一种高效的面向虚拟桌面恶意代码检测机制

doi:10.3969/j.issn.0372-2112.2014.01.019

PDF(1438 KB)

电子学报 ›› 2014, Vol. 42 ›› Issue (1) : 119-124. DOI: 10.3969/j.issn.0372-2112.2014.01.019

学术论文

一种高效的面向虚拟桌面恶意代码检测机制

郭煜, 石勇

作者信息 +

An Effective Malicious Code Detection Mechanism for Virtual Desktop

GUO Yu, SHI Yong

Author information +

文章历史 +

摘要

与传统的恶意代码检测方式相比，面向虚拟桌面的恶意代码检测方法面临着性能方面的挑战，同一物理服务器上多个虚拟桌面同时开展恶意代码检测使得磁盘等硬件成为严重的IO性能瓶颈.本文提出了一种高效的虚拟桌面恶意代码检测方案，基于母本克隆技术的虚拟桌面恶意代码检测机制（MCIDS），MCIDS根据虚拟桌面系统的特点，通过系统映像网络存储克隆技术以及部署在网络存储系统中的恶意代码引擎减少虚拟桌面系统中的恶意代码检测范围，有效减少恶意代码检测所需的磁盘IO开销；同时MCIDS还克服了传统“Out-of-the-Box”安全检测机制存在的语义差别问题，改善了系统的安全性能.在原型系统上的实验显示该方法在技术上是可行的，与现有方法相比MCIDS具有较好的性能优势.

Abstract

Compared with traditional malicious codes detection mechanisms,detecting malicious codes in virtual desktop system faces serious performance challenge,multiple virtual desktops on a physical server conduct malicious code detection in parallel will face serious bottlenecks in the hardware devices with poor performance,such as hard disks.In this paper,we propose a malicious code detection mechanism for virtual desktop system,a malicious code detection mechanism based on mother-clone technology(MCIDS).Based on the characteristics of virtual desktops,MCIDS is designed to reduce the scope of mal-code detection by system image network storage clone technique and the mal-code detection engine deployed in network storage system,and this method effectively decreases the amount of disk IO operation caused by the detection of malicious codes,so that the performance of the system is improved greatly;In addition,MCIDS overcomes the semantic gap problem which often exists in traditional out-of-the-box security detection mechanisms.Experiments conducted on the prototype show that our method is technicallyfeasibleand the performance of MCIDS is better than other methods.

导出引用

郭煜, 石勇. 一种高效的面向虚拟桌面恶意代码检测机制[J]. 电子学报, 2014, 42(1): 119-124. https://doi.org/10.3969/j.issn.0372-2112.2014.01.019

GUO Yu, SHI Yong. An Effective Malicious Code Detection Mechanism for Virtual Desktop[J]. Acta Electronica Sinica, 2014, 42(1): 119-124. https://doi.org/10.3969/j.issn.0372-2112.2014.01.019

中图分类号： TP393.08

参考文献

[1] P Barham,B Dragovic,et al.Xen and the art of virtualization [A].Proceedings of the Nineteenth ACM Symposium on Operationg Systems Principles [C].NY,USA:ACM,2003.164-177.
[2] 俞能海,郝卓,徐甲甲,张卫明,张驰.云安全研究进展综述[J].电子学报,2013,41 (2):371-381. YU Neng-hai,HAO Zhuo,XU Jia-jia,ZHANG Wei-ming,ZHANG Chi.Review of cloud computing security[J].Acta Electronica Sinica,2013,41 (2):371-381.(in Chinese)
[3] 李建敦,彭俊杰,张武.云存储中一种基于布局的虚拟磁盘节能调度方法[J].电子学报,2012,40 (11):2247-2254. LI Jian-dun,PENG Jun-jie,ZHANG Wu.A layout-based energy-aware approach for virtual disk scheduling in cloud storage[J].Acta Electronica Sinica,2012,40 (11):2247-2254.(in Chinese)
[4] Alarifi S S,Wolthusen S D.Detecting anomalies in IaaS environments through virtual machine host system call analysis [A].Internet Technology And Secured Transactions,International Conference for IEEE [C].USA:IEEE,2012.211-218.
[5] Ibrahim A S,Hamlyn-Harris J,Grundy J, Almorsy M.DIGGER:Identifying OS Kernel Objects for Run-time Security Analysis [OL].http://www.ict.swin.edu.au/personal/aibrahim/Pubs/NSS2012-61.pdf,2012.
[6] Chiueh T,Conover M,Montague B.Surreptitious deployment and execution of kernel agents in windows guests [A].Proceedings of the 12th IEEE/ACM International Symposium on Cluster,Cloud and Grid Computing (CCGRID) [C].USA:IEEE Computer Society,2012.507-514.
[7] T Garfinkel,M Rosenblum.A virtual machine introspection based architecture for intrusion detection [A].Proc of the 2003 Network and Distributed System Security Symposium [C].USA,2003.196-206.
[8] S T Jones,A CArpaci-Dusseau,R H Arpaci-Dusseau.Antfarm:Tracking processes in a virtual machine environment [A].Proceedings of the USENIX Annual Technical Conference [C].Boston,MA,USA,2006.1-14.
[9] Stephen T.Jones ,Andrea C Arpaci-Dusseau ,Remzi H Arpaci-Dusseau.VMM-based hidden process detection and identification using lycosid [A].Proceedings of the Fourth ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments [C].Seattle,WA,USA,2008.91-100.
[10] LLitty,H A Lagar-Cavilla,D Lie.Hypervisor support for identifying covertly executing binaries [A].Proceedings of the 17th Conference on Security Symposium [C].CA,USA,2008.243-258.
[11] A Dinaburg,P Royal,M Sharif,W Lee.Ether:Malware analysis via hardware virtualization extensions [A].Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS) [C].Alexandria,VA,2008.51-62.
[12] Peter M Chen,Brian D Noble.When virtual is better than real [A].In 8th Workshop on Hot Topics in Operating Systems,HotOS VIII [C].SchossElmau,Germany,2001.133-134.
[13] X Jiang,DXu,X Wang.Stealthy malware detection through VMM-based "out-of-the-box" semantic view reconstruction [A].Proceedings of the ACM Conference on Computer and Communications Security [C].Alexandria,VA,USA,2007.128-138.
[14] Bryan D Payne,Martim Carbone,Wenke Lee.Secure and flexible monitoring of virtual machines [A].Proceedings of the Annual Computer Security Applications Conference [C].Miami Beach,Florida,USA,2007.385-397.
[15] BD Payne,M Carbone,M Sharif,W Lee.Lares:an architecturefor secure active monitoring using virtualization [A].In SP'08:Proc of the 2008 IEEE Symposium on Security and Privacy [C].Washington DC,USA,2008.233-247.
[16] M Sharif,W Lee,W Cui,A Lanzi.Secure in-VMMonitoring using hardware virtualization [A].Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS ’09) [C].Hyatt Regency Chicago,Chicago,IL,USA,2009.477-487.
[17] IOPS〔OL〕.http://en.wikipedia.org/wiki/IOPS.
[18] Copy-on-write〔OL〕.http://en.wikipedia.org/wiki/Copy-on-write.