信息网络安全 (Netinfo Security) ›› 2024, Vol. 24 ›› Issue (5): 657-666. doi: 10.3969/j.issn.1671-1122.2024.05.001

• Special Topic: Cyber Security Defense •

Linux Malicious Application Detection Scheme Based on Virtual Machine Introspection

WEN Weiping, ZHANG Shichen, WANG Han, SHI Lin

  1. School of Software and Microelectronics, Peking University, Beijing 100871, China
  • Received: 2023-08-15 Online: 2024-05-10 Published: 2024-06-24
  • Corresponding author: WEN Weiping E-mail: weipingwen@pku.edu.cn
  • About the authors: WEN Weiping (born 1976), male, from Hunan, professor, Ph.D.; main research interests: system and network security, big data and cloud security, intelligent computing security | ZHANG Shichen (born 2000), male, from Shandong, master's student; main research interests: malicious code detection, vulnerability discovery | WANG Han (born 2000), male, from Shandong, master's student; main research interest: software and system security | SHI Lin (born 1998), male, from Shandong, master's student; main research interests: vulnerability discovery, software security protection
  • Funding:
    National Natural Science Foundation of China (61872011)

Abstract:

With the rapid development of the Internet of Things and cloud computing, the number and variety of Linux malware samples have increased sharply, so effective detection of Linux malware has become an important research direction in the security field. To address this problem, this paper proposes a Linux malicious application detection scheme based on virtual machine introspection (VMI). The scheme uses VMI to securely obtain the internal running state of the sandbox from outside it, which provides all-round monitoring while sidestepping the anti-dynamic-analysis techniques used by malware. Compared with other sandbox monitoring schemes, the proposed scheme increases the number of malicious behaviours that malware exhibits while running in the sandbox. Because the extracted features are temporally ordered, a time-series model is used to model and train on the feature information collected by the sandbox, in order to decide whether a Linux application is malicious. Three kinds of neural network are used: a recurrent neural network (RNN), a long short-term memory network (LSTM) and a gated recurrent unit network (GRU). Experimental results show that the LSTM performs best in this application scenario, reaching an accuracy of 98.02% together with a high recall rate. The contribution of this paper is the combination of VMI with neural network models for malicious application detection, which both monitors the inside of the virtual machine from outside it and takes the temporal relationship between features into account.

Key words: malicious application detection, virtual machine introspection, deep neural network, Linux sandbox

CLC number: