Kernel mode Rootkit detection method based on system virtualization technology

A technology that combines system virtualization with a detection method, applied in the field of kernel-mode rootkit detection. It addresses the problem of detection tools being defeated by rootkits and achieves the effect of guaranteeing the authenticity of the detection result.

Active Publication Date: 2013-09-18
HARBIN INST OF TECH SHENZHEN GRADUATE SCHOOL

AI Technical Summary

Problems solved by technology

Traditional detection of kernel-mode rootkits relies mainly on signature scanning and kernel integrity checking, but as kernel-mode rootkits continue to evolve, these detection tools are frequently disabled or evaded by the rootkits they are meant to find.



Embodiment Construction

[0025] The present invention is further described below in conjunction with the drawings.

[0026] The English abbreviations used in this document have the following meanings:

[0027] 1) Rootkit: a Rootkit is a special kind of malicious software whose purpose is to hide itself, as well as designated files, processes, network connections and other information, on the target it is installed on. Rootkits are commonly used together with other malicious programs such as Trojan horses and backdoors. A Rootkit modifies the system kernel by loading a special driver in order to conceal this information.

[0028] 2) LKM (Linux Kernel Module): a program that can be dynamically loaded into the Linux kernel.

[0029] 3) LKM Rootkit: a rootkit that can be loaded directly into the Linux kernel, that is, a kernel-mode rootkit.

[0030] 4) module_list: the module (driver) list, which records the information of all modules...


Abstract

The invention provides a kernel-mode Rootkit detection method based on system virtualization technology. The Rootkit principle, system calls and the LKM (Loadable Kernel Module) mechanism are analysed in depth to obtain the behavioural characteristic of kernel-mode Rootkits: hiding their own module information. Targeting this characteristic, a Rootkit detection method based on cross-view validation is designed. The Xen kernel is modified to intercept system calls, from which a trusted view is constructed. An infected view is constructed with a user-mode tool running in the target guest. Hidden modules are found by comparing the trusted view with the infected view.
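The cross-view comparison the abstract describes, written out as an added example; this is not code from the patent or its implementation. It replays a constructed log of the module load/unload system calls (init_module, finit_module, delete_module) that a hypervisor-side interceptor would record, to form the trusted view; parses a constructed /proc/modules listing (what the guest's lsmod reads) for the infected view; and reports every module present in the first but absent from the second. The event log, the module listing, the name evil_lkm and all function names are this example's own and stand in for what the Xen-side interceptor and the guest tool would produce.

```c
#include <stdio.h>
#include <string.h>

#define MAX_MODS 64
#define NAME_LEN 64

/* Constructed sample: module load/unload syscalls a hypervisor-side interceptor
 * would record for the guest ("syscall module_name" per line); "evil_lkm" is a
 * made-up name standing in for the rootkit's own module. */
static const char *TRUSTED_EVENTS =
    "init_module nf_conntrack\n"
    "init_module ext4\n"
    "finit_module evil_lkm\n"
    "init_module e1000\n"
    "delete_module nf_conntrack\n";

/* Constructed sample: the guest's /proc/modules (what lsmod reads) after the
 * rootkit has unlinked itself from module_list. */
static const char *INFECTED_PROC_MODULES =
    "ext4 573440 1 - Live 0xffffffffc0000000\n"
    "e1000 163840 0 - Live 0xffffffffc0100000\n";

struct modset { char names[MAX_MODS][NAME_LEN]; int n; };

static int modset_find(const struct modset *s, const char *name)
{
    for (int i = 0; i < s->n; i++)
        if (strcmp(s->names[i], name) == 0) return i;
    return -1;
}
static int modset_add(struct modset *s, const char *name)
{
    if (modset_find(s, name) >= 0) return 0;     /* already recorded */
    if (s->n >= MAX_MODS) return -1;
    snprintf(s->names[s->n++], NAME_LEN, "%s", name);
    return 0;
}
static void modset_del(struct modset *s, const char *name)
{
    int i = modset_find(s, name);
    if (i < 0) return;
    if (i != s->n - 1)                           /* move last entry into the hole */
        memcpy(s->names[i], s->names[s->n - 1], NAME_LEN);
    s->n--;
}

/* Copy the next line of *cur into buf (newline stripped); returns 0 at end. */
static int next_line(const char **cur, char *buf, size_t len)
{
    const char *p = *cur, *nl = strchr(p, '\n');
    size_t n = nl ? (size_t)(nl - p) : strlen(p);
    if (*p == '\0') return 0;
    if (n >= len) n = len - 1;
    memcpy(buf, p, n);
    buf[n] = '\0';
    *cur = nl ? nl + 1 : p + strlen(p);
    return 1;
}

/* Trusted view: replay the intercepted syscalls. Returns module count or -1. */
int build_trusted_view(const char *events, struct modset *out)
{
    char line[160], op[32], name[NAME_LEN];
    out->n = 0;
    while (next_line(&events, line, sizeof line)) {
        if (sscanf(line, "%31s %63s", op, name) != 2) continue;
        if (!strcmp(op, "init_module") || !strcmp(op, "finit_module")) {
            if (modset_add(out, name) < 0) return -1;
        } else if (!strcmp(op, "delete_module")) {
            modset_del(out, name);           /* a legitimate unload is not hidden */
        }
    }
    return out->n;
}

/* Infected view: the first field of each /proc/modules line is the name. */
int build_infected_view(const char *proc_modules, struct modset *out)
{
    char line[160], name[NAME_LEN];
    out->n = 0;
    while (next_line(&proc_modules, line, sizeof line))
        if (sscanf(line, "%63s", name) == 1 && modset_add(out, name) < 0)
            return -1;
    return out->n;
}

/* Cross-view validation: loaded according to the hypervisor but absent from the
 * guest's own listing means hidden. Returns the number of hidden modules. */
int find_hidden_modules(const struct modset *trusted,
                        const struct modset *infected, struct modset *hidden)
{
    hidden->n = 0;
    for (int i = 0; i < trusted->n; i++)
        if (modset_find(infected, trusted->names[i]) < 0)
            modset_add(hidden, trusted->names[i]);
    return hidden->n;
}

/* Run the comparison on the constructed samples; returns hidden count or -1. */
int detect_sample(struct modset *hidden)
{
    struct modset trusted, infected;
    if (build_trusted_view(TRUSTED_EVENTS, &trusted) < 0 ||
        build_infected_view(INFECTED_PROC_MODULES, &infected) < 0)
        return -1;
    return find_hidden_modules(&trusted, &infected, hidden);
}
```

On the sample data detect_sample reports exactly one hidden module, evil_lkm, because the interceptor saw it loaded and never unloaded while the guest's own listing omits it; nf_conntrack is not reported because its delete_module was replayed too. Two points matter in practice: the trusted view is only trustworthy because it is collected in the hypervisor, outside the reach of the guest kernel that the rootkit controls; and both views must describe the same instant (for example with the guest paused between the two captures), otherwise a module legitimately unloaded between them shows up as a false positive.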

Description

Technical field

[0001] The invention relates to the field of cloud computing security, in particular to a kernel-mode rootkit detection technology based on system virtualization technology in a cloud computing environment.

Background technique

[0002] In recent years, cloud computing services based on virtual machine technology have developed rapidly, and more and more users adopt cloud computing services and migrate their data to cloud computing centres. At the same time, new forms of attack have emerged, such as cross-virtual-machine attacks using Rootkit technology. How to detect malicious code and other malicious attacks with the help of virtual machine technology in a virtualized environment, so as to ensure the security of cloud computing centres, has therefore become an important issue. Rootkits are the most difficult type of malware to detect. They are mainly installed on the target system by malicious attackers; by modifying important system files or the kernel of the target system, a rootkit can hide attack in...


Application Information

Patent Type & Authority: Applications (China)
IPC: IPC(8): G06F21/56
Inventor: 王轩丁宇新李晔张加佳赵海楠于成龙刘猛李鑫鑫张自力
Owner: HARBIN INST OF TECH SHENZHEN GRADUATE SCHOOL