基于虚拟机自省的Linux恶意软件检测方案

doi:10.3969/j.issn.1671-1122.2024.05.001

摘要/Abstract

摘要：

随着物联网和云计算技术的快速发展，Linux恶意软件的数量和种类急剧增加，因此如何有效检测Linux恶意软件成为安全领域的重要研究方向之一。为了解决这一问题，文章提出一种基于虚拟机自省的Linux恶意软件检测方案。该方案利用虚拟机自省技术在沙箱外部安全获取内部运行状态，在实现全方位监控的同时，规避了恶意软件的反动态分析问题。与其他沙箱监控方案相比，文章所提方案增加了恶意软件在沙箱中的恶意行为表现的数量。针对特征之间的时序性，采用时序处理模型对沙箱获取的特征信息进行建模和训练，旨在判断Linux应用是否属于恶意软件。文章使用了3种神经网络，包括循环神经网络、长短期记忆网络和门控循环单元网络。实验结果表明，长短期记忆网络在该应用场景下检测效果更好，准确率达98.02%，同时具有较高的召回率，将虚拟机自省技术与神经网络模型结合应用于恶意软件检测，既能在虚拟机外部监控虚拟机内部，又考虑特征之间的时序性。

关键词: 恶意软件检测, 虚拟机自省, 深度神经网络, Linux沙箱

Abstract:

With the rapid development of the Internet of things and cloud computing technology, the number and type of Linux malware have increased dramatically. Therefore, how to effectively detect Linux malware has become one of the important research directions in the security field. To solve this problem, this paper proposed a Linux malicious application detection scheme based on virtual machine introspection. This scheme utilized the virtual machine introspection technology to securely obtain the internal running status outside the sandbox, realized all-round monitoring while avoiding the anti-dynamic analysis technology of malware at the same time. Compared to other sandbox monitoring methods, this scheme improved malware performance in the sandbox. In order to pay more attention to the timing between features, a timing processing model was used to model and train the feature information obtained by the sandbox, aiming to judge whether a Linux application was malicious. In this paper, three kinds of neural network were used, including recurrent neural network, long short-term memory network and gated recurrent unit network. The experimental results show that the long short-term memory network works better in this application scenario, with an accuracy rate of 98.02% and a higher recall rate. The innovation of this paper is that the combination of virtual machine introspection technology and neural network model is applied to malicious application detection, which can not only monitor the inside of the virtual machine outside the virtual machine, but also pay attention to the timing between features.

Key words: malicious application detection, virtual machine introspection, deep neural network, Linux sandbox

中图分类号:

TP309

文伟平, 张世琛, 王晗, 时林. 基于虚拟机自省的Linux恶意软件检测方案[J]. 信息网络安全, 2024, 24(5): 657-666.

WEN Weiping, ZHANG Shichen, WANG Han, SHI Lin. Linux Malicious Application Detection Scheme Based on Virtual Machine Introspection[J]. Netinfo Security, 2024, 24(5): 657-666.

图/表 25

图1

图2

图3

图4

图5

图6

图7

图8

图9

图10

图11

表1

表2

表3

表4

表5

表6

表7

表8

图12

图13

图14

表9

表10

图15

参考文献 15

[1]	CNCERT/CC. 2020 China Internet Network Security Report[EB/OL]. (2021-07-21)[2023-08-01]. http://www.cac.gov.cn/2021-07/21/c_1628454189500041.htm.
	国家计算机网络应急技术处理协调中心. 2020年中国互联网网络安全报告[EB/OL]. (2021-07-21)[2023-08-01]. http://www.cac.gov.cn/2021-07/21/c_1628454189500041.htm.
[2]	CNCERT/CC. Overview of China’s Internet Network Security Situation in 2020[EB/OL]. (2021-05-26)[2023-08-01]. http://www.cac.gov.cn/2021-05/26/c_1623610314656045.htm.
	国家计算机网络应急技术处理协调中心. 2020年我国互联网网络安全态势综述[EB/OL]. (2021-05-26)[2023-08-01]. http://www.cac.gov.cn/2021-05/26/c_1623610314656045.htm.
[3]	FANG Zhan, LIU Jun, HUANG Ribian, et al. Research on Multi-Model Android Malicious Application Detection Based on Feature Fusion[C]// IEEE. 2021 4th International Conference on Robotics, Control and Automation Engineering (RCAE). New York: IEEE, 2021: 318-325.
[4]	QIU Hongyuan, FERNANDO C. COLON O. Static Malware Detection with Segmented Sandboxing[EB/OL]. (2013-10-22)[2023-08-01]. https://ieeexplore.ieee.org/document/6703695.
[5]	ALKHATEEB E M S. Dynamic Malware Detection Using API Similarity[EB/OL]. (2017-09-14)[2023-08-01]. https://ieeexplore.ieee.org/document/8031489.
[6]	KEDZIORA M, GAWIN P, SZCZEPANIK M, et al. Malware Detection Using Machine Learning Algorithms and Reverse Engineering of Android Java Code[EB/OL]. (2019-01-29)[2023-08-01]. https://www.researchgate.net/publication/331245836_Malware_Detection_Using_Machine_Learning_Algorithms_and_Reverse_Engineering_of_Android_Java_Code.
[7]	BAUMAN E, AYOADE G, LIN Zhiqiang. A Survey on Hypervisor-Based Monitoring: Approaches, Applications, and Evolutions[J]. ACM Computing Surveys (CSUR), 2015, 48(1): 1-33.
[8]	LI Baohui, XU Kefu, ZHANG Peng, et al. Research and Application Progress of Virtual Machine Introspection Technology[J]. Journal of Software, 2016, 27(6): 1384-1401.
[9]	ROSENBLUM M, GARFINKEL T. Virtual Machine Monitors: Current Technology and Future Trends[J]. Computer, 2005, 38(5): 39-47.
[10]	HOCHREITER S, SCHMIDHUBER J. Long Short-Term Memory[J]. Neural Computation, 1997, 9(8): 1735-1780. doi: 10.1162/neco.1997.9.8.1735 pmid: 9377276
[11]	TAN Liuyan, RUAN Shuhua, YANG Min, et al. Educational Data Classification Based on Deep Learning[J]. Netinfo Security, 2023, 23(3): 96-102.
[12]	DEY R, SALEM F M. Gate-Variants of Gated Recurrent Unit (GRU) Neural Networks[EB/OL]. (2017-10-02)[2023-08-01]. https://ieeexplore.ieee.org/document/8053243.
[13]	KUMAR R, CHARU S. An Importance of Using Virtualization Technology in Cloud Computing[J]. Global Journal of Computers & Technology, 2015, 1(2): 2623-2634.
[14]	ZHANG Jixin, ZHANG Kehuan, QIN Zheng, et al. Sensitive System Calls Based Packed Malware Variants Detection Using Principal Component Initialized Multilayers Neural Networks[J]. Cybersecurity, 2018(10): 21-34.
[15]	RABADI D, TEO S G. Advanced Windows Methods on Malware Detection and Classification[C]// ACM. The 36th Annual Computer Security Applications Conference (ACSAC’20). New York: ACM, 2020: 54-68.

沙箱结构	参数名称	具体参数
Guest	操作系统	Linux Ubuntu18.04
	内存	4 GB
	CPU	4核
	开源工具	HVMI
	开发语言	C、Python3.6.8
Target	操作系统	Linux Ubuntu18.04
	内存	4 GB
	CPU	2核
Host	操作系统	Linux Ubuntu18.04
	内存	8 GB
	CPU	6核
	软件版本	Qemu4.2.1、kvm

实验环境	具体信息
操作系统	Ubuntu
CPU	Intel(R) Xeon(R) Platinum 8369 B CPU @2.90 GHz
GPU	A100(80 GB)
内存	128 GB
开发语言	Python 3.10.11
深度学习框架	Keras2.2.5

恶意行为	系统指令污染	服务创建/自启动	敏感文件读取	文件创建	删除文件	文件权限更改	获取系统相关信息	Bash执行命令	休眠躲避
微步	—	√	√	√	√	—	√	—	—
阿里云	√	√	√	√	—	√	√	√	√
HVMI	√	√	√	√	√	√	√	√	√

恶意行为	服务创建/自启动	创建守护进程	获取系统相关信息	查看网络配置	修改进程命令行
微步	—	—	—	√	—
阿里云	√	√	√	—	√
HVMI	√	√	√	√	—

恶意行为	反调试	敏感文件读取	文件权限更改	获取系统相关信息	Bash执行命令
微步	√	√	—	√	—
阿里云	—	√	√	—	√
HVMI	√	√	√	√	√