
Research On Cloud Security Monitoring Methods Based On Process Detection

Posted on: 2019-01-18
Degree: Master
Type: Thesis
Country: China
Candidate: F Wu
Full Text: PDF
GTID: 2428330548994996
Subject: Computer Science and Technology
Abstract/Summary:
Cloud computing and virtualization technologies are used more and more widely in daily life, and attacks on virtual machines in the cloud are increasing as well. Among them, malicious code attacks on virtual machines are particularly prominent and seriously threaten users' data security. To ensure reliable service, a safe and reliable method of monitoring virtual machines is urgently needed. There are two main approaches to virtual machine monitoring: internal monitoring and external monitoring. Internal monitoring places the monitoring module inside the virtual machine, where it is not transparent to the virtual machine and is easy to attack; once compromised, it loses the purpose of its existence. External monitoring places the monitoring module outside the virtual machine, so an attack on the virtual machine cannot directly reach the monitoring module; this protects the monitoring module from attack and provides a more secure and reliable monitoring service. Any attack behaviour must be executed, and the running entities in a virtual machine are all processes, so monitoring a virtual machine only requires monitoring the processes inside it. Therefore, this paper monitors the virtual machine by monitoring its processes. First, to solve the problem that process detection is not comprehensive, a process detection method based on an active process list is proposed. The page-directory base address held in CR3 for a process is unique and unchanging over the life of that process, and when a process is scheduled in, the page-directory base address in CR3 changes to that process's value. The method obtains process information from CR3 and ESP. Thus the active-process-list detection method proposed in this paper can obtain a more comprehensive process list and provide more comprehensive raw data for malicious process analysis, thereby improving the accuracy of identifying malicious processes. Second, to address the problems of many training parameters, complex parameters and poor classification performance, the paper proposes a malicious process analysis method based on a proximity matrix, built on deep forest. This method calculates the similarity between samples with a proximity matrix, divides the samples into a high-similarity sample set and an ambiguous sample set according to a high-similarity ratio, and then samples from these two sets separately to train decision trees; this reduces the similarity between decision trees and improves the generalization ability of the forest, so as to improve the accuracy of malicious process classification and reduce the false negative and false positive rates. Finally, the proposed methods are verified experimentally. The experimental results show that the process detection method based on the active process list achieves a higher process detection rate than other traditional methods, which demonstrates that it obtains a more comprehensive process list than those methods. Compared with other malicious process analysis methods, the deep-forest malicious process analysis method based on the proximity matrix proposed in the paper achieves good results in accuracy, false positive rate and false negative rate.
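As an added illustration of the cross-view idea behind the active process list (this is not the thesis's own code), the following Python assumes a hypervisor-side trace of the CR3 values written at each context switch and a process list reported by the guest's own kernel; a page-directory base that was scheduled but is absent from the guest list is a process the in-guest view does not show. The trace values, PIDs and names are constructed for the example.

```python
from dataclasses import dataclass

CR3_FLAG_MASK = 0xFFF  # low 12 bits of CR3 are flags/PCID, not the base


def page_directory_base(cr3):
    """Page-directory base address: CR3 with the low flag bits masked off."""
    return cr3 & ~CR3_FLAG_MASK


@dataclass
class ActiveProcess:
    base: int            # page-directory base address (process identity)
    first_seen: int      # trace index at which it was first scheduled in
    last_seen: int
    schedule_count: int = 0


def build_active_process_list(cr3_trace):
    """Derive the active process list from the CR3 values the hypervisor
    observed at context switches; only base changes count as schedule events."""
    procs = {}
    prev = None
    for i, cr3 in enumerate(cr3_trace):
        base = page_directory_base(cr3)
        if base == prev:
            continue
        proc = procs.get(base)
        if proc is None:
            proc = procs[base] = ActiveProcess(base, i, i)
        proc.last_seen = i
        proc.schedule_count += 1
        prev = base
    return procs


def find_unreported(active, guest_reported):
    """Bases that were scheduled (hypervisor view) but are missing from the
    guest-reported process list: candidates for hidden processes."""
    reported = {page_directory_base(p["cr3"]) for p in guest_reported}
    return sorted(base for base in active if base not in reported)


# Constructed sample data: CR3 values, PIDs and names are made up (hypothetical).
SAMPLE_TRACE = [0x1A000, 0x1A008, 0x2B000, 0x3C000, 0x2B000, 0x4D000, 0x1A000, 0x4D000]
SAMPLE_GUEST_LIST = [
    {"pid": 1, "name": "init", "cr3": 0x1A000},
    {"pid": 42, "name": "sshd", "cr3": 0x2B000},
    {"pid": 77, "name": "bash", "cr3": 0x3C000},
]


def demo():
    """Run the cross-view check on the constructed sample."""
    return find_unreported(build_active_process_list(SAMPLE_TRACE), SAMPLE_GUEST_LIST)
```

In the sample, base 0x4D000 is scheduled twice by the hypervisor's count but never reported by the guest, so it is flagged for further analysis.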
Keywords/Search Tags: Virtual machine monitoring, Malicious process identification, Active process list, Proximity matrix, Deep forest