NCU Institutional Repository (中大機構典藏): theses and dissertations, past exam papers, journal articles and research projects available for download. Item 987654321/86569
RC Version 7.0 © Powered By DSPACE, MIT. Enhanced by NTU Library IR team.


    Please use the permanent URL to cite or link to this item: http://ir.lib.ncu.edu.tw/handle/987654321/86569


    Title: 雲環境中基於虛擬機自我檢查偵測DKOM-Rootkit隱藏行為之研究 (Using Virtual Machine Introspection to Detect Hidden Behavior of DKOM-Rootkit in Cloud Environment)
    Author: 謝明諺 (Hsieh, Ming Yen)
    Contributor: Department of Computer Science and Information Engineering
    Keywords: Cloud Computing; Virtualization; Virtual Machine Introspection; Linux Kernel; DKOM-Rootkit
    Date: 2021-07-28
    Upload time: 2021-12-07 12:58:59 (UTC+8)
    Publisher: National Central University
    Abstract: With the rapid development of the Internet, enterprises have long since migrated their services to the cloud. Virtualization plays a central role in cloud computing: a special piece of software, the virtual machine monitor (hypervisor), is added above the server hardware layer to abstract the hardware resources, so that a single server appears to run several virtual machines (VMs) at the same time, which greatly improves server utilization. Alongside this, Virtual Machine Introspection (VMI) has been proposed. VMI obtains the state of a VM through the hypervisor and defines features of that state in order to capture events of a particular kind; when the VM state matches a defined event, a notification is issued and the handling routine defined for that event is executed.
    The system proposed in this thesis targets the detection and removal of DKOM-Rootkits (Direct Linux Kernel Object Manipulation Rootkits) and the objects they hide, and proposes a Hidden Behavior based Anomaly Detection (HBRAD) mechanism. HBRAD uses VMI to compare every instruction executed in the VM in order to decide whether an event is triggered; once an event is triggered, the VM state is analyzed and a trusted view is constructed. At the same time, the information the mechanism needs is obtained from inside the VM through VMI as an untrusted view; the two views are compared to identify the hidden objects, which are then removed.
    Appears in Collections: [Graduate Institute of Computer Science and Information Engineering] Theses and Dissertations

    Files in This Item:

    File         Description   Size   Format   Views
    index.html                 0Kb    HTML     39       View/Open


    All items in NCUIR are protected by copyright.

