Journal of Computer Applications (计算机应用) ›› 2016, Vol. 36 ›› Issue (7): 1811-1815. DOI: 10.11772/j.issn.1001-9081.2016.07.1811

• Cyberspace Security •

Diversified malware detection framework toward cloud platform

GAO Chao (高超) 1,2,3, ZHENG Xiaomei (郑小妹) 1,2,3, JIA Xiaoqi (贾晓启) 1,3

  1. State Key Laboratory of Information Security (Institute of Information Engineering, Chinese Academy of Sciences), Beijing 100093, China;
    2. School of Computer and Control Engineering, University of Chinese Academy of Sciences, Beijing 100049, China;
    3. Beijing Key Laboratory of Network Security and Protection Technology (Institute of Information Engineering, Chinese Academy of Sciences), Beijing 100049, China
  • Received: 2015-12-11 Revised: 2016-03-07 Online: 2016-07-10 Published: 2016-07-14
  • Corresponding author: GAO Chao
  • About the authors: GAO Chao (born 1992), male, from Qianjiang, Hubei; master's student; research interests: virtualization, system security. ZHENG Xiaomei (born 1992), female, from Dezhou, Shandong; master's student; research interest: information security. JIA Xiaoqi (born 1982), male, from Beijing; associate research fellow, PhD, CCF member; research interests: malicious code analysis and detection, virtualization, network and operating system security.
  • Supported by:
    National Natural Science Foundation of China (61100228); National High Technology Research and Development Program (863 Program) of China (2015AA017202).



Abstract: In recent years, malware has posed a serious threat to both physical machines and the virtual machines running on cloud platforms. Deploying traditional detection tools such as anti-virus software and firewalls on an Infrastructure as a Service (IaaS) cloud faces the following problems: 1) the detection tools may be damaged or shut down by malware; 2) the detection rate of any single tool is insufficient; 3) the tools can be bypassed, for example by packing; 4) additional software must be installed in every guest virtual machine, which is hard to deploy. A diversified malware detection framework for cloud platforms was proposed to overcome these shortcomings. The framework first uses virtualization technology to intercept specific guest behaviour, then dynamically extracts the code that guest software releases into memory, and finally has several anti-virus engines scan the extracted code and jointly decide whether it is malicious. Because the code is taken from guest memory, extraction and judgement are completely transparent to the guest. A prototype was implemented on the Xen hypervisor and evaluated against malware samples. On packed malware the prototype achieved a detection rate of 85.7%, 14.3 percentage points higher than static scanning by anti-virus software. The experimental results show that a diversified malware detection framework on a cloud platform can protect guest virtual machines more effectively.

Key words: cloud platform, malware detection, virtualization, diversity, dynamic scanning
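The two design decisions the abstract rests on, scanning the unpacked in-memory image rather than the packed on-disk file and combining the verdicts of several engines, can be shown without a hypervisor. The following is an added example and not the paper's prototype: the Xen-side interception and memory dump are replaced by a constructed byte string, the packer by a toy XOR transform, and the anti-virus engines by small signature and hash matchers. All sample bytes, engine names and signatures are constructed for the illustration; the voting function `diversified_scan` and its `min_votes` parameter are this example's own, not something the paper defines.

```python
"""Diversified scanning of a dynamically extracted code image.

Added illustration, not the paper's prototype. The paper intercepts guest
behaviour in Xen and dumps code from guest memory; here the memory dump
is a constructed byte string, the packer is a toy XOR transform, and the
"anti-virus engines" are small signature and hash matchers. Engine names,
signatures and samples are all constructed for this example.
"""
import hashlib
from typing import Callable, Dict, List, Set

# Constructed sample payload: an x86-like prologue/epilogue around a
# recognisable marker. Only the structure of the argument matters here.
PAYLOAD = b"\x55\x8b\xec" + b"MALICIOUS_ROUTINE_v1" + b"\x5d\xc3"
# Constructed variant with the same prologue but a different body, so that
# engines keyed on the marker string or on a file hash miss it.
VARIANT = b"\x55\x8b\xec" + b"MALWARE_VARIANT_2" + b"\x5d\xc3"
XOR_KEY = 0x5A


def pack(data: bytes, key: int = XOR_KEY) -> bytes:
    """Toy packer: XOR every byte. It stands in for a real packer only in
    the one property that matters: the on-disk bytes carry no signature."""
    return bytes(b ^ key for b in data)


def runtime_unpack(packed: bytes, key: int = XOR_KEY) -> bytes:
    """What the unpacking stub does in guest memory before jumping to the
    payload; a hypervisor-side dump taken at that point captures the result."""
    return bytes(b ^ key for b in packed)


Engine = Callable[[bytes], bool]


def signature_engine(signatures: List[bytes]) -> Engine:
    """Engine that flags a buffer containing any of its byte signatures."""
    def scan(buf: bytes) -> bool:
        return any(sig in buf for sig in signatures)
    return scan


def hash_engine(known_sha256: Set[str]) -> Engine:
    """Engine that flags a buffer whose SHA-256 is on a blocklist."""
    def scan(buf: bytes) -> bool:
        return hashlib.sha256(buf).hexdigest() in known_sha256
    return scan


# Three engines with deliberately different detection logic (diversity):
# engine_a and engine_b key on different substrings, engine_c on a hash.
ENGINES: Dict[str, Engine] = {
    "engine_a": signature_engine([b"MALICIOUS_ROUTINE"]),
    "engine_b": signature_engine([b"\x55\x8b\xecMAL"]),
    "engine_c": hash_engine({hashlib.sha256(PAYLOAD).hexdigest()}),
}


def diversified_scan(buf: bytes, engines: Dict[str, Engine],
                     min_votes: int = 1) -> Dict[str, object]:
    """Run every engine on buf and combine verdicts by k-of-n voting.
    min_votes=1 is an OR of the engines (maximises detection); a higher
    threshold trades detection for fewer false positives."""
    votes = {name: scan(buf) for name, scan in engines.items()}
    hits = sum(votes.values())
    return {"votes": votes, "hits": hits, "malicious": hits >= min_votes}


def compare_static_vs_dynamic(payload: bytes,
                              engines: Dict[str, Engine]) -> Dict[str, dict]:
    """Scan the packed on-disk file (static) and the unpacked in-memory
    image (dynamic) with the same engines and return both verdicts."""
    on_disk = pack(payload)
    memory_dump = runtime_unpack(on_disk)
    return {
        "static": diversified_scan(on_disk, engines),
        "dynamic": diversified_scan(memory_dump, engines),
    }


if __name__ == "__main__":
    for mode, verdict in compare_static_vs_dynamic(PAYLOAD, ENGINES).items():
        print(f"{mode:8s} hits={verdict['hits']} "
              f"malicious={verdict['malicious']} votes={verdict['votes']}")
    print("variant ", diversified_scan(VARIANT, ENGINES)["votes"])
```

Running it shows the static scan of the packed file getting zero hits from all three engines while the memory dump of the same sample is flagged by all three, which is the packing problem the abstract lists. The variant is caught only by `engine_b`, so with `min_votes=1` it is still flagged, while any single engine would have missed it with probability two in three; raising `min_votes` to 2 lets it through, which is the detection-versus-false-positive trade the threshold controls.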
