Research On Test Platform For Anti-malware Products Based On Virtual Machine Introspection

Posted on: 2019-04-12
Degree: Master
Type: Thesis
Country: China
Candidate: P F Niu
Full Text: PDF
GTID: 2348330566964283
Subject: Computer Science and Technology

Abstract/Summary:
With the development of Internet technology, computer viruses, Trojans and other malware also evolve constantly, and the cyber-security situation grows more severe. To deal with increasingly complex and changeable threats, anti-malware technology and products keep improving their real-time defensive capability. However, the existing evaluation system for anti-malware products has not kept pace with this rapid development: it cannot evaluate products in a continuous, accurate and comprehensive way. A more objective and scientific evaluation system for anti-malware products is therefore needed, one that can promote the development of the anti-malware industry and raise the level of protection in cyber security.

This thesis analyses current domestic and international test methods for anti-malware products together with virtual machine introspection (VMI) technology and, to address the shortcomings of the current evaluation system, proposes a novel test method for anti-malware products based on VMI. The main work and results are as follows:

(1) Virtualization technology was studied and a method of building a test platform on it was put forward. The platform provides a continuous evaluation environment for anti-malware products and uses resources efficiently, since virtual machines can be allocated dynamically according to the needs of each test case and the requirements of real-world tests. If a hardware failure, system halt or similar emergency occurs during evaluation, the environment can be restored quickly from the saved state of the virtual machines. This solves a problem of the traditional method, in which physical machines cannot provide a continuous evaluation environment.

(2) VMI technology was studied and a method of capturing data out-of-VM was put forward. It isolates the anti-malware product from the detection module, which improves both the accuracy of the detection data and the safety of the detection module. Only the anti-malware products under test are deployed in the guest virtual machines (DomU); no agent needs to be installed in DomU. The detection module and the introspection module are deployed in domain 0 (Dom0) and in the Virtual Machine Monitor (VMM), which are more secure and run at a higher privilege level. This solves the problem that the traditional test method cannot guarantee the accuracy of the evaluation data, because malware running in the same operating system as the detection module can disturb and attack it.

(3) VMI and anti-malware test technology were studied and a parallel test method based on virtual machines was put forward, which realizes a comprehensive, multi-dimensional evaluation of anti-malware products. Because current evaluation methods are based on physical machines, each test can obtain only part of a product's functional characteristics, and it is difficult to evaluate a product comprehensively and across multiple dimensions in a single pass. We therefore make full use of the characteristics of the virtualization platform: rich resources, dynamic expansion, and efficient and convenient management and maintenance. We put forward a comprehensive evaluation method that combines several VMI techniques. The platform can inspect the target system and the product under test in multiple fine-grained dimensions, reading the memory, disk and network state of virtual machines out-of-VM, and thus provides a comprehensive test of anti-malware products.

Based on these results, we built the test platform for anti-malware products on VMI technology and carried out the related testing work. Experiments show that rootkit malware can be detected effectively. By evaluating the real-time protective ability and performance of anti-malware products, the platform reveals problems such as missed detections (false negatives) and failures to remove detected malware, which are hard to find with traditional testing methods. This novel method improves the ability to test anti-malware products. The next step is to improve testing efficiency and automatic configuration, so that multiple products can be tested continuously and automatically in a horizontal comparison.
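The out-of-VM memory inspection in item (2) and the rootkit detection reported in the experiments rest on one idea: the introspection module in Dom0 reconstructs the guest's process list from raw guest memory and compares it with what the guest itself reports, so a process that a rootkit has unlinked inside DomU still shows up from outside. The Python script below is an added example illustrating that cross-view comparison; it is not code from the thesis or its platform. The guest memory image, the task-struct layout (pid, next pointer, 16-byte name) and the in-guest process listing are all constructed here so the script runs offline; a real probe would read guest memory through a VMI library such as LibVMI and take the structure offsets from the guest kernel's symbols.

```python
"""Cross-view hidden-process detection over a raw guest memory image.

Added example, not code from the thesis. Everything below (memory image,
task layout, in-guest `ps` output) is constructed so it runs offline.
"""
import struct

# Hypothetical (constructed) guest task struct, 32 bytes each:
#   0x00  u32 pid
#   0x04  u32 next   (guest-physical address of the next task; 0 = end)
#   0x08  char[16] comm (NUL-padded process name)
#   0x18  8 bytes padding
TASK_FMT = "<II16s8x"
TASK_SIZE = struct.calcsize(TASK_FMT)      # 32
INIT_TASK_PA = 0x1000                      # where the image places the head


def build_guest_image():
    """Constructed 16 KiB 'guest physical memory' dump.

    All four tasks stay chained through `next`: a DKOM rootkit hides a
    process from the guest's own tools, but the raw list in memory, which
    is what the out-of-VM walker reads, still contains it.
    """
    mem = bytearray(0x4000)
    tasks = [(1, "init"), (312, "sshd"), (4242, "rk_backdoor"), (515, "avscan")]
    addrs = [INIT_TASK_PA + i * TASK_SIZE for i in range(len(tasks))]
    for i, (pid, comm) in enumerate(tasks):
        nxt = addrs[i + 1] if i + 1 < len(tasks) else 0
        struct.pack_into(TASK_FMT, mem, addrs[i], pid, nxt, comm.encode())
    return bytes(mem)


def make_cyclic(mem):
    """Constructed corruption: point the last task's `next` back at the
    head, the kind of damage a walker must survive without looping."""
    m = bytearray(mem)
    last = INIT_TASK_PA + 3 * TASK_SIZE
    struct.pack_into("<I", m, last + 4, INIT_TASK_PA)
    return bytes(m)


def walk_task_list(mem, head_pa, max_tasks=4096):
    """Out-of-VM view: rebuild {pid: comm} by walking raw bytes.

    Every pointer is bounds-checked against the image and every visited
    address is remembered, so a bogus or cyclic list cannot crash or
    hang the detection module that runs in Dom0.
    """
    seen = set()
    procs = {}
    pa = head_pa
    while pa and pa not in seen and len(seen) < max_tasks:
        if pa + TASK_SIZE > len(mem):
            raise ValueError(f"task pointer 0x{pa:x} outside guest image")
        seen.add(pa)
        pid, nxt, comm = struct.unpack_from("<II16s", mem, pa)
        procs[pid] = comm.split(b"\0", 1)[0].decode(errors="replace")
        pa = nxt
    return procs


def in_guest_view():
    """Constructed output of the guest's own `ps`: the rootkit has hidden
    pid 4242 from whatever the in-guest tools read, so it is absent."""
    return {1: "init", 312: "sshd", 515: "avscan"}


def cross_view_diff(vmi_view, guest_view):
    """Processes present in the introspected list but not reported by the
    guest are hidden (rootkit indicator); the reverse set catches a
    guest that reports processes the kernel no longer knows about."""
    hidden = {p: n for p, n in vmi_view.items() if p not in guest_view}
    phantom = {p: n for p, n in guest_view.items() if p not in vmi_view}
    return hidden, phantom


if __name__ == "__main__":
    image = build_guest_image()
    hidden, phantom = cross_view_diff(walk_task_list(image, INIT_TASK_PA),
                                      in_guest_view())
    for pid, name in hidden.items():
        print(f"hidden process: pid={pid} comm={name}")
    print(f"phantom processes: {phantom}")
```

The same comparison generalises to any guest structure the platform introspects: sockets read from kernel memory versus `netstat` output inside DomU, or directory entries read from the disk image versus `ls` inside the guest. The walker deliberately trusts nothing in the image, since a rootkit that controls the guest kernel also controls every pointer the introspection module follows.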
Keywords/Search Tags:Virtual Machine Introspection Technology, Anti-malware Products, Continuous Evaluation, Secure Isolation, Comprehensive Test Dimension