Abstract: With the rapid growth of the Internet, major enterprises have long since migrated their services to the cloud. Virtualization plays a central role in cloud computing: a special piece of software, the hypervisor (Virtual Machine Monitor), is added on top of the server hardware to abstract the hardware resources, so that one server appears to run multiple virtual machines (VMs) at the same time, which greatly improves server utilization. Alongside this, Virtual Machine Introspection (VMI) has been proposed. VMI obtains the state of a VM through the hypervisor, defines features of the VM state so that events in particular states can be captured, issues a notification when the VM state matches a defined event, and executes the handling defined for that event. The system proposed in this thesis targets the detection and removal of DKOM-Rootkit (Direct Linux Kernel Object Manipulation Rootkit) and the objects it hides, and proposes a Hidden Behavior based Anomaly Detection (HBRAD) mechanism: through VMI, every instruction executed in the VM is compared to decide whether an event is triggered; once triggered, the VM state is analyzed to construct a trusted view, while VMI also retrieves the information the mechanism needs from inside the VM to form an untrusted view. The two views are compared to find hidden objects, which are then removed.

With the rapid development of the Internet, enterprises are migrating their services to the cloud. Among the enabling technologies, virtualization plays an important role in the cloud. By adding a special piece of software, the Virtual Machine Monitor (hypervisor), on top of the hardware layer, the server's hardware resources are abstracted so that the server appears to run multiple Virtual Machines (VMs) at the same time, which greatly improves the efficiency of the server. As virtualization technology has matured, Virtual Machine Introspection (VMI) has been proposed. VMI can obtain the status of a VM through the hypervisor and further define features of the VM's state in order to capture events in a specific state. When the VM state matches a defined event, an alert is issued and the handling method defined for the event is executed. The system proposed in this thesis is aimed at the detection and removal of DKOM-Rootkit (Direct Linux Kernel Object Manipulation Rootkit) and its hidden objects, and proposes a Hidden Behavior based Anomaly Detection (HBRAD) mechanism, which compares each instruction executed in the VM through VMI to determine whether the event is triggered; after the alert, the VM state is analyzed and a trusted view is constructed. At the same time, the data required by the HBRAD mechanism is obtained from the VM's internal untrusted view through VMI, and the untrusted view is compared with the trusted view to find the hidden objects and remove them.
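The cross-view comparison described above, as an added toy model that is not the thesis's code: guest memory is modelled as a dict of constructed addresses to task records, the untrusted view walks the kernel task list the way in-guest tools do, and the trusted view is assumed here to come from scanning memory for task objects from outside the VM (the thesis does not state how its trusted view is built). `unlink_task` is a constructed fixture that models the list manipulation HBRAD is designed to detect.

```python
# Added example, not code from the thesis. All addresses and pids are constructed.
from dataclasses import dataclass


@dataclass
class Task:
    pid: int
    comm: str
    prev: int = 0   # address of previous task_struct in the tasks list
    next: int = 0   # address of next task_struct in the tasks list


def build_memory(specs):
    """Build a circular doubly linked task list from (pid, comm) pairs.
    Addresses are constructed (0x1000, 0x1100, ...). Returns (mem, head)."""
    mem = {}
    addrs = [0x1000 + 0x100 * i for i in range(len(specs))]
    for addr, (pid, comm) in zip(addrs, specs):
        mem[addr] = Task(pid, comm)
    for i, addr in enumerate(addrs):
        mem[addr].prev = addrs[i - 1]
        mem[addr].next = addrs[(i + 1) % len(addrs)]
    return mem, addrs[0]


def untrusted_view(mem, head):
    """What the guest's own tools report: follow the list pointers from init."""
    pids, addr = [], head
    while True:
        pids.append(mem[addr].pid)
        addr = mem[addr].next
        if addr == head:
            return pids


def trusted_view(mem):
    """Built from outside the VM: enumerate every task object present in
    memory instead of trusting the list pointers (assumed method)."""
    return sorted(t.pid for t in mem.values() if isinstance(t, Task))


def unlink_task(mem, addr):
    """Constructed fixture modelling DKOM-style hiding: the node is unlinked
    from the list but the object stays in memory and keeps being scheduled."""
    t = mem[addr]
    mem[t.prev].next = t.next
    mem[t.next].prev = t.prev


def hidden_tasks(mem, head):
    """Cross-view comparison: pids present in the trusted view but absent
    from the untrusted view are the hidden objects."""
    visible = set(untrusted_view(mem, head))
    return [pid for pid in trusted_view(mem) if pid not in visible]
```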