Rootkit detection mechanism and detection method based on kernel-based virtual machine

A kernel-based virtual machine technology and detection method, applied in the field of rootkit detection mechanisms and detection based on a kernel virtual machine, that addresses the problems of detection lag, a detection thread that is easily subverted by the rootkit, and poor decoupling, so as to achieve a small attack surface.
CN102194080A · Inactive · Publication Date: 2011-09-21 · XI AN JIAOTONG UNIV +1

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Applications (China)
Current Assignee / Owner: XI AN JIAOTONG UNIV
Publication Date: 2011-09-21
Estimated Expiration: Not applicable · inactive patent


Abstract

The invention provides a rootkit detection method based on a kernel-based virtual machine. In this method, the kinds of objects attacked by rootkits are abstractly classified into static code segments, static data segments, dynamic distribution functions and heap space data, and a different protection and detection mechanism is provided for each kind. Specific rootkit-sensitive information is obtained through a runtime module running in the client (guest) machine; information exchange between the kernel-based virtual machine and the client machine is realized by adding a semantic processing pathway; and by extending the corresponding page-fault exception handler and a vmcall active trap-in mechanism, normal execution of the client machine is guaranteed while the rootkit detection mechanism is in place. The rootkit detection mechanism and detection method provided by the invention can effectively prevent attacks on static code and data segments, and realize isolated storage, detection and recovery of dynamic information at very low cost in a secure environment.
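An added simulation, not code from the patent, of the per-class policy the abstract describes: static code and data pages are write-protected so that a guest write traps to the monitor instead of landing, while dynamic objects reported by the guest runtime module through a vmcall-style entry are shadowed, checked and restored. The object names, page layout and byte contents are constructed for the example.

```python
import hashlib

PAGE = 64  # toy page size for the simulation
STATIC_KINDS = {"static_code", "static_data"}      # protected by trapping guest writes
DYNAMIC_KINDS = {"dynamic_function", "heap_data"}  # protected by isolated shadow copies

class Guest:
    """Toy guest memory; a write to a protected page becomes a fault instead of landing."""
    def __init__(self, npages):
        self.pages = {n: bytearray(PAGE) for n in range(npages)}
        self.protected = set()
        self.faults = []
    def write(self, page, off, data):
        if page in self.protected:
            self.faults.append((page, off, bytes(data)))  # page-fault path into the monitor
            return False
        self.pages[page][off:off + len(data)] = data
        return True

class Monitor:
    """Hypervisor-side monitor: one policy per object kind, vmcall entry for the runtime module."""
    def __init__(self, guest):
        self.g, self.objects, self.shadow = guest, {}, {}
    def _digest(self, page):
        return hashlib.sha256(self.g.pages[page]).hexdigest()
    def vmcall(self, name, kind, page):
        """The guest runtime module reports a sensitive object (the semantic path into the monitor)."""
        self.objects[name] = (kind, page)
        if kind in STATIC_KINDS:
            self.g.protected.add(page)  # static segments: write-protect the page
        self.shadow[name] = (self._digest(page), bytes(self.g.pages[page]))  # isolated copy
    def check(self, recover=True):
        """Return {name: verdict}; dynamic objects that drifted are restored from the shadow copy."""
        report = {}
        for name, (kind, page) in self.objects.items():
            base_hash, base_bytes = self.shadow[name]
            if kind in STATIC_KINDS and any(f[0] == page for f in self.g.faults):
                report[name] = "blocked-write"
            elif self._digest(page) == base_hash:
                report[name] = "ok"
            elif kind in DYNAMIC_KINDS and recover:
                self.g.pages[page][:] = base_bytes  # recovery of dynamic information
                report[name] = "tampered-restored"
            else:
                report[name] = "tampered"
        return report

def demo():
    """Constructed scenario: a hook attempt on a static table and tampering with a heap object."""
    g = Guest(4)
    g.write(0, 0, b"\x0f\x05" * 8)            # static code (constructed bytes)
    g.write(1, 0, b"sys_read\x00sys_write")   # static data: a constructed call-table image
    g.write(2, 0, b"list_head=proc1")         # heap data tracked by the runtime module
    m = Monitor(g)
    m.vmcall("kernel_text", "static_code", 0)
    m.vmcall("call_table", "static_data", 1)
    m.vmcall("task_list", "heap_data", 2)
    g.write(1, 0, b"evil_read")               # write traps; the table is never modified
    g.write(2, 0, b"list_head=hidden")        # lands, then is detected and rolled back
    return m.check(), bytes(g.pages[2][:15])
```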

Description

Technical field

[0001] The invention belongs to the field of operating system security, in particular to a rootkit detection mechanism and detection method based on a kernel virtual machine (KVM for short).

Background technique

[0002] As computer technology has become more deeply applied, performance is no longer the main focus of computer technology and research; it has been replaced by high reliability and security of the system. A computer failure or security risk may cause immeasurable losses to the applications running on it. A rootkit, as malicious code running in the kernel mode of the operating system, can hide processes, files and communication connections on behalf of upper-layer applications. Once a backdoor program makes use of a rootkit, it can evade system administrators and monitoring programs to achieve its own ends, thus endangering key applications.

[0003] The existing detection mechanism for Rootkit mainly has two m...
