中大機構典藏-NCU Institutional Repository-提供博碩士論文、考古題、期刊論文、研究計畫等下載:Item 987654321/86549
English  |  正體中文  |  简体中文  |  Items with full text/Total items : 81570/81570 (100%)
Visitors : 47021325      Online Users : 120
RC Version 7.0 © Powered By DSPACE, MIT. Enhanced by NTU Library IR team.
Scope Tips:
  • please add "double quotation mark" for query phrases to get precise results
  • please goto advance search for comprehansive author search
    •  Adv. Search
    HomeLoginUploadHelpAboutAdminister Goto mobile version


    Please use this identifier to cite or link to this item: http://ir.lib.ncu.edu.tw/handle/987654321/86549


    Title: VMDMD: A Solution to Defend a Linux System against VM-detection-based Malware
    Authors: 許?方;Hsu, Li-Fang
    Contributors: 資訊工程學系
    Keywords: 虛擬機檢測;Linux惡意程式;VM detection;Linux Malware
    Date: 2021-07-27
    Issue Date: 2021-12-07 12:57:40 (UTC+8)
    Publisher: 國立中央大學
    Abstract: 過去半個世紀以來,隨著Windows OS在個人電腦市場上的宰制性,資訊安全人員與駭客之間的戰場主要放在了Windows-based的惡意程式上。近年來隨著IoT(Internet of Things)的發展,能夠支援更多元架構的Linux作業系統被大量使用在更輕薄的嵌入式裝置上,讓攻擊者逐漸將目光放在了Linux作業系統上。
    根據以往Windows-based惡意程式的發展經驗,在這場資訊安全人員與駭客之間的貓捉老鼠遊戲中,由於虛擬機或沙箱經常被惡意程式分析人員用於分析惡意程式,惡意程式為了最大程度的阻止資訊安全人員的分析,絕大多數都發展出了相應的虛擬機偵測機制,因此可以預期Linux-based惡意程式極大可能也同樣會走向這樣的結果。
    由於這類惡意程式在檢測到自己在虛擬機之後,會表現出與不在虛擬機中不同的行為,本篇論文針對Linux-based惡意程式現有及未來可能會出現的虛擬機偵測機制進行分析,提出一套能夠停止帶有虛擬機偵測機制的惡意程式的方法,命名為VMDMD,為Virtual Machine Detection-based Malware Defender的縮寫。VMDMD在偵測到目標Process執行類似虛擬機檢測的行為時,會先fork出一個新Process(於本篇論文中,我們簡稱為FDP,Fake Data Process)並給予其虛擬機上的假資料,同時記錄它的執行流程,之後再恢復原本Process並比對他們的行為,只要一不相同就馬上停止其執行。
    ;For the half past century, with the dominating of Windows Operating System on the market share of Personal Computer, the war between Security researchers and attackers mainly focus on Windows-based malware. Recently, with the development of IoTs (Internet of Things), more embedded devices tend to use Linux Operating System, which could support various kinds of architecture.
    According to the experience on Windows-based malware, in this “Cat and Mouse Game”between attacks and security researchers, in order to prevent analysis on malware by malware analyst, the malware writers used to apply virtual machine detect mechanism (anti-vm, evasive) on malware, since virtual machines or sandboxes are widely used on analyzing malware . Although it is still not a trend on Linux-malware, we expect there will be more malware start to detect virtual machine detect method to avoid analysis.
    Since this kind of malware usually change its behavior after detecting itself a in virtual machine. In this paper, we focus on the evasive method used by Linux-based malware, proposing a mechanism to detect the evasive behavior, which is called VMDMD, it is a abbreviation for Virtual Machine Detection-based Malware Defender). VMDMD will fork another target process (hereafter we call it FDP, Fake Data Process) and provide fake information as if the target process behaves evasive, and trace its execution and result. And then resume the target program with the real information, and stop its execution after behave differently from FDP.
    Appears in Collections:[Graduate Institute of Computer Science and Information Engineering] Electronic Thesis & Dissertation

    Files in This Item:

    File Description SizeFormat
    index.html0KbHTML91View/Open


    All items in NCUIR are protected by copyright, with all rights reserved.

    社群 sharing

    ::: Copyright National Central University. | 國立中央大學圖書館版權所有 | 收藏本站 | 設為首頁 | 最佳瀏覽畫面: 1024*768 | 建站日期:8-24-2009 :::
    DSpace Software Copyright © 2002-2004  MIT &  Hewlett-Packard  /   Enhanced by   NTU Library IR team Copyright ©   - 隱私權政策聲明