Computer Applications and Software (计算机应用与软件), 2025, Vol. 42, Issue (10): 30-35, 6. DOI: 10.3969/j.issn.1000-386x.2025.10.005
LIGHTWEIGHT KERNEL CONTROL FLOW ANOMALY DETECTION METHOD
Abstract
To address the problem that existing virtual machine introspection techniques struggle to balance completeness and efficiency in control flow anomaly detection, a lightweight kernel control flow anomaly detection method named HyperCache is proposed. By setting up special detection code and a target address cache, the compliance of the jump target addresses of indirect function calls can be checked dynamically inside the kernel. As a result, most of the security detection work does not need to trap into the virtual machine monitor, which greatly reduces the performance overhead caused by mode switching. The method can detect control flow anomalies before a rootkit jumps to malicious code, and it adds only about 4%~10% performance overhead relative to native Linux.
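Key words
Virtual machine introspection/Virtual machine monitor/Operating system kernel/Malicious code/Control flow/Anomaly detection
Classification
Information technology and security science
Cite this article
CHENG Zhonghan (程仲汉), CHEN Shuzhen (陈淑珍). Lightweight kernel control flow anomaly detection method [J]. Computer Applications and Software, 2025, 42(10): 30-35, 6.
Funding
Fujian Province University Industry-Academia Cooperation Project (2020H6024)
Fujian Province Education and Scientific Research Project for Young and Middle-aged Teachers (Science and Technology) (JAT200379).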