Abstract (English)
With the rapid development of the Internet, enterprises are migrating their services to the cloud. Virtualization technology plays an important role in the cloud: by adding a special software layer, the Virtual Machine Monitor (hypervisor), above the hardware, the server's hardware resources are abstracted so that a single server appears to run multiple Virtual Machines (VMs) at the same time, which greatly improves the efficiency of the server. As virtualization technology has matured, Virtual Machine Introspection (VMI) has been proposed. VMI obtains the state of a VM through the hypervisor and further defines features of that state in order to capture events when the VM is in a specific state. When the VM state matches a defined event, an alert is issued and the handling method defined for that event is executed.
The system proposed in this paper targets the detection and removal of DKOM rootkits (Direct Kernel Object Manipulation rootkits) and the objects they hide. It proposes a Hidden Behavior based Anomaly Detection (HBRAD) mechanism, which uses VMI to examine each instruction executed in the VM to determine whether an event is triggered; after the alert, the VM state is analyzed and a trusted view is constructed. At the same time, the data required by the HBRAD mechanism is obtained through VMI from the VM's internal untrusted view, and the untrusted view is compared with the trusted view to find the hidden objects and remove them.
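The cross-view comparison the abstract describes, as an added Python example that is not the thesis's own code: a constructed guest memory image holds a circular list of toy task records; the untrusted view walks the list the way guest tools do, the trusted view scans raw memory with invariant checks the way a hypervisor-side introspection tool can, and the difference between the two is the hidden object. The record layout, addresses, PIDs and task names are all assumptions.

```python
import struct

# Toy record layout (assumed, not the real task_struct): pid u32, next u64, prev u64, comm[16].
REC = struct.Struct("<IQQ16s")
BASE = 0x1000  # constructed load address of the first record

def build_guest_memory(visible, hidden):
    """Constructed guest memory: every task has a record, but only the visible ones are
    chained into the circular list; hidden records keep stale pointers to former
    neighbours, which is what a DKOM unlink leaves behind. Needs >= 2 visible tasks."""
    tasks = visible + hidden
    mem = bytearray(BASE + len(tasks) * REC.size)
    addr = {pid: BASE + i * REC.size for i, (pid, _) in enumerate(tasks)}
    n = len(visible)
    for i, (pid, comm) in enumerate(visible):
        nxt, prv = addr[visible[(i + 1) % n][0]], addr[visible[i - 1][0]]
        REC.pack_into(mem, addr[pid], pid, nxt, prv, comm.encode())
    for pid, comm in hidden:
        REC.pack_into(mem, addr[pid], pid, addr[visible[1][0]], addr[visible[0][0]], comm.encode())
    return mem

def untrusted_view(mem, head=BASE):
    """Guest-side view: what ps reports, i.e. a walk of the linked list."""
    view, a = {}, head
    while True:
        pid, nxt, _prv, comm = REC.unpack_from(mem, a)
        view[pid] = comm.rstrip(b"\0").decode()
        a = nxt
        if a == head:
            return view

def trusted_view(mem):
    """Hypervisor-side view: scan raw memory for plausible records instead of following
    the guest's links (psscan-style invariants: non-zero pid, both pointers inside the
    record region and record-aligned)."""
    lo, hi = BASE, len(mem)
    ok = lambda p: lo <= p < hi and (p - lo) % REC.size == 0
    view = {}
    for a in range(lo, hi - REC.size + 1, 4):
        pid, nxt, prv, comm = REC.unpack_from(mem, a)
        if pid and ok(nxt) and ok(prv):
            view[pid] = comm.rstrip(b"\0").decode()
    return view

def hidden_objects(trusted, untrusted):
    """Cross-view comparison: objects the hypervisor sees but the guest does not report."""
    return {pid: comm for pid, comm in trusted.items() if pid not in untrusted}

if __name__ == "__main__":
    mem = build_guest_memory([(1, "init"), (2, "kthreadd"), (700, "sshd")], [(4242, "nc")])
    print(hidden_objects(trusted_view(mem), untrusted_view(mem)))  # {4242: 'nc'}
```

A real implementation would read the guest's physical memory through a library such as LibVMI and take the record offsets from the guest kernel's debug symbols; the comparison step is the same.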