAMBlock obtained by this successful memory request; finally, read RAMList to obtain the offset position of the newly requested RAMBlock. The newly requested memory is determined by its offset position and block size.
2. Add a hook function in the qemu physical memory space allocation module. The hook function is located in Cpu_register_physical_memory. First, obtain the size C of the physical space requested for allocation; next, call the original Cpu_register_physical_memory to perform the allocation; finally, from the return value of the original allocation function, obtain the start position D of the physical space actually allocated. From size C and start position D, the information of the physical space actually allocated is determined. Table 1 shows the format of the key data fields of the obtained memory information:
Table 1
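The two memory hooks of Step 1(1), modelled in Python against a toy allocator, as an added example that is not code from the patent or from qemu. RAMList/RAMBlock, the before/after sizes A and B, and the size/start pair C and D follow the patent text; the allocator, its block layout, the page rounding and the record format are assumptions for illustration. The lock around hook 1 is a check the patent text does not state: B - A identifies this request only if no other allocation interleaves between the two RAMList reads. (In upstream qemu the function named Cpu_register_physical_memory belongs to the memory API that predates MemoryRegion and is absent from current releases, so the hook point as described applies to older versions.)

```python
"""Memory-acquisition hooks of Step 1(1), modelled against a toy allocator.

Added example, not code from the patent or from qemu. The allocator, block
layout and record format are constructed for illustration.
"""
import threading
from dataclasses import dataclass, field


@dataclass
class RAMBlock:
    offset: int   # offset of the block inside the guest RAM space (assumed layout)
    length: int


@dataclass
class RAMList:
    blocks: list = field(default_factory=list)

    def total_size(self) -> int:
        return sum(b.length for b in self.blocks)


class ToyGuestMemory:
    """Constructed stand-in for the two qemu code paths the patent hooks."""

    def __init__(self):
        self.ram_list = RAMList()

    def qemu_mem_malloc(self, size: int) -> int:
        # Append a new RAMBlock at the end of the current RAM space.
        offset = self.ram_list.total_size()
        self.ram_list.blocks.append(RAMBlock(offset, size))
        return offset

    def cpu_register_physical_memory(self, start: int, size: int) -> int:
        # Original allocator: returns the start of the region actually mapped
        # (here an identity mapping rounded down to a 4 KiB page, an assumption).
        return start & ~0xFFF


class MemoryHooks:
    def __init__(self, mem: ToyGuestMemory):
        self.mem = mem
        self.records = []  # Table 1-style records: (kind, offset_or_start, size)
        self._lock = threading.Lock()

    def hooked_mem_malloc(self, size: int) -> int:
        # Hook 1: A before, B after; B - A is the size of the block just obtained,
        # and RAMList gives its offset. The lock keeps another allocation from
        # interleaving between the two reads, which would corrupt B - A.
        with self._lock:
            a = self.mem.ram_list.total_size()
            ret = self.mem.qemu_mem_malloc(size)
            b = self.mem.ram_list.total_size()
            new_block = self.mem.ram_list.blocks[-1]
            if b - a != new_block.length:
                raise RuntimeError("RAMList changed underneath the hook")
            self.records.append(("guest_alloc", new_block.offset, b - a))
        return ret

    def hooked_register_physical_memory(self, start: int, size: int) -> int:
        # Hook 2: C is the requested size, the original function is called
        # unchanged, and D is the start it returns.
        c = size
        d = self.mem.cpu_register_physical_memory(start, size)
        self.records.append(("phys_map", d, c))
        return d


def demo() -> list:
    """Run both hooks on constructed requests and return the Table 1 records."""
    hooks = MemoryHooks(ToyGuestMemory())
    hooks.hooked_mem_malloc(0x100000)                    # guest requests 1 MiB
    hooks.hooked_mem_malloc(0x4000)                      # then 16 KiB
    hooks.hooked_register_physical_memory(0xC0001234, 0x2000)
    return hooks.records


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```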
(2) Obtaining register information
The program running in the virtual machine is called the target instruction stream; like a program running on a physical machine, it consists of instruction fields and data fields. Acquiring register information is in practice the real-time acquisition of the instruction fields and data fields during program execution. While qemu runs, its code translation and execution module processes both. Qemu uses binary translation to translate target instructions into host instructions: qemu defines an intermediate code, first translates the target instructions into intermediate code, and then uses the tcg module to translate the intermediate code into host instructions.
Based on the above qemu instruction translation principle and process, the invention modifies the source code in the tcg module and adds hook functions to obtain the instruction register values and data register values while the target program runs. The added hook function is located in the function Cpu_gen_code. The process is as follows:
1. Add a hook function to intercept the translation of target instructions into intermediate code: add a hook in the function Cpu_gen_code to monitor the function's decoding of target instructions, and create two buffer spaces, gen_opc_buf and gen_opparam_buf, to hold the intercepted instruction fields and data fields.
2. When a translation operation of the function on a target instruction is observed, start the interception module, intercept the instruction field and data field parameters passed into the function, and save them in the two buffers gen_opc_buf and gen_opparam_buf.
3. Create a thread, or take one directly from the thread pool, to perform semantic conversion on the data in the two buffers gen_opc_buf and gen_opparam_buf, converting it into high-level semantics by the semantic reconstruction method and storing the result in two arrays, gen_opc_array and gen_opparam_array.
4. Pass the obtained high-level semantic information to the behavior pattern and state feature extraction and analysis module for processing.
Table 2 explains the high-level semantic summary information obtained after conversion.
Table 2
Field name | Field identifier | Type |
Hardware instruction mnemonic | OperateCode | String |
Operand 1 virtual opcode | OperateId1 | String |
Operand 1 register/segment name | OperateRegester1 | String |
Operand 1 offset address | OperatePtr1 | Integer |
Operand 2 virtual opcode | OperateId2 | String |
Operand 2 register/segment name | OperateRegester2 | String |
Operand 2 offset address | OperatePtr2 | Integer |
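The semantic reconstruction of items 3 and 4 above, as an added example that is not code from the patent or from qemu. It models gen_opc_buf and gen_opparam_buf the way TCG keeps them, one array of opcode numbers and one array of parameters in which each opcode consumes a fixed number of parameters, and rebuilds Table 2 records from the pair. The opcode table, the register names, the operand kinds and the sample capture are constructed for illustration; the real TCG encoding is not reproduced. The decoder treats a parameter buffer that runs short, or has parameters left over, as an error, since in a real hook that means the two buffers were captured out of step.

```python
"""Reconstruct Table 2 records from paired opcode/parameter buffers.

Added example, not code from the patent or from qemu. Opcode table, register
names and sample buffers are constructed for illustration.
"""

# Constructed opcode table: opcode number -> (mnemonic, operand kinds).
# Kinds: "reg" = register (1 parameter), "imm" = immediate (1 parameter),
# "mem" = base register plus offset (2 parameters).
OPC_DEFS = {
    0x01: ("mov_i32", ("reg", "reg")),
    0x02: ("movi_i32", ("reg", "imm")),
    0x03: ("ld_i32", ("reg", "mem")),
    0x04: ("st_i32", ("reg", "mem")),
}
PARAMS_PER_KIND = {"reg": 1, "imm": 1, "mem": 2}
# Constructed register index -> name table (TCG globals such as env, eax, ...).
REG_NAMES = {0: "env", 1: "eax", 2: "ebx", 3: "ecx", 4: "edx", 5: "esp", 6: "ebp"}


def _operand(kind, params):
    """Map one operand to the (OperateId, OperateRegester, OperatePtr) triple."""
    if kind == "reg":
        return "reg", REG_NAMES[params[0]], 0
    if kind == "imm":
        return "imm", "", params[0]
    if kind == "mem":
        return "mem", REG_NAMES[params[0]], params[1]
    raise ValueError(kind)


def reconstruct(gen_opc_buf, gen_opparam_buf):
    """Walk both buffers in lockstep and emit one Table 2 record per opcode."""
    records = []
    pi = 0
    for opc in gen_opc_buf:
        if opc not in OPC_DEFS:
            raise ValueError(f"unknown opcode {opc:#x}")
        mnemonic, kinds = OPC_DEFS[opc]
        rec = {"OperateCode": mnemonic}
        for n, kind in enumerate(kinds, start=1):
            width = PARAMS_PER_KIND[kind]
            if pi + width > len(gen_opparam_buf):
                raise ValueError("gen_opparam_buf truncated")
            oid, reg, ptr = _operand(kind, gen_opparam_buf[pi:pi + width])
            pi += width
            rec[f"OperateId{n}"] = oid
            rec[f"OperateRegester{n}"] = reg
            rec[f"OperatePtr{n}"] = ptr
        records.append(rec)
    if pi != len(gen_opparam_buf):
        raise ValueError("gen_opparam_buf has trailing parameters")
    return records


def check_capture(gen_opc_buf, gen_opparam_buf):
    """Return None if the buffers reconstruct cleanly, else the error text."""
    try:
        reconstruct(gen_opc_buf, gen_opparam_buf)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed capture of four translated ops:
#   mov eax <- ebx ; movi ecx <- 0x10 ; ld edx <- [env + 0x20] ; st [esp + 4] <- eax
SAMPLE_OPC = [0x01, 0x02, 0x03, 0x04]
SAMPLE_OPPARAM = [1, 2, 3, 0x10, 4, 0, 0x20, 1, 5, 4]


def demo():
    return reconstruct(SAMPLE_OPC, SAMPLE_OPPARAM)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```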
Step 2: State feature and behavior pattern extraction and analysis
The previous step described how to obtain monitored object information and gave the data field structures of the acquired memory information and register information. The following describes separately how state and behavior are extracted and analyzed from the acquired monitored object information.
(1) State feature extraction and analysis
When monitoring program running state, monitoring the state of specific registers is one of the most important parts. Abnormal states of specific registers generally occur while destructive or malicious programs run. Monitoring the state of specific registers is currently one of the main methods of monitoring program running state.
Using the high-level semantic information extracted in the previous step, the semantic structure analysis method and the semantic state transition diagram analysis method are applied to decompose and record the high-level semantic information. The semantic information list for specific registers includes the Cr3 register switch list, the MSR register state table, and the state sequence of the IDTR register (interrupt vector table). Table 3 is the semantic information list involving specific registers.
Table 3
The above sequences are the extracted state features. A general one-way cryptographic hash algorithm is applied to the extracted state features (the specific one-way hash algorithm may be chosen according to actual needs); the hash function is computed over each row of records and yields a state feature value. Because a hash algorithm is used, different sequences yield different feature values (barring hash collisions). The state feature values obtained above are used in the rule comparison of the next step.
(2) Behavior pattern extraction and analysis
When monitoring program running state, the monitored behaviors comprise four aspects: the system call sequence, the I/O call sequence, the interrupt response sequence, and the memory read list. The approach of this scheme to monitoring the running state of programs in the virtual machine is to monitor the above behaviors and, after obtaining the behavior sequences, compare them with general behavior sequences to find malicious or abnormal behavior.
Using the high-level semantic information extracted in the previous step, the semantic behavior analysis method is applied to decompose and record it, with four modules recording the four behaviors above respectively. Table 4 is the record table.
Table 4
The above sequences are the extracted system behaviors. A general one-way cryptographic hash algorithm is likewise applied to the extracted behavior patterns (the specific one-way hash algorithm may be chosen according to actual needs); the hash function is computed over each row of records and yields a pattern feature value which, like the state feature value, is used in the rule comparison of the next step.
Step 3: Rule comparison
The policer of the rule comparison method uses two classes of methods at the same time: according to the pattern feature value and the state feature value, it performs behavior-pattern-matching analysis and anomaly-statistics analysis. The former analyzes past behavior to abstract the rule patterns of legal and illegal behavior; when analyzing a monitored behavior it queries the previously built behavior pattern library to see whether a matching record exists, and if so reacts with the action specified by the rule; if not, it applies the default action (pass or refuse, depending on the situation). The latter analyzes the monitored behavior according to the system usage and the user behavior pattern, processes the behavior with a function, and judges whether the abnormality degree of the behavior exceeds a set threshold; if it does, the behavior is declared abnormal. The policer of this scheme is designed outside the operating system of the target virtual machine, so it continues to work even after the target system has been compromised; it also allows security policies to be shared between different operating systems, and makes modifying and updating security rules convenient. Besides describing which behaviors are legal or illegal, the policer's rules further describe the reaction the system should make and the action it should take after the corresponding behavior occurs. According to this reaction or action, the policer issues commands to the controller, which controls the operating system through its operations.
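Steps 2 and 3 carried through in code, as an added example that is not code from the patent: hashing a state or behavior sequence into a feature value, looking the value up in the rule libraries, and falling back to an anomaly statistic against a threshold and then to the default action. The hash-then-look-up flow, the legal/illegal rule patterns, the default action and the threshold follow the patent text; SHA-256 as the one-way hash, the length-prefixed encoding, the bigram-based anomaly degree, the order in which the two methods are consulted and the sample sequences are assumptions. The length prefix is the check a practitioner adds before hashing a sequence: without it, ["ab", "c"] and ["a", "bc"] would hash to the same feature value.

```python
"""State/behavior feature values and the two-method policer of Steps 2 and 3.

Added example, not code from the patent. Hash choice, encoding, anomaly score
and sample data are assumptions.
"""
import hashlib
from typing import Iterable, Sequence


def feature_value(kind: str, sequence: Iterable) -> str:
    """One-way hash of a state or behavior sequence.

    Each item is length-prefixed so concatenation cannot produce collisions
    between differently split sequences; `kind` separates the state and
    behavior namespaces so identical sequences of different kinds differ too."""
    h = hashlib.sha256()
    h.update(kind.encode("utf-8"))
    for item in sequence:
        data = str(item).encode("utf-8")
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return h.hexdigest()


def _bigrams(seq: Sequence[str]):
    return {(seq[i], seq[i + 1]) for i in range(len(seq) - 1)}


class Policer:
    def __init__(self, baseline: Iterable[Sequence[str]], threshold: float,
                 default_action: str = "refuse"):
        self.state_db = {}      # state feature value -> action
        self.pattern_db = {}    # pattern feature value -> action
        # Constructed baseline of benign behavior bigrams for the anomaly statistic.
        self.baseline = set()
        for seq in baseline:
            self.baseline |= _bigrams(seq)
        self.threshold = threshold
        self.default_action = default_action

    def add_rule(self, kind: str, sequence: Sequence[str], action: str):
        db = self.state_db if kind == "state" else self.pattern_db
        db[feature_value(kind, sequence)] = action

    def anomaly_degree(self, behavior: Sequence[str]) -> float:
        """Share of bigrams never seen in the baseline (0.0 = fully familiar)."""
        grams = _bigrams(behavior)
        if not grams:
            return 0.0
        return len(grams - self.baseline) / len(grams)

    def decide(self, state_seq: Sequence[str], behavior_seq: Sequence[str]):
        # Method 1: exact pattern match against the rule libraries.
        sv = feature_value("state", state_seq)
        pv = feature_value("behavior", behavior_seq)
        if sv in self.state_db:
            return self.state_db[sv], "state rule"
        if pv in self.pattern_db:
            return self.pattern_db[pv], "behavior rule"
        # Method 2: anomaly statistic against the set threshold.
        degree = self.anomaly_degree(behavior_seq)
        if degree > self.threshold:
            return "alert", f"anomaly degree {degree:.2f} > {self.threshold}"
        return self.default_action, "default action"


def demo():
    # Constructed benign syscall sequences used as the baseline.
    baseline = [["open", "read", "close"], ["open", "write", "close"],
                ["mmap", "read", "munmap"]]
    policer = Policer(baseline, threshold=0.5, default_action="pass")
    policer.add_rule("behavior", ["ptrace", "write", "mprotect"], "refuse")
    policer.add_rule("state", ["cr3=0x1000", "cr3=0x2000", "idtr=0xfffff000"], "refuse")
    return {
        "known_bad": policer.decide(["cr3=0x1000"], ["ptrace", "write", "mprotect"]),
        "benign": policer.decide(["cr3=0x1000"], ["open", "read", "close"]),
        "novel": policer.decide(["cr3=0x1000"], ["socket", "connect", "execve"]),
        "bad_state": policer.decide(["cr3=0x1000", "cr3=0x2000", "idtr=0xfffff000"], ["open"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```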
Fig. 5 is a diagram of the working mechanism of the security policy of the qemu-based virtual machine program running-state monitoring method of the invention. As shown in Fig. 5, the working mechanism of the security policy is described first. Because the Flask policy architecture is used, policy configuration and policy enforcement are separated: in practical implementations the policy configuration module and the security server module are placed in Dom0, while the policy enforcement module is placed in DomU and the VMM.
Because the security server module and the policy enforcement module are in different virtual domains, the overhead of inter-domain communication cannot be ignored. To reduce the communication overhead between the modules, the locality of program access is exploited: a policy decision cache module is added in the virtual machine monitor to cache policy decisions. When the policy enforcement module performs a permission check, it first accesses the policy decision cache. On a hit, the policy is read directly from the cache, which greatly improves read speed. If the required security policy decision is not in the cache, the remote security server is accessed through shared memory to obtain the decision, and the policy read is placed in the access vector cache. Adding the access vector cache module therefore effectively reduces the number of accesses to the remote security server and the system overhead they cause.
Fig. 6 is a flow chart of security policy execution in the qemu-based virtual machine program running-state monitoring method of the invention. As shown in Fig. 6, the security policy execution flow is described below.
When the policy enforcement module in the guest operating system intercepts an event message, it must process the event accordingly and check whether the operation is legal. In this process the security policy decision must be obtained from the security server in the remote security operating system; the detailed flow is shown in Fig. 6. The execution flow of the security policy can be divided into an initialization part and a security policy execution part. The initialization flow is described in detail first:
First, the security administrator edits a correct text policy with the user-space management tool and loads the security policy into the security server through the interface provided by the security service; when loading, the identifier of the policy library into which the policy is to be loaded must be specified.
Second, the security server parses the policy file. If the policy library identifier specified at load time already exists, the policy information is added to the policy library with that identifier; if it does not exist, a new policy library is created to hold the security policy in the file.
Finally, the policy enforcement module and the access vector cache module are loaded in the virtual machine monitor. Once the virtual machine monitor has finished initializing, it can start working.
The workflow of the secure access monitoring system is described in detail below:
1. The policy enforcement module in the virtual machine monitor waits for an event trigger.
2. The policy enforcement module parses the parameter information and operation information of the processing function.
3. The parsed information, which includes the attributes of the subject and the object and the type of operation the subject performs on the object, is passed to the policy decision cache module.
4. The policy decision cache module hashes the information passed from the policy enforcement module to look it up in the access vector cache. On a hit, go to step 8; on a miss, pass the request to the remote security server and continue with step 5.
5. The security server receives the request sent by the policy decision cache and invokes the policy decision module, which queries the policy library according to the request information and makes an integrated decision.
6. The security server returns the policy decision result to the policy decision cache module.
7. The policy decision cache module updates the access vector cache; in this operation the vector to be evicted is found using LRU and is then overwritten.
8. The mask of the policy decision and the operation code are bitwise ANDed; if the result equals the operation code, the operation is legal, otherwise it is illegal.
9. The policy enforcement module performs the corresponding operation according to the result of step 8.
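The nine-step workflow above in code, as an added example that is not code from the patent: a policy enforcement point, an access vector cache with LRU eviction in front of a security server, and the `mask & opcode == opcode` legality test of step 8. The lookup key (subject, object, operation type), the remote fallback on a miss, LRU eviction and the mask test follow the patent text; the permission bits, the policy entries, the in-process stand-in for the remote security server and the flush() method are assumptions. The flush is the caveat the workflow leaves implicit: decisions cached before a policy reload stay in force until the cache is cleared, and the test below shows a revoked permission still being granted from the cache.

```python
"""Policy decision cache (access vector cache) workflow of steps 1 to 9.

Added example, not code from the patent. Permission bits, policy entries and
the in-process security server are constructed for illustration.
"""
from collections import OrderedDict

# Constructed permission bits: one bit per operation type.
READ, WRITE, EXEC = 0x1, 0x2, 0x4


class SecurityServer:
    """Stand-in for the remote security server in the security OS (constructed)."""

    def __init__(self, policy_db):
        # policy_db: (subject type, object type) -> mask of allowed operations
        self.policy_db = dict(policy_db)
        self.queries = 0

    def decide(self, subject, obj):
        self.queries += 1  # steps 5-6: every call crosses the domain boundary
        return self.policy_db.get((subject, obj), 0)  # no rule -> nothing allowed


class AccessVectorCache:
    def __init__(self, server, capacity):
        self.server = server
        self.capacity = capacity
        self.cache = OrderedDict()   # (subject, obj) -> mask, kept in LRU order
        self.hits = 0
        self.misses = 0

    def lookup(self, subject, obj):
        key = (subject, obj)                      # step 4: hash-mapped lookup
        if key in self.cache:
            self.hits += 1
            self.cache.move_to_end(key)           # most recently used
            return self.cache[key]
        self.misses += 1
        mask = self.server.decide(subject, obj)   # steps 5-6: ask the server
        if len(self.cache) >= self.capacity:      # step 7: evict the LRU vector
            self.cache.popitem(last=False)
        self.cache[key] = mask
        return mask

    def flush(self):
        # Decisions cached before a policy reload are stale; drop them all.
        self.cache.clear()


class PolicyEnforcement:
    def __init__(self, avc):
        self.avc = avc

    def check(self, subject, obj, opcode):
        # step 8: legal iff every requested operation bit is present in the mask
        mask = self.avc.lookup(subject, obj)
        return (mask & opcode) == opcode


def demo():
    """Run a constructed sequence of checks through a 2-entry cache."""
    server = SecurityServer({("httpd_t", "content_t"): READ,
                             ("httpd_t", "log_t"): READ | WRITE,
                             ("shell_t", "bin_t"): READ | EXEC})
    avc = AccessVectorCache(server, capacity=2)
    pep = PolicyEnforcement(avc)
    results = [
        pep.check("httpd_t", "content_t", READ),       # miss, legal
        pep.check("httpd_t", "content_t", WRITE),      # hit, illegal
        pep.check("httpd_t", "log_t", READ | WRITE),   # miss, legal
        pep.check("shell_t", "bin_t", EXEC),           # miss, evicts content_t
        pep.check("httpd_t", "content_t", READ),       # miss again (was evicted)
        pep.check("httpd_t", "secret_t", READ),        # miss, no rule -> illegal
    ]
    return results, avc.hits, avc.misses, server.queries


if __name__ == "__main__":
    print(demo())
```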
Step 4: Policy enforcement
The monitoring system also analyzes the monitored behavior, judges its legitimacy against a given policy, prevents behavior that violates the security policy, and controls the system after detecting an intrusion so as to avoid greater loss. Because the security policy of an operating system is rather complex, the prototype implementation simplifies it: behavior that is certain to destabilize the system is prevented, while behavior whose legitimacy cannot be judged is recorded in a warning log for the user, to facilitate later behavior analysis.
Considering that different operating systems differ somewhat, and for reasons of length, the scheme is described briefly for Linux-class systems and Windows-class systems respectively.
For Linux operating systems, the scheme achieves user control over the system and its processes by imitating, in the virtual machine monitor, Linux's process signal mechanism: it sends various signals to processes and thereby controls the system. In Linux, the process descriptor has a signal field pointing to the shared signal queue of the process group and a pending field pointing to the private signal queue; when the system switches mode it checks whether the process has signals to handle and then calls the corresponding handler. Sending a signal to a process can therefore be simulated by modifying the corresponding flags in the process descriptor, achieving process control.
Because Windows is closed-source, it is difficult to kill a process completely from outside the system, so process control requires combining inside and outside. A toolkit is installed in the virtual machine operating system, implemented as a pseudo-driver that registers an interrupt number. The virtual machine monitor injects an interrupt call to the corresponding function into the virtual operating system to perform the kill-process operation. Besides killing a process, other control functions can also be performed, such as suspending or resuming a process. This out-of-band process control method can still operate on processes after the virtual machine operating system has been attacked and can no longer do so normally. A further benefit is that when the virtual machine operating system deadlocks, the same function can be used to break the deadlock and restore normal operation without restarting the system.
In summary, the qemu-based virtual machine program running-state monitoring method of the invention has the following advantages:
Safety. The scheme intercepts on key code paths of the virtual machine monitor and modifies the source code directly, so it is hard to bypass.
High execution efficiency. The scheme directly extends the existing shadow page table function and dynamic CPU emulation function of the virtualization technology, with little impact on system performance.
Simple implementation. The monitoring function is completed merely by placing a number of discrete probe points in the emulation functions, without implementing a separate state polling mechanism.
Higher security. The behavior monitoring is performed outside the operating system, whereas state monitoring implemented inside the operating system is liable to be attacked and deceived.
The above is only a preferred embodiment of the invention. It should be pointed out that those skilled in the art may make improvements and variations without departing from the technical principles of the invention, and these improvements and variations should also be regarded as falling within the protection scope of the invention.
Claims (4)
1. A qemu-based virtual machine program running state monitoring method, characterised in that it comprises:
obtaining, through qemu at the virtual machine monitor layer, information about a program running in the virtual machine;
performing bottom-level semantic analysis and semantic reconstruction on the obtained information, and extracting state features and behaviour patterns from the state sequence and behaviour sequence according to a state feature extraction algorithm and a behaviour pattern extraction algorithm;
comparing the obtained state features and behaviour patterns with an existing state feature library and behaviour pattern library, and making a decision;
performing an operation according to the decision result.
2. The qemu-based virtual machine program running state monitoring method of claim 1, characterised in that obtaining information about the program running in the virtual machine through qemu at the virtual machine monitor layer comprises obtaining memory information and register information respectively, wherein
the method of obtaining memory information comprises: adding a hook function in the qemu memory allocation request processing module to intercept the memory allocation request information submitted by the guest operating system; adding a hook function in the qemu physical memory space allocation module to determine the allocated physical space information; and thereby obtaining the memory information;
the method of obtaining register information comprises: adding a hook function to intercept the process of translating target instructions into intermediate code, and monitoring the process in which that function decodes the target instruction; when an operation in which the function translates a target instruction is observed, intercepting and saving the instruction field and data field parameters passed into the function.
3. The qemu-based virtual machine program running state monitoring method of claim 1, characterised in that performing bottom-level semantic analysis and semantic reconstruction on the obtained information, and extracting state features and behaviour patterns from the state sequence and behaviour sequence according to a state feature extraction algorithm and a behaviour pattern extraction algorithm, comprises:
performing semantic conversion processing on the obtained information; decomposing and recording the semantically converted information using a semantic structure analysis method and a semantic state transition diagram analysis method; applying a general one-way cryptographic hash algorithm to the extracted state features to obtain state feature values; and likewise applying a general one-way cryptographic hash algorithm to the extracted behaviour patterns to obtain pattern feature values.
4. The qemu-based virtual machine program running state monitoring method of claim 1, characterised in that comparing the obtained state features and behaviour patterns with the existing state feature library and behaviour pattern library, and making a decision, comprises:
abstracting rules for legal and illegal behaviours into patterns; when analysing a monitored behaviour, querying the existing behaviour pattern library according to the state feature value and pattern feature value to see whether a matching record exists, and if so, reacting with the action specified by the rule;
analysing the monitored behaviour according to system usage and user behaviour patterns, and judging from the state feature value and pattern feature value whether the anomaly degree of the behaviour exceeds a set threshold; if it exceeds the set threshold, the behaviour is anomalous.
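The decision stage of claims 3 and 4 (one-way hashed feature values, a rule library of legal and illegal patterns, and an anomaly degree compared against a set threshold), as an added Python example that is not part of the patent. The behaviour tuples, the rule library, the known-normal runs and the bigram-based anomaly measure are constructed assumptions standing in for the reconstructed state and behaviour sequences the qemu hooks would produce.

```python
import hashlib

def feature_value(items):
    """State/pattern feature value: a one-way hash over a canonical serialisation."""
    canonical = "\x1f".join(repr(i) for i in items)
    return hashlib.sha256(canonical.encode()).hexdigest()

# Constructed rule library (hypothetical): behaviour pattern -> (verdict, action).
RULES = {
    ("mmap", "rwx"): ("illegal", "suspend"),
    ("open", "/etc/hosts"): ("legal", "allow"),
}
# Keyed by pattern feature value, so a lookup compares hashes only.
PATTERN_LIBRARY = {feature_value(p): va for p, va in RULES.items()}

def match_rule(behaviour):
    """Action the rule library specifies for a behaviour, or None if no record matches."""
    hit = PATTERN_LIBRARY.get(feature_value(behaviour))
    return None if hit is None else hit[1]

def bigrams(seq):
    return [(seq[i], seq[i + 1]) for i in range(len(seq) - 1)]

def build_baseline(normal_runs):
    """User/system behaviour pattern library: hashed bigrams seen in known-normal runs."""
    return {feature_value(g) for run in normal_runs for g in bigrams(run)}

def anomaly_degree(seq, baseline):
    """Fraction of behaviour bigrams unseen in the baseline (0.0 if fewer than 2 events)."""
    grams = bigrams(seq)
    if not grams:
        return 0.0
    return sum(1 for g in grams if feature_value(g) not in baseline) / len(grams)

def decide(seq, baseline, threshold=0.5):
    """Claim-4 decision: rule library first, then anomaly degree against the set threshold."""
    for behaviour in seq:
        action = match_rule(behaviour)
        if action not in (None, "allow"):
            return ("illegal", action)
    if anomaly_degree(seq, baseline) > threshold:
        return ("anomalous", "alert")
    return ("normal", "allow")

# Constructed known-normal runs (sample data, not captured from a real guest).
NORMAL_RUNS = [
    [("open", "/etc/hosts"), ("read", "/etc/hosts"), ("close", "/etc/hosts")],
    [("open", "/var/log/app"), ("write", "/var/log/app"), ("close", "/var/log/app")],
]
BASELINE = build_baseline(NORMAL_RUNS)
```

Note that the threshold test is strict, as the claim states ("exceeds"): a sequence whose anomaly degree equals the threshold exactly is still reported as normal.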
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510622333.2A CN106557396A (en) | 2015-09-25 | 2015-09-25 | Virtual machine program running state monitoring method based on qemu |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106557396A true CN106557396A (en) | 2017-04-05 |
Family
ID=58414547
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510622333.2A Pending CN106557396A (en) | 2015-09-25 | 2015-09-25 | Virtual machine program running state monitoring method based on qemu |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106557396A (en) |
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100146504A1 (en) * | 2008-12-10 | 2010-06-10 | Chang Bin Tang | Virtual mobile infrastructure and its base platform |
CN102012987A (en) * | 2010-12-02 | 2011-04-13 | 李清宝 | Automatic behavioural analysis system for binary malicious codes |
CN102651062A (en) * | 2012-04-09 | 2012-08-29 | 华中科技大学 | System and method for tracking malicious behavior based on virtual machine architecture |
CN103914332A (en) * | 2014-04-14 | 2014-07-09 | 中国人民解放军国防科学技术大学 | Detecting method for true course information in guest operating system of virtual machine |
Non-Patent Citations (2)
Title |
---|
郭琰 (Guo Yan): "Research on Virtual Machine Security Monitoring Technology Based on VMI" (基于VMI的虚拟机安全监控技术研究), China Master's Theses Full-text Database, Information Science and Technology (《中国优秀硕士学位论文全文数据库 信息科技辑》) * |
项国富 等 (Xiang Guofu et al.): "Virtualization-based Security Monitoring" (基于虚拟化的安全监控), Journal of Software (《软件学报》) * |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107679398A (en) * | 2017-09-30 | 2018-02-09 | 北京奇虎科技有限公司 | Virtual machine I/O data stream detection method and device, computing device, storage medium |
CN108228319A (en) * | 2018-01-10 | 2018-06-29 | 天津理工大学 | Multi-bridge based semantic reconstruction method |
CN108228319B (en) * | 2018-01-10 | 2021-03-30 | 天津理工大学 | Multi-bridge based semantic reconstruction method |
CN110321275A (en) * | 2018-03-29 | 2019-10-11 | 腾讯科技(上海)有限公司 | Program monitoring method and device, computing device and storage medium |
CN108874442A (en) * | 2018-06-08 | 2018-11-23 | 山东超越数控电子股份有限公司 | Implementation method for domestic-platform system emulation based on QEMU |
CN112148434A (en) * | 2020-10-12 | 2020-12-29 | 北京计算机技术及应用研究所 | Micro-kernel virtual machine communication method and device based on Loongson host environment and Loongson host |
CN114238417A (en) * | 2021-12-27 | 2022-03-25 | 四川启睿克科技有限公司 | Data caching method |
CN115658511A (en) * | 2022-10-27 | 2023-01-31 | 豫章师范学院 | Method and system for monitoring execution behavior of source code |
CN115658511B (en) * | 2022-10-27 | 2023-08-29 | 豫章师范学院 | Method and system for monitoring execution behavior of source code |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20170405 |