Computer Applications and Software (计算机应用与软件), 2011, Vol. 28, No. 9: 52-55, 59 (5 pages).
Research on Virtual Machine-Based Runtime Intrusion Detection Technology (基于虚拟机的运行时入侵检测技术研究)
STUDY ON INTRUSION DETECTION TECHNOLOGY AT RUNNING BASED ON VIRTUAL MACHINE
Abstract
Intrusion detection methods fall into two kinds: misuse-based detection and anomaly-based detection. Misuse-based detection can detect known attacks from a library of attack rules, but fails against attacks for which no prior knowledge exists. Anomaly-based detection can flag latent attacks whose behaviour deviates from the thresholds of normal operation, but has a higher false-alarm rate. In this paper we carry out out-of-band surveillance of the runtime behaviour of a virtual machine's operating system from the virtual machine monitor, which avoids the problem of a surveillance module inside the guest operating system being infected by the very malware it is meant to detect. By monitoring the virtual machine's behaviour at runtime and analysing the validity of its combined system call sequences, the ability of misuse-based detection to counter long-running attacks is extended, and malicious attacks carried out through legitimate system calls are distinguished from benign activity. Test data show that this method detects complex compositional attacks well.
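As an added illustration (not code from the paper, whose own implementation is not reproduced here), the following sketch shows the two detector types the abstract combines, run over a guest's system-call sequence: a misuse rule library of ordered multi-step patterns whose steps may be separated by arbitrary legitimate calls (the long-running, compositional attack), and an n-gram profile of normal traces that flags unseen behaviour. In the paper the call sequence is collected out-of-band from the VMM; here the syscall names, traces and rule names are constructed sample data and the rules are hypothetical.

```python
"""
Added illustration, not code from the paper: analysing a guest's system-call
sequence with a misuse rule library (ordered multi-step attack patterns) plus an
n-gram anomaly profile of normal behaviour. The paper collects the trace
out-of-band from the VMM; here the traces, syscall names and rule names are
constructed sample data.
"""

# Misuse rule library (hypothetical rule names and sequences). Each rule is an
# ordered subsequence of individually legitimate system calls; steps may be
# separated by any number of unrelated calls, which is what lets a long-running,
# multi-stage attack be matched.
MISUSE_RULES = {
    "privilege-escalation-chain": ["open", "write", "chmod", "execve"],
    "reverse-shell": ["socket", "connect", "dup2", "dup2", "execve"],
}


class RuleMatcher:
    """Tracks how far each rule has progressed through the call stream."""

    def __init__(self, rules):
        self.rules = rules
        self.progress = {name: 0 for name in rules}

    def feed(self, call):
        """Advance every rule whose next expected call is `call`; return the
        names of rules completed by this call."""
        completed = []
        for name, seq in self.rules.items():
            if seq[self.progress[name]] == call:
                self.progress[name] += 1
                if self.progress[name] == len(seq):
                    completed.append(name)
                    self.progress[name] = 0
        return completed


class NgramProfile:
    """Set of n-grams observed in normal traces; unseen n-grams are anomalies."""

    def __init__(self, n=2):
        self.n = n
        self.known = set()

    def train(self, trace):
        for i in range(len(trace) - self.n + 1):
            self.known.add(tuple(trace[i:i + self.n]))

    def anomaly_score(self, trace):
        """Fraction of the trace's n-grams never seen during training."""
        grams = [tuple(trace[i:i + self.n])
                 for i in range(len(trace) - self.n + 1)]
        if not grams:
            return 0.0
        unseen = sum(1 for g in grams if g not in self.known)
        return unseen / len(grams)


def build_profile(normal_traces, n=2):
    profile = NgramProfile(n)
    for trace in normal_traces:
        profile.train(trace)
    return profile


def analyse(trace, profile, rules=MISUSE_RULES, threshold=0.3):
    """Run both detectors over one trace. `misuse` lists (index, rule) pairs
    at the call that completed a rule; `anomalous` is the n-gram verdict."""
    matcher = RuleMatcher(rules)
    misuse_hits = []
    for idx, call in enumerate(trace):
        for name in matcher.feed(call):
            misuse_hits.append((idx, name))
    score = profile.anomaly_score(trace)
    return {"misuse": misuse_hits,
            "anomaly_score": score,
            "anomalous": score > threshold}


# Constructed sample traces (not captured from a real guest).
NORMAL_TRACES = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["stat", "open", "read", "close"],
    ["socket", "connect", "write", "read", "close"],
    ["execve", "brk", "mmap", "munmap"],
    ["open", "write", "close", "stat", "chmod", "close"],
]
# Every call is legitimate and all but one bigram is normal, so the anomaly
# score stays low, but the ordered subsequence open -> write -> chmod -> execve
# completes a misuse rule.
STEALTHY_ATTACK = ["open", "write", "close", "stat", "chmod", "close",
                   "execve", "brk", "mmap", "munmap"]
# Matches no rule, but every bigram is unseen, so the anomaly detector fires.
UNKNOWN_ATTACK = ["ptrace", "ptrace", "mmap", "mprotect", "execve"]

if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES)
    for label, trace in (("normal", NORMAL_TRACES[3]),
                         ("stealthy", STEALTHY_ATTACK),
                         ("unknown", UNKNOWN_ATTACK)):
        print(label, analyse(trace, profile))
```

The two sample attacks show why the abstract combines the detectors: the stealthy chain is built only from legitimate calls and normal-looking bigrams, so the anomaly score stays under the threshold and only the rule matcher catches it, while the unknown trace completes no rule and is caught only by the anomaly profile. In a real deployment the RuleMatcher state must persist for the lifetime of the guest rather than being rebuilt per trace, otherwise a step spread across collection windows is lost.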
Keywords: Intrusion detection; Virtual machine monitor; System call monitoring
Category: Information technology and security science
Citation: Wei Hui, Wu Qingbo, Tan Yusong. Research on virtual machine-based runtime intrusion detection technology [J]. Computer Applications and Software, 2011, 28(9): 52-55, 59.
Funding: National High-tech R&D Program of China (863 Program) (2009AA01Z101); NSFC Key Project (90718040)