Netinfo Security ›› 2024, Vol. 24 ›› Issue (5): 657-666. doi: 10.3969/j.issn.1671-1122.2024.05.001


Linux Malicious Application Detection Scheme Based on Virtual Machine Introspection

WEN Weiping, ZHANG Shichen, WANG Han, SHI Lin

  1. School of Software and Microelectronics, Peking University, Beijing 100871, China
  • Received: 2023-08-15  Online: 2024-05-10  Published: 2024-06-24
  • Contact: WEN Weiping  E-mail: weipingwen@pku.edu.cn

Abstract:

With the rapid development of Internet of Things and cloud computing technology, the number and variety of Linux malware samples have increased dramatically, so effective detection of Linux malware has become an important research direction in the security field. To address this problem, this paper proposed a Linux malicious application detection scheme based on virtual machine introspection (VMI). The scheme used VMI to obtain the internal running state of the sandbox securely from outside the virtual machine, which provided all-round monitoring while at the same time evading the anti-dynamic-analysis techniques used by malware. Compared with other sandbox monitoring methods, this scheme improved the performance of malware in the sandbox. To give more attention to the timing relationships between features, a sequence (time-series) model was used to model and train on the feature information obtained by the sandbox, with the goal of judging whether a Linux application is malicious. Three kinds of neural network were used: the recurrent neural network (RNN), the long short-term memory network (LSTM) and the gated recurrent unit network (GRU). The experimental results show that the LSTM works best in this application scenario, with an accuracy rate of 98.02% and a higher recall rate. The innovation of this paper is the combination of VMI and neural network models for malicious application detection, which both monitors the inside of the virtual machine from outside it and accounts for the timing between features.
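The abstract describes feeding sandbox-observed behaviour, with its timing preserved, into a sequence model. The following Python is an added illustration, not code from the paper or its authors: it takes a constructed, VMI-style trace of guest syscall events (the "timestamp pid syscall" line format, the field names and the reserved PAD/UNK indices are assumptions), keeps the events in temporal order, builds a syscall vocabulary, and turns each guest process into a fixed-length integer sequence plus a parallel sequence of inter-event time deltas, which is the shape of input an RNN/LSTM/GRU classifier consumes.

```python
"""
Added example (not from the paper): convert an out-of-VM, time-ordered trace of
guest syscall events into fixed-length sequences for a sequence model.
The trace format, field names and reserved indices are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

PAD = 0   # reserved index used to pad short sequences
UNK = 1   # reserved index for syscalls absent from the training vocabulary


@dataclass(frozen=True)
class Event:
    ts: float      # time the monitor observed the event (seconds, assumed)
    pid: int       # guest process id
    syscall: str   # syscall name as resolved from the guest's syscall table


# Constructed sample trace, in the shape an introspection-based monitor might
# record from outside the VM: "timestamp pid syscall". Two guest processes are
# interleaved; each must keep its own timeline so the model sees per-process
# ordering and timing rather than a mixed global stream.
SAMPLE_TRACE = """\
0.001 1201 execve
0.002 1201 openat
0.003 1337 socket
0.004 1201 read
0.005 1337 connect
0.006 1201 mmap
0.007 1337 write
0.008 1201 close
0.009 1337 execve
0.010 1337 ptrace
"""


def parse_trace(text):
    """Parse trace lines into Event objects, sorted by observation time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, pid, name = line.split()[:3]
        events.append(Event(float(ts), int(pid), name))
    events.sort(key=lambda e: (e.ts, e.pid))   # preserve temporal order
    return events


def build_vocab(events, min_count=1):
    """Map each syscall name seen at least min_count times to an index >= 2."""
    counts = Counter(e.syscall for e in events)
    names = sorted(n for n, c in counts.items() if c >= min_count)
    return {n: i + 2 for i, n in enumerate(names)}   # 0 and 1 are reserved


def per_process_sequences(events, vocab, seq_len):
    """Return {pid: (syscall_indices, time_deltas)}, each padded/truncated
    to seq_len. Deltas are seconds since the process's previous event,
    rounded to microseconds; the first event of a process gets delta 0."""
    grouped = {}
    for e in events:                      # events are already time-ordered
        grouped.setdefault(e.pid, []).append(e)
    out = {}
    for pid, evs in grouped.items():
        idx = [vocab.get(e.syscall, UNK) for e in evs][:seq_len]
        deltas = [0.0] + [round(b.ts - a.ts, 6) for a, b in zip(evs, evs[1:])]
        deltas = deltas[:seq_len]
        pad = seq_len - len(idx)
        out[pid] = (idx + [PAD] * pad, deltas + [0.0] * pad)
    return out


def encode_trace(text, seq_len=6, vocab=None):
    """Full pipeline: parse, build (or reuse) a vocabulary, encode per process."""
    events = parse_trace(text)
    if vocab is None:
        vocab = build_vocab(events)
    return vocab, per_process_sequences(events, vocab, seq_len)


if __name__ == "__main__":
    vocab, seqs = encode_trace(SAMPLE_TRACE)
    print("vocab:", vocab)
    for pid, (idx, dt) in seqs.items():
        print(pid, idx, dt)
```

Reusing a vocabulary built on training traces when encoding new samples (the `vocab` argument) is what makes unseen syscalls map to `UNK` instead of silently shifting every index; the per-process delta channel is one simple way to hand the model the inter-event timing the abstract says the approach relies on.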

Key words: malicious application detection, virtual machine introspection, deep neural network, Linux sandbox
