Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Rootkit detection mechanism and detection method based on kernel-based virtual machine

A technology of a kernel virtual machine and a detection method, which is applied to the rootkit detection mechanism and detection field based on a kernel virtual machine, can solve the problems of lag, the detection thread is easily affected by the rootkit, and the coupling is not good, so as to achieve the effect of small attack.

Inactive Publication Date: 2011-09-21
XI AN JIAOTONG UNIV +1
View PDF2 Cites 30 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

Specifically, the basic measure of this method is to save a copy of the key data segment or code segment that is vulnerable to rootkit attacks, run a detection thread and a recovery thread in the kernel, and the detection thread periodically detects these sensitive areas. If an exception is found, the recovery thread will be started immediately to recover; the second method is to customize or modify the kernel. For rootkits, it is often implemented as a loadable kernel module. This function can be forcibly disabled during compilation, but the system scalability is poor. In addition, by modifying the operating system kernel, the loading process is expanded by modifying the module loading function sys_init_module in the kernel. This method detects sensitive areas after executing the module initialization function. Kernel module unloading
[0004] Among the above two schemes, the method based on the detection-recovery mechanism is the most conventional method, and its disadvantages are also obvious. First, it cannot prevent the occurrence of rootkits. Regular detection has a certain lag, and the detection thread brings a certain amount of time. overhead, detection threads are also susceptible to rootkits
The second way to modify the source code, because its mechanism is triggered in the loading module, compared with the first method, has a certain ability to prevent rootkits, but it needs to modify the operating system kernel, the coupling is not good, and if the rootkit behavior is not Executed during module loading, can still escape detection mechanisms

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Rootkit detection mechanism and detection method based on kernel-based virtual machine
  • Rootkit detection mechanism and detection method based on kernel-based virtual machine
  • Rootkit detection mechanism and detection method based on kernel-based virtual machine

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0027] The invention is based on the rootkit detection mechanism of the kernel virtual machine. Firstly, the rootkit implementation form object is abstracted into four types: static kernel code, static kernel data, dynamic allocation code function and kernel heap space data structure.

[0028] A runtime module and a monitoring thread are loaded in the client computer, wherein the purpose of the runtime module is to obtain relevant information of the client computer during runtime. As the underlying virtual machine monitor KVM, it cannot obtain client semantic information other than system-level information. Therefore, the runtime module of the client implements semantic interaction with the underlying client at runtime. The information obtained by the runtime module of the client computer during runtime includes: interrupt vector table, system call table, kernel code segment information, key data information of the file system, and the like. The runtime module of the client co...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention provides a rootkit detection method based on a kernel-based virtual machine. By adopting the rootkit detection method, the types of objects attacked by rootkit are subjected to abstract classification into static code segment, static data segment, dynamic distribution function and heap space data, and different protection and detection mechanisms are provided specific to different types; while specific rootkit sensitive information is obtained through a runtime module operating in a client machine, information interaction between the kernel-based virtual machine and the client machine is realized by adding a semantic processing pathway, and by extending a corresponding page-fault exception handler and a vmcall active trap-in mechanism, the normal execution of the client machine is guaranteed under the rootkit detection mechanism. The rootkit detection mechanism and detection method, provided by the invention, can be used for effectively preventing the attack specific to static codes and data segments, and realizing isolated storage, detection and recovery of dynamic information at very low cost under a secure environment.

Description

technical field [0001] The invention belongs to the field of operating system security, in particular to a rootkit detection mechanism and detection method based on a kernel virtual machine (KVM for short). Background technique [0002] With the deepening of the application of computer technology, in the field of computer technology and research, performance is no longer the main focus, but high reliability and security of the system is replaced. A computer failure or security risk may cause immeasurable losses to the applications running on it. Rootkit, as a kind of malicious code running in the core state of the operating system, can provide hidden functions of processes, files, and communication connections for upper-layer applications. Once the backdoor program uses Rootkit, it can evade system administrators and monitoring programs to achieve its own purpose, thus bringing harm to key applications. [0003] The existing detection mechanism for Rootkit mainly has two m...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Applications(China)
IPC IPC(8): G06F21/22G06F21/56
Inventor 张兴军吴忠远王恩东董渭清董小社胡雷钧张东郑豪吴楠彭义勇宋鸿雁卫进
Owner XI AN JIAOTONG UNIV
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic, Popular Technical Reports.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap|About US| Contact US: help@patsnap.com