
Abnormality Detection of Program Behavior by Using VMM


【Author】 JIANG Chuan-yong; YAO Li-hong; PAN Li

【Affiliation】 School of Electronic Information and Electrical Engineering, Shanghai Jiaotong University; Shanghai Key Lab of Integrated Management Technology for Information Security; State Key Lab. for Novel Software Technology, Nanjing University

【Abstract】 A virtual machine monitor (VMM) offers strong isolation and high transparency, while program behavior is stable and easy to detect. Building on these properties, a VMM-based model for detecting abnormal program behavior is proposed. The model first captures the low-level data generated by program behavior from the VMM layer and analyzes it to reconstruct a view of process behavior. It then combines protective checkpoints with the C4.5 decision tree algorithm to dynamically and comprehensively analyze and judge the reconstructed behavior-view data, detecting abnormal behavior and raising a warning. Finally, the model is implemented and analyzed using QEMU as the VMM, and the results show that it can effectively detect abnormal program behavior.

【Funding】 National Key Technology R&D Program of China (No. 2014BAG01B02)
  • 【Source】 Information Security and Communications Privacy, 2016, Issue 03
  • 【Classification No.】 TP393.08
  • 【Times cited】 1
  • 【Downloads】 73