The Study Of Malware Analysis Technology Based On Virtual Machine Introspection

Posted on: 2016-03-24
Degree: Master
Type: Thesis
Country: China
Candidate: C Y Li
GTID: 2348330536467471
Subject: Computer Science and Technology

Abstract/Summary:
Cloud computing delivers convenient, inexpensive computing services over the Internet, but users remain concerned about its security. Virtualization, the technology that underpins cloud computing, carries risks inside the virtual machine itself, and a compromised virtual machine threatens the whole cloud system. This thesis applies virtual machine introspection (VMI) to detect and monitor malware running in virtual machines in a virtualized environment. The main work is as follows.

First, the thesis proposes a prototype malware analysis method based on virtual machine introspection. The relative virtual addresses of the key kernel data structures are obtained by parsing the kernel's debugging (symbol) file; once the kernel's base address in guest memory has been computed, the memory layout of the kernel's functions is known. Each kernel module and function is then monitored by placing breakpoints on its calls: writes to the CR3 register are monitored to capture process context-switch events, the loaded modules and their functions are traversed, and INT3 breakpoints are injected into the functions to be monitored. When the virtual machine goes on to execute one of these functions, execution is hijacked by the introspection mechanism's monitoring process, which extracts the system call sequence and related information. The n-gram method is used to generate clustering features: the sequence data are converted into vectors, the similarity between different behaviours is computed from those vectors, and on that basis a clustering algorithm is applied to analyse the system call sequences. Experimental results verify the validity of the method.

Second, the thesis proposes an isolated virtual machine model for introspection. The basic idea is to migrate the VMI module, which originally ran in the privileged domain, into a user domain, so that a dedicated VMI virtual machine performs the monitoring of the other user-domain virtual machines. This reduces the trusted computing base of the privileged domain and, with it, both the likelihood of the privileged domain being attacked and the damage an attack can cause. Experiments show that the model can still perform the introspection task with no loss of functionality; because the user domain running VMI has lower access privilege than the privileged domain, execution performance drops somewhat, but it remains within an acceptable range.

In conclusion, this thesis proposes and implements malware analysis in virtual machines using virtual machine introspection, and on that basis proposes an isolated VMI model that improves the security of virtual machine introspection. Related experiments demonstrate its feasibility and efficiency, and system performance has been improved as well.
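The breakpoint mechanism described above (symbol RVA plus kernel base gives the function address, INT3 is written there, and the trap is attributed to a process by the current CR3) can be modelled in user space. The following is an added example written for this page, not code from the thesis: guest memory is a bytearray, and the symbol table, kernel base, CR3 values and Windows-style Nt* function names are all constructed assumptions. A real introspector would read guest memory through the hypervisor and receive the CR3-write and #BP exits from it instead of from the `run` loop here. One detail worth seeing in code is that after INT3 fires the guest's RIP already points one byte past the breakpoint, so the lookup and the resume address both use `rip - 1`.

```python
"""INT3-based monitoring of guest kernel functions, modelled in user space.

Added example, not the thesis's code. Guest memory, symbols, kernel base and
the event stream are constructed; the hypervisor normally supplies all of them.
"""
from collections import defaultdict

INT3 = 0xCC  # one-byte x86 breakpoint opcode

# Constructed: RVAs a tool would parse from the kernel's debug/symbol file.
KERNEL_SYMBOLS = {
    "NtCreateFile":  0x1000,
    "NtWriteFile":   0x1040,
    "NtOpenProcess": 0x1080,
}
KERNEL_BASE = 0xFFFFF80000000000  # constructed load address of the guest kernel
MEM_SIZE = 0x2000                  # bytes of guest kernel text modelled here


class GuestMemory:
    """Flat view of guest kernel text starting at KERNEL_BASE."""

    def __init__(self):
        self.mem = bytearray(b"\x90" * MEM_SIZE)  # NOP filler
        for rva in KERNEL_SYMBOLS.values():
            self.mem[rva] = 0x48  # a distinguishable first byte (REX.W prefix)

    def read8(self, va):
        return self.mem[va - KERNEL_BASE]

    def write8(self, va, b):
        self.mem[va - KERNEL_BASE] = b


class Introspector:
    def __init__(self, guest, symbols, kernel_base):
        self.guest = guest
        self.cr3 = None
        self.bp = {}                      # VA -> (function name, original byte)
        self.traces = defaultdict(list)   # CR3 -> system call sequence
        for name, rva in symbols.items():
            va = kernel_base + rva        # VA = image base + RVA from the symbol file
            self.bp[va] = (name, guest.read8(va))
            guest.write8(va, INT3)

    def on_cr3_write(self, new_cr3):
        """CR3 write exit: a new page-table base means a process context switch."""
        self.cr3 = new_cr3

    def on_breakpoint(self, rip):
        """#BP exit. RIP already points past the 1-byte INT3, so the breakpoint
        that fired sits at rip - 1. Returns the address to resume at, or None
        when the trap is not ours and must be delivered to the guest."""
        va = rip - 1
        if va not in self.bp:
            return None
        name, orig = self.bp[va]
        self.traces[self.cr3].append(name)
        self.guest.write8(va, orig)   # restore the overwritten first byte
        return va                     # rewind RIP so that byte is executed, not skipped

    def rearm(self, va):
        """After the guest single-stepped the original instruction, reinsert INT3."""
        self.guest.write8(va, INT3)


def run(call_sites):
    """Drive the model with constructed events: (cr3, VA about to execute)."""
    guest = GuestMemory()
    vmi = Introspector(guest, KERNEL_SYMBOLS, KERNEL_BASE)
    for cr3, va in call_sites:
        if cr3 != vmi.cr3:
            vmi.on_cr3_write(cr3)
        if guest.read8(va) == INT3:
            resume = vmi.on_breakpoint(va + 1)   # hypervisor reports RIP after INT3
            assert resume == va and guest.read8(va) != INT3
            vmi.rearm(va)                        # guest executed one instruction
    return {cr3: list(seq) for cr3, seq in vmi.traces.items()}, guest


SAMPLE_EVENTS = [  # constructed: two processes interleaved
    (0x1A000, KERNEL_BASE + 0x1000),
    (0x1A000, KERNEL_BASE + 0x1040),
    (0x2B000, KERNEL_BASE + 0x1080),
    (0x1A000, KERNEL_BASE + 0x1040),
    (0x2B000, KERNEL_BASE + 0x0500),  # unmonitored address: no breakpoint, no record
]

if __name__ == "__main__":
    traces, _ = run(SAMPLE_EVENTS)
    for cr3, seq in traces.items():
        print(hex(cr3), seq)
```

The per-CR3 grouping is what turns one stream of breakpoint hits into one system call sequence per process; the re-arm step is the part that a real implementation has to synchronize with a single-step exit, since the original byte must be back in place before the guest runs it.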
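The n-gram step in the first part of the thesis (sequences to vectors, vector similarity, then clustering) is shown below as an added example, not the thesis's code. The traces are constructed stand-ins for sequences an introspector would extract; the n-gram length of 2, the cosine measure, single-linkage merging and the 0.5 threshold are assumptions, since the abstract does not state which similarity or clustering algorithm was used.

```python
"""n-gram vectorisation and clustering of system call sequences.

Added example, not the thesis's code. Traces are constructed; n-gram length,
similarity measure, linkage and threshold are assumptions.
"""
from collections import Counter
from itertools import combinations
from math import sqrt


def ngrams(seq, n):
    """All length-n windows of a sequence, as tuples."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def vectorize(trace, n):
    """Sparse feature vector: n-gram -> occurrence count."""
    return Counter(ngrams(trace, n))


def cosine(a, b):
    """Cosine similarity of two sparse count vectors (0.0 if either is empty)."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = sqrt(sum(v * v for v in a.values()))
    nb = sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def cluster(vectors, threshold):
    """Single-linkage agglomerative clustering on cosine similarity.
    Repeatedly merges the two clusters whose closest members are most similar
    and stops when no pair reaches `threshold`. Returns lists of trace indices."""
    clusters = [[i] for i in range(len(vectors))]
    while len(clusters) > 1:
        sim, x, y = max(
            ((max(cosine(vectors[i], vectors[j]) for i in clusters[x] for j in clusters[y]), x, y)
             for x, y in combinations(range(len(clusters)), 2)),
            key=lambda t: t[0],
        )
        if sim < threshold:
            break
        clusters[x].extend(clusters[y])   # x < y, so deleting y keeps x valid
        del clusters[y]
    return [sorted(c) for c in clusters]


def analyze(traces, n=2, threshold=0.5):
    """Full pipeline: traces -> n-gram vectors -> behaviour clusters."""
    vectors = [vectorize(t, n) for t in traces]
    return cluster(vectors, threshold)


# Constructed traces (Windows-style Nt* names for readability):
# 0,1: file-rewriting loop; 2,3: remote-thread injection; 4: idle polling.
FILE_LOOP = ["NtOpenFile", "NtReadFile", "NtWriteFile", "NtClose"]
SAMPLE_TRACES = [
    FILE_LOOP * 3,
    FILE_LOOP * 3 + ["NtSetInformationFile"],
    ["NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtCreateThreadEx"],
    ["NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtCreateThreadEx", "NtClose"],
    ["NtQuerySystemInformation", "NtDelayExecution"] * 4,
]

if __name__ == "__main__":
    print(analyze(SAMPLE_TRACES))  # [[0, 1], [2, 3], [4]]
```

Counting n-grams rather than single calls is what separates traces 0 and 2 here: both contain `NtClose`, but none of their bigrams overlap, so their cosine similarity is exactly zero, while the two file-loop traces differ by one call and stay above 0.98.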
Keywords/Search Tags: Cloud computing security, virtual machine introspection, system call extraction, malware analysis