CN108920253B - Agent-free virtual machine monitoring system and monitoring method - Google Patents


Info

Publication number: CN108920253B
Application number: CN201810632935.XA
Authority: CN (China)
Prior art keywords: virtual machine, monitoring, system call, code, strategy
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN108920253A (en)
Inventors: 尹学渊, 陶术松
Current Assignee: Sichuan Lingyue Yunzhi Technology Co ltd
Original Assignee: Chengdu Lingyue Yunchuang Technology Co ltd
Priority date: 2018-06-20
Filing date: 2018-06-20
Publication date: 2018-11-30 (CN108920253A), 2022-05-17 (CN108920253B)

Application filed by Chengdu Lingyue Yunchuang Technology Co ltd
Priority to CN201810632935.XA
Publication of CN108920253A
Application granted
Publication of CN108920253B
Legal status: Active
Anticipated expiration: not listed

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00: Arrangements for program control, e.g. control units
    • G06F9/06: Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44: Arrangements for executing specific programs
    • G06F9/455: Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533: Hypervisors; Virtual machine monitors
    • G06F9/45558: Hypervisor-specific management and integration aspects
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00: Error detection; Error correction; Monitoring
    • G06F11/30: Monitoring
    • G06F11/3003: Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/301: Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is a virtual computing platform, e.g. logically partitioned systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Quality & Reliability (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses an agent-free virtual machine monitoring system and monitoring method comprising the following steps: a user sets a monitoring strategy through a monitoring strategy setting module; when a virtual machine is started, a code injection module dynamically injects monitoring code according to the identifier of the virtual machine to be monitored; the virtualization layer dynamically modifies the system call function pointers according to the monitoring code and the monitoring strategy, so that they point to the function addresses of the monitoring code; and after the monitoring code intercepts a system call inside the virtual machine, it obtains the monitoring strategy from the virtualization layer and completes the specific response to the intercepted system call according to that strategy. Because the virtualization layer detects that the virtual machine has started and only then dynamically injects the monitoring code into it, monitoring is highly flexible and responds quickly in real time. At the same time, read-only protection of the key data and code related to monitoring, enforced by the virtualization layer, guarantees that the monitoring system remains effective at all times.

Description

Agent-free virtual machine monitoring system and monitoring method
Technical Field
The invention belongs to the technical field of virtual machine monitoring, and in particular relates to an agent-free virtual machine monitoring system and monitoring method.
Background
With the continued development and adoption of cloud computing, security monitoring of virtual machines has become both a difficult technical problem and an active topic in cloud computing. Technical approaches to virtual machine security monitoring fall into two categories: traditional host-based monitoring and virtualization-based monitoring. Traditional host-based monitoring integrates the monitoring tools of a physical host, such as a virus detection and defense system or a malicious code interception and isolation system, directly into the virtual machine operating system; virtualization-based monitoring uses the higher privilege level of the virtualization platform to monitor the virtual machine from outside.
Traditional host-based monitoring responds quickly in real time, but in a virtualized setting it forgoes the advantage of transparent, high-privilege monitoring from the virtualization platform, and malicious code inside the virtual machine can interfere with and fight back against the security monitoring system. Monitoring carried out entirely at the virtualization platform layer is transparent to the virtual machine, and malicious code inside the virtual machine cannot damage monitoring code located in the virtualization layer; however, because the virtualization layer lacks the semantics of the virtual machine's operating system, it is complex to implement, and the virtual machine frequently traps into the virtual machine monitor layer for additional checking and monitoring analysis, which greatly increases the performance overhead.
In the prior art, virtual machine monitoring is generally realized in one of the following ways:
As shown in fig. 1, a system call interception module located inside the virtual machine intercepts the system call requests issued by all processes in the operating system and records information about the calling process. According to the monitoring configuration, if the calling process is one that needs to be monitored, information such as the start time and end time of the system call is recorded, which gives detailed monitoring of specific process information inside the virtual machine. This scheme depends heavily on the system call interception module inside the virtual machine, so when malicious code is present in the virtual machine the reliability and safety of monitoring a specific process cannot be guaranteed.
As shown in fig. 2, in the virtualization layer, a monitoring breakpoint is inserted at the special instructions that must be executed by the virtualization layer, so as to intercept the execution flow of the virtual machine and obtain its current execution information. In this scheme a special monitoring instruction is forcibly inserted during the instruction translation stage and the control flow is diverted, which increases the running overhead of the virtual machine; furthermore, on a platform based on hardware virtualization, privileged instructions are executed directly by the processor without any translation stage.
Disclosure of Invention
The invention aims to solve the above deficiencies of the prior art by providing an agent-free virtual machine monitoring system and monitoring method that combine the high security of virtualization-layer monitoring with the real-time performance of traditional monitoring: on one hand, no agent component needs to be deployed inside the virtual machine, and on the other hand, the monitoring system is protected from being damaged by malicious code inside the virtual machine.
To achieve this purpose, the invention adopts the following technical scheme:
an agent-free virtual machine monitoring system, comprising:
a monitoring strategy setting module, used for managing the monitoring strategy of the user's virtual machine;
a monitoring injection module, deployed in the virtualization layer, used for judging whether the currently started virtual machine meets the monitoring code injection condition and for executing the monitoring code injection; and
a monitoring function protection module, deployed in the virtualization layer, used for applying read-only protection to the virtual machine system call table, the monitoring code and the execution flow of the system call entry function.
An agent-free virtual machine monitoring method, applied to the agent-free virtual machine monitoring system above, comprises the following steps:
step one: a user sets a monitoring strategy through the monitoring strategy setting module, where the monitoring strategy comprises the identifier of the virtual machine to be monitored, the related system calls to be monitored, and the response actions of the virtual machine system call monitoring;
step two: when the virtual machine is started, the code injection module dynamically injects the monitoring code according to the identifier of the virtual machine to be monitored;
step three: the virtualization layer dynamically modifies the system call function pointers according to the monitoring code and the monitoring strategy, so that the system call function pointers point to the function addresses of the monitoring code;
step four: after the monitoring code intercepts a system call inside the virtual machine, it obtains the monitoring strategy from the virtualization layer and completes the specific response to the intercepted virtual machine system call according to the monitoring strategy.
In the invention, monitoring code compiled in advance is dynamically injected when the virtual machine is started; no agent component needs to be deployed in the virtual machine at any point, and all operations are carried out by the virtualization layer. Once the system call interception monitoring code has been injected, security monitoring of the virtual machine based on system calls can be carried out transparently and in real time inside the virtual machine.
Further, the dynamic injection of monitoring code in step two is specifically: the virtualization platform layer generates executable code from the monitoring code, then requests memory from the virtual machine kernel and writes the executable code into the requested virtual machine kernel memory.
Further, generating the executable code specifically includes the following steps:
step 101: when the virtual machine is started, the code injection module judges, according to the identifier of the virtual machine to be monitored, whether to execute the monitoring code injection logic; if the monitoring code injection condition is met, the monitoring code file on the virtualization platform layer is read and the virtual machine kernel symbol table is dynamically parsed;
step 102: the virtualization platform layer repairs the symbol table and relocation data of the monitoring code according to the symbol table of the virtual machine and the format of the monitoring code file, and generates the executable code.
Further, step three also includes that the virtualization platform layer obtains the address of the virtual machine system call table and the address of the system call entry function from the virtual machine symbol table, and then sets the read-only attribute in the EPT page table entries for the system call table address, the system call entry function address and the address of the injected monitoring code.
Further, the monitoring strategy comprises monitoring objects and response actions, where the monitoring objects include a sensitive word library, sensitive processes, and sensitive files and directories, and the response actions include recording, alarming, filtering, blocking and obfuscating.
Further, steps one to four also include: the user dynamically adds and deletes entries of the list of virtual machines to be monitored, the list of system calls to be monitored, the monitoring objects and the response actions through an API (application programming interface).
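As an added illustration of steps one to four and of the monitoring strategy just described (example code written for this page, not code from the patent or its applicant), the following C model simulates a guest system call table, a strategy held on the virtualization-layer side, and the proxy function to which the hooked table entries are redirected. The syscall numbers, the VM identifier `vm-01`, the path prefixes and the functions `vmm_install_hooks`, `monitor_proxy` and `guest_syscall` are all constructed for the example; a real implementation rewrites the guest kernel's table from the hypervisor, which this user-space model only imitates with a function-pointer array.

```c
#include <stdio.h>
#include <string.h>

/* Response actions of the monitoring strategy (recording, alarming, blocking). */
enum action { ACT_RECORD = 1, ACT_ALARM = 2, ACT_BLOCK = 4 };

/* Constructed guest syscall numbers; real numbers depend on the guest kernel. */
enum { NR_OPEN = 2, NR_UNLINK = 87, NR_MAX = 128 };

/* In this model a guest syscall receives its own number plus one path argument. */
typedef long (*syscall_fn)(int nr, const char *path);

/* One rule of the strategy: which syscall, which sensitive path prefix, which actions. */
struct rule { int nr; const char *prefix; unsigned actions; };

/* The monitoring strategy as kept on the virtualization-layer side. */
struct policy { const char *vm_id; struct rule rules[8]; int nrules; };

static syscall_fn guest_table[NR_MAX];     /* stand-in for the guest's system call table */
static syscall_fn saved_original[NR_MAX];  /* original entries, kept by the monitor code */
static struct policy vmm_policy;           /* strategy held by the virtualization layer */
static char event_log[32][96];
static int nevents;

/* Original guest handlers (constructed stand-ins for the real kernel functions). */
static long guest_sys_open(int nr, const char *path)   { (void)nr; (void)path; return 3; }
static long guest_sys_unlink(int nr, const char *path) { (void)nr; (void)path; return 0; }

/* Step four: the monitor's proxy function. It fetches the matching rule from the
 * virtualization layer's strategy and applies the configured response actions. */
static long monitor_proxy(int nr, const char *path)
{
    for (int i = 0; i < vmm_policy.nrules; i++) {
        const struct rule *r = &vmm_policy.rules[i];
        if (r->nr != nr || strncmp(path, r->prefix, strlen(r->prefix)) != 0)
            continue;
        if (r->actions & ACT_RECORD)
            snprintf(event_log[nevents++ % 32], 96, "record vm=%s nr=%d path=%s", vmm_policy.vm_id, nr, path);
        if (r->actions & ACT_ALARM)
            snprintf(event_log[nevents++ % 32], 96, "ALARM vm=%s nr=%d path=%s", vmm_policy.vm_id, nr, path);
        if (r->actions & ACT_BLOCK)
            return -13;                /* -EACCES: the call never reaches the guest handler */
        break;
    }
    return saved_original[nr](nr, path);   /* allowed: fall through to the original */
}

/* Step three: the virtualization layer redirects the table entries named in the
 * strategy to the monitor's proxy. Returns the number of entries hooked. */
int vmm_install_hooks(const struct policy *p)
{
    int hooked = 0;
    vmm_policy = *p;
    for (int i = 0; i < p->nrules; i++) {
        int nr = p->rules[i].nr;
        if (nr < 0 || nr >= NR_MAX || guest_table[nr] == NULL || guest_table[nr] == monitor_proxy)
            continue;                  /* unknown slot, or already hooked */
        saved_original[nr] = guest_table[nr];
        guest_table[nr] = monitor_proxy;
        hooked++;
    }
    return hooked;
}

/* The dispatch a guest would perform from its system call entry function. */
long guest_syscall(int nr, const char *path)
{
    if (nr < 0 || nr >= NR_MAX || guest_table[nr] == NULL)
        return -38;                    /* -ENOSYS */
    return guest_table[nr](nr, path);
}

int event_count(void) { return nevents; }
const char *event_at(int i) { return event_log[i]; }

/* Steps one and two in miniature: the user's strategy for VM "vm-01" is set, the
 * table is populated as the guest would have it, and hooks are installed at "boot". */
int demo_hooks_setup(void)
{
    struct policy p = { "vm-01", {
        { NR_UNLINK, "/etc/", ACT_RECORD | ACT_ALARM | ACT_BLOCK },
        { NR_OPEN,   "/etc/", ACT_RECORD } }, 2 };
    nevents = 0;
    memset(event_log, 0, sizeof event_log);
    memset(guest_table, 0, sizeof guest_table);
    guest_table[NR_OPEN] = guest_sys_open;
    guest_table[NR_UNLINK] = guest_sys_unlink;
    return vmm_install_hooks(&p);
}

int main(void)
{
    demo_hooks_setup();
    printf("unlink /etc/passwd -> %ld\n", guest_syscall(NR_UNLINK, "/etc/passwd"));
    printf("open /etc/shadow   -> %ld\n", guest_syscall(NR_OPEN, "/etc/shadow"));
    for (int i = 0; i < event_count(); i++) puts(event_at(i));
    return 0;
}
```

The point of the split is that the strategy lives outside the guest: the proxy consults `vmm_policy`, which only `vmm_install_hooks` writes, so changing which calls or paths are monitored needs no change to the injected code itself, matching the dynamic add/delete through an API described above.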
The agent-free virtual machine monitoring system does not depend on the specific release version of the monitored virtual machine and is highly portable; at the same time, the monitoring code located in the virtualization layer can be conveniently trimmed and replaced in various ways, which achieves the effect of real-time hot patching of the monitoring inside the virtual machine.
Furthermore, when malicious code in the virtual machine attempts to modify the protected virtual machine memory, a read-only protection exception is triggered at the point where the memory address is finally resolved; the malicious code is thereby caught, and the malicious process is then killed, an alarm is raised and/or the virtual machine is halted.
The monitoring code of the invention resides in the kernel memory area of the virtual machine and leaves no trace anywhere other than the virtual machine's page tables, so the code is highly concealed. The system call table, the code segment of the system call entry function and the dynamically injected monitoring code segment of the virtual machine are protected read-only by the virtualization layer, which has a higher privilege level, and this prevents the monitoring system from being damaged by malicious code in the virtual machine.
Further, in step one, before the user sets the monitoring strategy through the monitoring strategy setting module, the method also includes reading the monitoring code file of the virtualization platform layer in advance.
By adopting this technical scheme, the invention has the following beneficial effects:
In the agent-free virtual machine monitoring method, monitoring is realized by dynamically injecting monitoring code into the virtual machine after the virtualization layer detects that the virtual machine has started, so monitoring is highly flexible and real-time response is fast. At the same time, read-only protection of the key data and code related to monitoring, enforced by the virtualization layer, guarantees that the monitoring system remains effective at all times.
The agent-free virtual machine monitoring method combines, within the virtualization layer, the high security of virtualization-layer monitoring with the real-time performance of traditional monitoring. When the virtual machine is started, a section of executable monitoring code is transparently injected into the kernel memory area of the virtual machine, and the system call table function pointers in the virtual machine kernel are rewritten to point to the corresponding functions of the injected monitoring code, so that the virtual machine's system calls are securely monitored with high flexibility and fast real-time response.
Monitoring purely from the virtualization platform, which sets hardware traps to transparently intercept actions in the virtual machine, causes frequent switching between root mode and non-root mode. Because the invention places the actually executed monitoring code inside the virtual machine, it does not need to set specific hardware trapping conditions, causes no additional mode switches between the virtual machine and the virtualization layer, and avoids the unnecessary overhead of frequent context switching.
Drawings
Fig. 1 is a schematic flow chart of a conventional (prior art) virtual machine monitoring method.
Fig. 2 is a schematic flow chart of another conventional (prior art) virtual machine monitoring method.
Fig. 3 is a schematic flow chart of a virtual machine monitoring method according to the present invention.
FIG. 4 is a diagram of a monitoring framework of a virtual machine according to the present invention.
FIG. 5 is a schematic diagram of the basic environment for implementing the present invention.
Fig. 6 is a schematic view of the monitoring strategy according to the present invention.
FIG. 7 is a schematic diagram of a monitor code injection module according to the present invention.
FIG. 8 is a diagram illustrating a physical address access of a virtual machine according to the present invention.
Detailed Description
Embodiments of the present invention are described in detail below with reference to the accompanying figs. 1 to 8.
As shown in fig. 5, the virtual machine architecture of the KVM (Kernel-based Virtual Machine) virtualization layer of the embodiment comprises the underlying hardware, a Linux kernel and a plurality of virtual machines.
As shown in fig. 3, an agent-free virtual machine monitoring system comprises:
a monitoring strategy setting module, used for managing the monitoring strategy of the user's virtual machine;
a monitoring injection module, deployed in the virtualization layer, used for judging whether the currently started virtual machine meets the monitoring code injection condition and for executing the monitoring code injection; and
a monitoring function protection module, deployed in the virtualization layer, used for applying read-only protection to the virtual machine system call table, the monitoring code and the execution flow of the system call entry function.
An agent-free virtual machine monitoring method, applied to the agent-free virtual machine monitoring system above, comprises the following steps:
step one: a user sets a monitoring strategy through the monitoring strategy setting module, where the monitoring strategy comprises the identifier of the virtual machine to be monitored, the related system calls to be monitored, and the response actions of the virtual machine system call monitoring;
step two: when the virtual machine is started, the code injection module dynamically injects the monitoring code according to the identifier of the virtual machine to be monitored;
step three: the virtualization layer dynamically modifies the system call function pointers according to the monitoring code and the monitoring strategy, so that the system call function pointers point to the function addresses of the monitoring code;
step four: after the monitoring code intercepts a system call inside the virtual machine, it obtains the monitoring strategy from the virtualization layer and completes the specific response to the intercepted virtual machine system call according to the monitoring strategy.
In the invention, monitoring code compiled in advance is dynamically injected when the virtual machine is started; the whole process requires no agent component to be deployed in the virtual machine, and all operations are carried out by the virtualization layer. Once the system call interception monitoring code has been injected, security monitoring of the virtual machine based on system calls can be carried out transparently and in real time inside the virtual machine.
Further, the dynamic injection of monitoring code in step two is specifically: the virtualization platform layer generates executable code from the monitoring code, then requests memory from the virtual machine kernel and writes the executable code into the requested virtual machine kernel memory.
Further, generating the executable code specifically includes the following steps:
step 101: when the virtual machine is started, the code injection module judges, according to the identifier of the virtual machine to be monitored, whether to execute the monitoring code injection logic; if the monitoring code injection condition is met, the monitoring code file on the virtualization platform layer is read and the virtual machine kernel symbol table is dynamically parsed;
step 102: the virtualization platform layer repairs the symbol table and relocation data of the monitoring code according to the symbol table of the virtual machine and the format of the monitoring code file, and generates the executable code.
Further, step three also includes that the virtualization platform layer obtains the address of the virtual machine system call table and the address of the system call entry function from the virtual machine symbol table, and then sets the read-only attribute in the EPT page table entries for the system call table address, the system call entry function address and the address of the injected monitoring code.
Further, the monitoring strategy comprises monitoring objects and response actions, where the monitoring objects include a sensitive word library, sensitive processes, and sensitive files and directories, and the response actions include recording, alarming, filtering, blocking and obfuscating.
Further, steps one to four also include: the user dynamically adds and deletes entries of the list of virtual machines to be monitored, the list of system calls to be monitored, the monitoring objects and the response actions through an API (application programming interface).
The agent-free virtual machine monitoring system does not depend on the specific release version of the monitored virtual machine and is highly portable; at the same time, the monitoring code located in the virtualization layer can be conveniently trimmed and replaced in various ways, which achieves the effect of real-time hot patching of the monitoring inside the virtual machine.
Furthermore, when malicious code in the virtual machine attempts to modify the protected virtual machine memory, a read-only protection exception is triggered at the point where the memory address is finally resolved; the malicious code is thereby caught, and the malicious process is then killed, an alarm is raised and/or the virtual machine is halted.
The monitoring code of the invention resides in the kernel memory area of the virtual machine and leaves no trace anywhere other than the virtual machine's page tables, so the code is highly concealed. The system call table, the code segment of the system call entry function and the dynamically injected monitoring code segment of the virtual machine are protected read-only by the virtualization layer, which has a higher privilege level, and this prevents the monitoring system from being damaged by malicious code in the virtual machine.
Further, in step one, before the user sets the monitoring strategy through the monitoring strategy setting module, the method also includes reading the monitoring code file of the virtualization platform layer in advance.
The system call interception of the present embodiment is described in detail with reference to fig. 7.
When a virtual machine has just been started, the KVM detects that the virtual machine is in the starting state. At this moment the monitoring code file located on the virtualization platform side is loaded, then the symbol table of the current virtual machine is dynamically parsed, and the symbol table of the monitoring code is repaired in temporary memory according to the symbol table of the current virtual machine. When the virtual machine executes a privileged instruction, the KVM writes into the virtual machine's memory so that a function address is placed in the current instruction register, whereby a memory area is dynamically allocated in the virtual machine kernel. The relocation data of the monitoring code is then restored according to the base address of the dynamically allocated virtual machine kernel memory, and finally the monitoring code segment whose symbol table and relocation table have been repaired is written into the allocated virtual machine kernel memory.
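The symbol table repair of steps 101 and 102 and the relocation pass just described are, from a loader's point of view, the same two operations: resolve each external reference of the monitoring code against the guest kernel's symbol table, and rebase each internal reference onto the guest kernel memory that was allocated at runtime. The following C code is an added example written for this page, not the patent's own implementation: the 64-byte image, the relocation records, the guest symbol names and addresses (`printk`, `sys_call_table`, `entry_SYSCALL_64`) and the allocation base `DEMO_BASE` are all constructed, and the function `relocate_monitor_image` is a hypothetical name. It shows the check a practitioner wants in this step: nothing is written into the image unless every symbol resolves and every relocation lies inside the image, so a failed repair leaves no half-patched code.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMG_SIZE 64

/* A reference in the monitor image that must be patched before it can run in the guest:
 * either the address of a guest kernel symbol, or an address inside the image itself
 * (only known once the guest kernel memory has been allocated). */
enum reloc_kind { RELOC_GUEST_SYMBOL, RELOC_IMAGE_INTERNAL };
struct reloc { uint32_t offset; enum reloc_kind kind; const char *symbol; uint32_t addend; };

struct guest_symbol { const char *name; uint64_t addr; };

/* Constructed guest kernel symbol table (stand-in for the table parsed at VM start). */
static const struct guest_symbol guest_symtab[] = {
    { "sys_call_table",   0xffffffff81e00000ULL },
    { "printk",           0xffffffff810a1230ULL },
    { "entry_SYSCALL_64", 0xffffffff81a00010ULL },
};

/* Step 101: look a name up in the parsed guest symbol table. */
static int lookup_guest_symbol(const char *name, uint64_t *out)
{
    for (size_t i = 0; i < sizeof guest_symtab / sizeof guest_symtab[0]; i++)
        if (strcmp(guest_symtab[i].name, name) == 0) { *out = guest_symtab[i].addr; return 0; }
    return -1;
}

/* Little-endian 64-bit store/load at a byte offset of the image. */
static void put_u64(uint8_t *img, uint32_t off, uint64_t v)
{ for (int i = 0; i < 8; i++) img[off + i] = (uint8_t)(v >> (8 * i)); }
uint64_t get_u64(const uint8_t *img, uint32_t off)
{ uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | img[off + i]; return v; }

/* Step 102 plus the relocation pass: resolve every external symbol against the guest
 * symbol table and rebase every internal reference onto guest_base. Returns 0 on
 * success, -1 for an unresolvable symbol, -2 for a relocation outside the image.
 * All checks run before the first write, so a failing repair leaves img untouched. */
int relocate_monitor_image(uint8_t *img, size_t img_len,
                           const struct reloc *relocs, int nrelocs, uint64_t guest_base)
{
    uint64_t values[32];
    if (nrelocs < 0 || nrelocs > 32) return -2;
    for (int i = 0; i < nrelocs; i++) {
        if ((size_t)relocs[i].offset + 8 > img_len) return -2;
        if (relocs[i].kind == RELOC_GUEST_SYMBOL) {
            if (lookup_guest_symbol(relocs[i].symbol, &values[i]) != 0) return -1;
            values[i] += relocs[i].addend;
        } else {
            if (relocs[i].addend >= img_len) return -2;
            values[i] = guest_base + relocs[i].addend;
        }
    }
    for (int i = 0; i < nrelocs; i++) put_u64(img, relocs[i].offset, values[i]);
    return 0;
}

/* Constructed example: a 64-byte image with three relocations. */
uint8_t demo_image[IMG_SIZE];
#define DEMO_BASE 0xffffc90000100000ULL   /* constructed guest kernel allocation base */

int demo_relocate(void)
{
    static const struct reloc relocs[] = {
        { 0x08, RELOC_GUEST_SYMBOL,   "printk",         0 },
        { 0x10, RELOC_IMAGE_INTERNAL, NULL,             0x20 },      /* a label in the image */
        { 0x18, RELOC_GUEST_SYMBOL,   "sys_call_table", 8 * 87 },   /* one table slot */
    };
    memset(demo_image, 0, sizeof demo_image);
    return relocate_monitor_image(demo_image, sizeof demo_image, relocs, 3, DEMO_BASE);
}

/* Same flow with a symbol the guest kernel does not export: the repair must fail. */
int demo_missing_symbol(void)
{
    static const struct reloc relocs[] = { { 0x08, RELOC_GUEST_SYMBOL, "not_a_guest_symbol", 0 } };
    uint8_t img[IMG_SIZE] = {0};
    return relocate_monitor_image(img, sizeof img, relocs, 1, DEMO_BASE);
}

int main(void)
{
    printf("relocate: %d\n", demo_relocate());
    for (uint32_t off = 0x08; off <= 0x18; off += 8)
        printf("  [0x%02x] = 0x%016llx\n", off, (unsigned long long)get_u64(demo_image, off));
    printf("missing symbol: %d\n", demo_missing_symbol());
    return 0;
}
```

The `RELOC_IMAGE_INTERNAL` case is why the patent restores the relocation data only after the guest memory has been requested: internal references cannot be fixed up until the base address of that allocation is known.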
The virtualization layer locates the system call table of the current virtual machine by parsing the virtual machine's symbol table and, according to the list of system call numbers in the monitoring strategy, modifies the corresponding system call table entries one by one into the function addresses of the injected monitoring code, so that system calls inside the virtual machine are intercepted by the system call proxy functions of the monitoring code.
Virtual machine physical address access is described below with reference to fig. 8.
When the virtual machine is started, the symbol table is parsed to obtain the base address of the system call function table and the base address of the system call entry function; at the same time, the base address of the monitoring code's code segment is obtained by parsing the monitoring code file. In the KVM, the virtual machine page table is walked from the virtual machine kernel virtual address to find the corresponding virtual machine physical address, then the corresponding EPT table entry is located, and the EPT entries of the corresponding data and code pages are set to the read-only attribute. Thus, as shown in fig. 8, when malicious code in the virtual machine attempts to modify this memory, an exception is triggered by the read-only protection at the point where the memory address is finally resolved; the exception is captured by the KVM, and the monitoring system is thereby prevented in time from being damaged by the malicious code.
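The two-stage address resolution in fig. 8 (guest page table, then EPT) is what makes the protection independent of anything the guest does to its own page tables. The C code below is an added model written for this page, not the patent's or KVM's code: the guest page table is a constructed four-entry map, the EPT is a small array, and `vmm_protect_region`, `guest_write` and `vmm_handle_ept_violation` are hypothetical names. It walks a kernel virtual address to a guest-physical page, clears the write permission in the EPT entry for the three regions the patent names, and shows that a later write to any of them is caught by the hypervisor with the configured response, while writes to an ordinary kernel data page complete normally.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)
#define PAGE_MASK  (~(PAGE_SIZE - 1))
#define MAX_PAGES  16

/* EPT permission bits kept by the hypervisor for each guest-physical page. */
enum { EPT_R = 1, EPT_W = 2, EPT_X = 4 };

/* Response when a write hits a protected page (the patent lists killing the
 * process, raising an alarm and/or halting the virtual machine). */
enum response { RESP_NONE = 0, RESP_ALARM = 1, RESP_KILL_PROCESS = 2, RESP_HALT_VM = 4 };

struct ept_entry { uint64_t gpa; unsigned perm; };
struct gpt_entry { uint64_t gva; uint64_t gpa; };   /* one guest page-table mapping */

/* Constructed guest page table: the three kernel regions the patent protects,
 * plus one ordinary data page that must stay writable. */
static const struct gpt_entry guest_pt[] = {
    { 0xffffffff81e00000ULL, 0x01e00000ULL },   /* sys_call_table page */
    { 0xffffffff81a00000ULL, 0x01a00000ULL },   /* syscall entry function page */
    { 0xffffc90000100000ULL, 0x07f00000ULL },   /* injected monitor code page */
    { 0xffff888003400000ULL, 0x03400000ULL },   /* ordinary kernel data page */
};

static struct ept_entry ept[MAX_PAGES];
static int nept;
static unsigned configured_response = RESP_ALARM | RESP_KILL_PROCESS;
static uint64_t last_fault_gpa;

/* First stage of fig. 8: walk the (toy) guest page table, virtual -> guest physical. */
static int gva_to_gpa(uint64_t gva, uint64_t *gpa)
{
    for (size_t i = 0; i < sizeof guest_pt / sizeof guest_pt[0]; i++)
        if ((gva & PAGE_MASK) == guest_pt[i].gva) {
            *gpa = guest_pt[i].gpa | (gva & ~PAGE_MASK);
            return 0;
        }
    return -1;                                   /* unmapped: guest page fault */
}

static struct ept_entry *ept_lookup(uint64_t gpa)
{
    for (int i = 0; i < nept; i++)
        if (ept[i].gpa == (gpa & PAGE_MASK)) return &ept[i];
    return NULL;
}

/* Hypervisor side of step three: translate each page of the region to its
 * guest-physical page and clear the write bit in its EPT entry. */
int vmm_protect_region(uint64_t gva, size_t len)
{
    for (uint64_t a = gva & PAGE_MASK; a < gva + len; a += PAGE_SIZE) {
        uint64_t gpa;
        if (gva_to_gpa(a, &gpa) != 0) return -1;
        struct ept_entry *e = ept_lookup(gpa);
        if (e == NULL) {
            if (nept == MAX_PAGES) return -1;
            e = &ept[nept++];
            e->gpa = gpa & PAGE_MASK;
            e->perm = EPT_R | EPT_W | EPT_X;
        }
        e->perm &= ~(unsigned)EPT_W;
    }
    return 0;
}

/* EPT violation handler: records the faulting address and returns the response. */
static unsigned vmm_handle_ept_violation(uint64_t gpa)
{
    last_fault_gpa = gpa;
    return configured_response;
}

/* A guest write as the hardware resolves it: guest page walk, then EPT check.
 * Returns -1 for a guest page fault, 0 when the write lands, or the hypervisor's
 * response (> 0) when the write is caught by the read-only protection. */
int guest_write(uint64_t gva, uint64_t value)
{
    uint64_t gpa;
    (void)value;                                 /* the model stores nothing */
    if (gva_to_gpa(gva, &gpa) != 0) return -1;
    struct ept_entry *e = ept_lookup(gpa);
    if (e != NULL && !(e->perm & EPT_W))
        return (int)vmm_handle_ept_violation(gpa);
    return 0;                                    /* unprotected page: write completes */
}

uint64_t fault_gpa(void) { return last_fault_gpa; }

/* Constructed setup: protect the three regions the patent names. Returns the
 * number of EPT entries that were made read-only, or -1 on failure. */
int demo_protect_setup(void)
{
    nept = 0; last_fault_gpa = 0;
    memset(ept, 0, sizeof ept);
    if (vmm_protect_region(0xffffffff81e00000ULL, 4096) != 0) return -1;  /* system call table */
    if (vmm_protect_region(0xffffffff81a00010ULL, 256)  != 0) return -1;  /* syscall entry code */
    if (vmm_protect_region(0xffffc90000100000ULL, 4096) != 0) return -1;  /* injected monitor code */
    return nept;
}

int main(void)
{
    printf("protected pages: %d\n", demo_protect_setup());
    printf("write to syscall table slot -> response %d (gpa 0x%llx)\n",
           guest_write(0xffffffff81e00000ULL + 8 * 87, 0), (unsigned long long)fault_gpa());
    printf("write to ordinary data page -> %d\n", guest_write(0xffff888003400100ULL, 0));
    return 0;
}
```

Because the check happens on the guest-physical page, remapping the kernel virtual address in the guest's own page tables does not help an attacker: any mapping that reaches the same physical page meets the same read-only EPT entry.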

Claims (7)

1. An agent-less virtual machine monitoring system, comprising:
the monitoring strategy setting module is used for managing a user virtual machine monitoring strategy, wherein the monitoring strategy comprises a virtual machine identifier to be monitored, monitored related system call and response action of monitoring of virtual machine system call;
the method comprises the following steps that a monitoring injection module is deployed on a virtualization layer and used for judging whether a currently started virtual machine meets monitoring code injection conditions and executing monitoring code injection, and the specific flow is as follows, when the virtual machine is just started, a KVM detects that the virtual machine is in a starting state, at the moment, a monitoring code file located on a virtualization platform side is loaded, then a symbol table of the current virtual machine is dynamically analyzed, symbol table repair of monitoring codes is completed in a temporary memory according to the symbol table of the current virtual machine, and when the virtual machine executes a privilege instruction, a function address is allocated to a current instruction register by inserting a memory of the virtual machine, so that a memory area is dynamically applied in a kernel of the virtual machine; then, restoring the repositioning data of the monitoring code according to the dynamically applied base address of the kernel memory of the virtual machine, and finally writing the monitoring code segment for completing symbol table and repositioning table restoration into the kernel memory of the virtual machine;
and the monitoring function protection module is deployed in the virtualization layer and is used for performing read-only protection on the virtual machine system call table, the monitoring code and the system call entry function execution flow.
2. An agent-free virtual machine monitoring method, applying the agent-free virtual machine monitoring system of claim 1, characterized by comprising the following steps:
the method comprises the following steps: a user sets a monitoring strategy through a monitoring strategy setting module, wherein the monitoring strategy comprises a virtual machine identifier to be monitored, monitored related system calling and response actions of the virtual machine system calling monitoring;
step two: when a virtual machine is started, a code injection module executes dynamic injection of a monitoring code according to a virtual machine identifier to be monitored, the specific flow is as follows, when the virtual machine is just started, a KVM detects that the virtual machine is in a starting state, at the moment, a monitoring code file positioned on a virtualization platform side is loaded, then a symbol table of the current virtual machine is dynamically analyzed, in a temporary memory, the symbol table repair of the monitoring code is completed according to the current virtual machine symbol table, and when the virtual machine executes a privileged instruction, a virtual machine memory is inserted to allocate a function address to a current instruction register, so that a memory area is dynamically applied in a virtual machine kernel; then, restoring the repositioning data of the monitoring code according to the dynamically applied base address of the kernel memory of the virtual machine, and finally writing the monitoring code segment for completing symbol table and repositioning table restoration into the kernel memory of the virtual machine;
step three: the virtualization platform layer dynamically rewrites the system call function pointer, according to the monitoring code and the monitoring strategy, so that the system call function pointer points to the function address of the monitoring code;
step four: after the monitoring code intercepts a system call inside the virtual machine, it obtains the monitoring strategy from the virtualization platform layer and carries out the specific response to the intercepted virtual machine system call according to that strategy.
3. The agentless virtual machine monitoring method according to claim 2, characterized in that step three further comprises: the virtualization platform layer obtains the address of the virtual machine's system call table and the address of the system call entry function from the virtual machine's symbol table, and then sets a read-only attribute in the EPT page table for the system call table address, the system call entry function address and the address of the injected monitoring code.
4. The agentless virtual machine monitoring method according to claim 2, characterized in that the monitoring strategy comprises monitoring objects and response actions, wherein the monitoring objects comprise a sensitive word bank, sensitive processes, and sensitive files and directories, and the response actions comprise recording, alarming, filtering, blocking and obfuscating.
5. The agentless virtual machine monitoring method according to claim 4, characterized in that steps one to four further comprise: the user dynamically adds entries to, and deletes entries from, the list of virtual machines to be monitored, the list of system calls to be monitored, the monitoring objects and the response actions through an API (application programming interface).
6. The agentless virtual machine monitoring method according to claim 3, characterized in that when malicious code inside the virtual machine attempts to modify the virtual machine's memory, the read-only protection exception is triggered at the point where the memory address is finally resolved, the malicious code is captured, and the malicious process is then killed, an alarm raised and/or the virtual machine halted.
7. The agentless virtual machine monitoring method according to claim 2, characterized in that in step one, before the user sets the monitoring strategy through the monitoring strategy setting module, the method further comprises pre-reading the monitoring code file of the virtualization platform layer.
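The hook-and-respond flow of steps three and four, together with the strategy of claims 4 and 5, as an added example in C that is not part of the patent or of any product it describes. It is a user-space model: a function-pointer table stands in for the guest's system call table, monitor_install() plays the role of the virtualization layer rewriting the pointer, and hook_open() is the monitoring code that consults a strategy of monitored file prefixes with record/alarm/filter/block responses before passing the call through. All names (sys_call_table, hook_open, monitor_add_rule, guest_syscall) and the stub guest handler are assumptions for illustration; a real implementation performs the rewrite from the hypervisor after locating the table through the guest symbol table, as claim 3 describes.

```c
/*
 * Added example (not the patent's code): user-space model of steps three
 * and four and of the strategy in claims 4 and 5. A function-pointer table
 * stands in for the guest's system call table; monitor_install() plays the
 * virtualization layer rewriting the pointer; hook_open() is the monitoring
 * code applying the strategy. All names and the stub guest handler are
 * illustrative assumptions.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>

typedef long (*syscall_fn)(const char *path, int flags);

/* Response actions from the strategy (claim 4's "obfuscating" is omitted). */
enum response { RESP_RECORD, RESP_ALARM, RESP_FILTER, RESP_BLOCK };

struct rule {
    const char   *prefix;   /* monitoring object: a sensitive file or directory */
    enum response action;   /* response action to apply when it matches */
};

#define SYS_OPEN  2
#define MAX_RULES 16

static int guest_flags_seen;    /* lets callers inspect what reached the guest */

/* Stand-in for the guest kernel's real open(): records flags, returns a fake fd. */
static long guest_open(const char *path, int flags)
{
    (void)path;
    guest_flags_seen = flags;
    return 3;
}

/* Model of the guest's system call table, the structure the hypervisor rewrites. */
static syscall_fn sys_call_table[8] = { NULL, NULL, guest_open, NULL };

static struct rule rules[MAX_RULES];
static int         nrules;
static syscall_fn  orig_open;                  /* saved for pass-through */
static int         record_count, alarm_count, block_count;
static char        last_record[160];

/* First matching rule wins, so add specific prefixes before broad ones. */
static const struct rule *match_rule(const char *path)
{
    for (int i = 0; i < nrules; i++)
        if (strncmp(path, rules[i].prefix, strlen(rules[i].prefix)) == 0)
            return &rules[i];
    return NULL;
}

/* Monitoring code: the address the rewritten table entry now points at. */
static long hook_open(const char *path, int flags)
{
    const struct rule *r = match_rule(path);
    if (r == NULL)
        return orig_open(path, flags);         /* not a monitored object */

    record_count++;                            /* every match is recorded */
    snprintf(last_record, sizeof last_record, "open(\"%s\", 0x%x) action=%d",
             path, flags, (int)r->action);

    switch (r->action) {
    case RESP_RECORD: return orig_open(path, flags);
    case RESP_ALARM:  alarm_count++; return orig_open(path, flags);
    case RESP_FILTER: /* let the call through, but without write access */
        return orig_open(path, flags & ~(O_WRONLY | O_RDWR));
    case RESP_BLOCK:  block_count++; return -EACCES;
    }
    return -EINVAL;
}

/* Claim 5's API: add a monitoring object with its response action. */
int monitor_add_rule(const char *prefix, enum response action)
{
    if (nrules >= MAX_RULES) return -1;
    rules[nrules].prefix = prefix;
    rules[nrules].action = action;
    nrules++;
    return 0;
}

/* Step three: save the original pointer and redirect the entry to the hook. */
void monitor_install(void)
{
    orig_open = sys_call_table[SYS_OPEN];
    sys_call_table[SYS_OPEN] = hook_open;
}

/* A guest system call dispatched through the (now rewritten) table. */
long guest_syscall(int nr, const char *path, int flags)
{
    return sys_call_table[nr](path, flags);
}

int monitor_record_count(void) { return record_count; }
int monitor_alarm_count(void)  { return alarm_count; }
int monitor_block_count(void)  { return block_count; }
int guest_last_flags(void)     { return guest_flags_seen; }
const char *monitor_last_record(void) { return last_record; }

int main(void)
{
    monitor_add_rule("/etc/shadow", RESP_BLOCK);
    monitor_add_rule("/etc/",       RESP_ALARM);
    monitor_add_rule("/srv/www/",   RESP_FILTER);
    monitor_install();
    printf("%ld\n", guest_syscall(SYS_OPEN, "/etc/shadow", O_RDONLY));
    printf("%ld %s\n", guest_syscall(SYS_OPEN, "/etc/passwd", O_RDWR),
           monitor_last_record());
    return 0;
}
```

The rule order matters: the blocking rule for /etc/shadow is added before the broader /etc/ alarm rule, otherwise the first-match lookup would only alarm on it. The filter response shows one reading of claim 4's "filtering" (the call proceeds with the write bits stripped); the patent does not define the semantics of each response beyond naming them.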
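The read-only protection of claim 3 and the exception handling of claim 6, as an added example that is not the patent's code. On real hardware the hypervisor sets the EPT entry for the page holding the system call table to read-only and takes the resulting EPT violation; this user-space model substitutes mprotect() for the EPT attribute and a SIGSEGV handler for the hypervisor's exception handler, which records the faulting address and unwinds the write so it never lands. It is Linux/POSIX specific, and the names (protect_table, try_tamper, evil_entry) are assumptions.

```c
/*
 * Added example (not the patent's code): user-space model of claims 3 and 6.
 * mprotect() on the page holding the call table stands in for the EPT
 * read-only attribute; the SIGSEGV handler stands in for the hypervisor's
 * handler of the resulting EPT violation. Linux/POSIX only; names assumed.
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef long (*syscall_fn)(void);

static long guest_getpid(void) { return 1234; }   /* legitimate guest handler */
long evil_entry(void)          { return -1; }     /* what the malicious code wants installed */

static syscall_fn *protected_table;   /* one whole page, mapped with mmap() */
static size_t      page_size;
static sigjmp_buf  recover;
static int         violations;
static void       *last_fault_addr;

/* Hypervisor-side handler: record the attempt and abort the faulting write. */
static void on_violation(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    violations++;
    last_fault_addr = si->si_addr;
    siglongjmp(recover, 1);     /* the write is never retried, so it never lands */
}

/* Claim 3: populate the table, then mark its page read-only. Returns 0 on success. */
int protect_table(void)
{
    struct sigaction sa;
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    protected_table = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
                           MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (protected_table == MAP_FAILED) return -1;
    protected_table[0] = guest_getpid;

    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_violation;
    sa.sa_flags = SA_SIGINFO;
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;

    return mprotect(protected_table, page_size, PROT_READ);
}

/* Claim 6: malicious in-guest code tries to swap the table entry.
 * Returns 1 if the write was caught, 0 if it silently succeeded. */
int try_tamper(syscall_fn replacement)
{
    volatile syscall_fn *slot = &protected_table[0];
    if (sigsetjmp(recover, 1) == 0) {
        *slot = replacement;    /* faults because the page is read-only */
        return 0;
    }
    return 1;
}

long dispatch_entry0(void) { return protected_table[0](); }
int  violation_count(void) { return violations; }

/* True when the recorded fault address lies inside the protected table. */
int fault_was_in_table(void)
{
    unsigned char *lo = (unsigned char *)protected_table;
    unsigned char *hi = lo + page_size;
    unsigned char *at = (unsigned char *)last_fault_addr;
    return at >= lo && at < hi;
}

int main(void)
{
    if (protect_table() != 0) { perror("protect_table"); return 1; }
    printf("caught=%d entry0=%ld violations=%d\n",
           try_tamper(evil_entry), dispatch_entry0(), violation_count());
    return 0;
}
```

The table keeps its original entry after the attempt because the faulting store is abandoned rather than emulated; a hypervisor handling an EPT violation makes the same choice when it kills the process or halts the guest instead of resuming it. Leaving the SIGSEGV handler installed means any later genuine crash in the process would also be swallowed, which is why a real monitor attributes the violation to the guest's current process before acting.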
Publications (2)

Publication Number Publication Date
CN108920253A CN108920253A (en) 2018-11-30
CN108920253B CN108920253B (en) 2022-05-17

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810632935.XA CN108920253B (en) 2018-06-20 2018-06-20 Agent-free virtual machine monitoring system and monitoring method

Family ID=64421304

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110941551B (en) * 2019-11-21 2021-04-30 Tencent Technology (Shenzhen) Co., Ltd. Application stuck detection method, device and equipment and computer storage medium
CN113032737B (en) * 2021-03-15 2021-11-30 Tsinghua University Software protection method and device, electronic equipment and storage medium
CN113176926B (en) * 2021-04-06 2023-09-05 Institute of Information Engineering, Chinese Academy of Sciences API dynamic monitoring method and system based on virtual machine introspection technology
CN113448690B (en) * 2021-08-27 2022-02-01 Alibaba Cloud Computing Co., Ltd. Monitoring method and device

Citations (4)

Publication number Priority date Publication date Assignee Title
CN101499016A (en) * 2008-01-31 2009-08-05 Lenovo (Beijing) Co., Ltd. Virtual machine monitor, virtual machine system and process handling method for a guest operating system
CN106775929A (en) * 2016-11-25 2017-05-31 Institute of Information Engineering, Chinese Academy of Sciences Virtual platform security monitoring method and system
CN107291525A (en) * 2016-04-01 2017-10-24 Huawei Technologies Co., Ltd. Method, host and system for deploying a virtual machine
CN109150616A (en) * 2018-09-03 2019-01-04 Chengdu Haifanwu Technology Co., Ltd. Intelligent gateway that can automatically add an HTTPS entry, and its working method

Family Cites Families (8)

Publication number Priority date Publication date Assignee Title
US7886294B2 (en) * 2004-12-28 2011-02-08 Sap Ag Virtual machine monitoring
US8635612B2 (en) * 2005-04-29 2014-01-21 Microsoft Corporation Systems and methods for hypervisor discovery and utilization
US8838913B1 (en) * 2009-09-15 2014-09-16 Symantec Corporation System and method for locating a memory page in a guest virtual machine
CN103399812B (en) * 2013-07-22 2016-04-13 Xidian University Disk file operation monitoring system and monitoring method based on Xen hardware virtualization
CN103365758B (en) * 2013-08-05 2016-03-16 Beijing Sohu New Media Information Technology Co., Ltd. Process monitoring method and system in a virtualized environment
CN107291587A (en) * 2016-04-11 2017-10-24 Beijing Jingdong Shangke Information Technology Co., Ltd. Computer application program monitoring method and device
CN107169347B (en) * 2017-05-08 2019-07-05 Institute of Information Engineering, Chinese Academy of Sciences Method and device for enhancing virtual machine introspection security on the ARM platform
CN107357629A (en) * 2017-07-10 2017-11-17 Chengdu Chongdong Qiji Technology Co., Ltd. Agentless virtual machine monitoring method and device based on online memory analysis

Non-Patent Citations (4)

Title
Mathias Morbitzer et al., "SEVerity: Code Injection Attacks against Encrypted Virtual Machines", 2021 IEEE Security and Privacy Workshops (SPW), 2021-07-08, pp. 444-455 *
Xiaoguang Wang et al., "Transparent Security-Sensitive Process Protection via VMM-Based Process Shadowing", 2013 IEEE 37th Annual Computer Software and Applications Conference Workshops, 2013-09-23, pp. 115-120 *
Yin Xueyuan et al., "An agentless virtual machine process monitoring method", Journal of Nanjing University (Natural Science), 2019-03-30, vol. 55, no. 2, pp. 221-230 *
Shen Jinan et al., "A process behavior monitoring system based on API hooking", Journal of Yunnan University (Natural Science Edition), 2018-05-10, vol. 40, no. 3, pp. 466-473 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 610000, 1, No. 39 Dayuan South 2nd Street, Chengdu High-tech Zone, Sichuan

Applicant after: Chengdu Lingyue Yunchuang Technology Co., Ltd.

Address before: 610000, 1, No. 39 Dayuan South 2nd Street, Chengdu High-tech Zone, Sichuan

Applicant before: Chengdu Chongdong Qiji Technology Co., Ltd.

GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 2022-07-08

Address after: 610000, Room 1110, Floor 11, Unit 1, Building 1, No. 722, middle section of Yizhou Avenue, High-tech Zone, Chengdu, Sichuan Province

Patentee after: Sichuan Lingyue Yunzhi Technology Co., Ltd.

Address before: 610000, 1, No. 39 Dayuan South 2nd Street, Chengdu High-tech Zone, Sichuan

Patentee before: Chengdu Lingyue Yunchuang Technology Co., Ltd.