Detecting and Managing Hidden Process via Hypervisor

Wang Lina; Gao Hanjun; Liu Wei; Peng Yang

Journal of Computer Research and Development > 2011 > 48(8): 1534-1541.

Wang Lina, Gao Hanjun, Liu Wei, Peng Yang. Detecting and Managing Hidden Process via Hypervisor[J]. Journal of Computer Research and Development, 2011, 48(8): 1534-1541.

Citation:

Wang Lina, Gao Hanjun, Liu Wei, Peng Yang. Detecting and Managing Hidden Process via Hypervisor[J]. Journal of Computer Research and Development, 2011, 48(8): 1534-1541.

Citation:

Wang Lina, Gao Hanjun, Liu Wei, Peng Yang. Detecting and Managing Hidden Process via Hypervisor[J]. Journal of Computer Research and Development, 2011, 48(8): 1534-1541.

PDF (2713 KB)

Detecting and Managing Hidden Process via Hypervisor

Wang Lina^1,2,3,
Gao Hanjun^2,3,
Liu Wei^2,3,
Peng Yang^2,3

1(State Key Laboratory of Software Engineering, Wuhan University, Wuhan 430072) 2(Key Laboratory of Aerospace Information and Trusted Computing(Wuhan University), Ministry of Education, Wuhan 430072) 3(Computer School, Wuhan University, Wuhan 430072)

More Information

Published Date: August 14, 2011

Graphical Abstract

Abstract

Abstract

Malicious process is a significant threat to computer system security, which is not only able to compromise the integrity of system, but also getting increasingly stealthy and elusive when facilitated with stealthy rootkit techniques. Conventional detection tools are deployed and executed inside the very host they are protecting, which makes them vulnerable to deceive and subvert. In order to improve the accuracy of detection and the ability of tamper resistance, a VMM-based hidden process detection system located outside the protected virtual machine is designed and implemented. Using virtual machine introspection mechanism, the system implicitly inspects the low-level state of the protected virtual machine, and then reconstructs the high level OS abstractions (process queues) which are needed for analysis by semantic view reconstruction technique. Based on cross-view validation principle, the system compares various process queues between internal and external view, and finally identifies the target hidden process through their discrepancies. In the meantime, this system facilitates response mechanism for reporting more specific information (such as network port, real memory occupation etc) about the hidden process to the administrator and supplies the interfaces for hidden process termination and suspension. The experiments on some real-world rootkits which can hide process are designed to validate the effectiveness and feasibility of the detection system.

FullText(HTML)

References (0)

[1]	Wei Zhenkai, Cheng Meng, Zhou Xiabing, Li Zhifeng, Zou Bowei, Hong Yu, Yao Jianmin. Convolutional Interactive Attention Mechanism for Aspect Extraction[J]. Journal of Computer Research and Development, 2020, 57(11): 2456-2466. DOI: 10.7544/issn1000-1239.2020.20190748
[2]	Du Shengdong, Li Tianrui, Yang Yan, Wang Hao, Xie Peng, Horng Shi-Jinn. A Sequence-to-Sequence Spatial-Temporal Attention Learning Model for Urban Traffic Flow Prediction[J]. Journal of Computer Research and Development, 2020, 57(8): 1715-1728. DOI: 10.7544/issn1000-1239.2020.20200169
[3]	Wang Lu, Du Yuyue, Qi Hongda. Process Model Repair Based on Firing Sequences[J]. Journal of Computer Research and Development, 2018, 55(3): 585-601. DOI: 10.7544/issn1000-1239.2018.20160838
[4]	Zhang Hongbin, Ji Donghong, Yin Lan, Ren Yafeng, Niu Zhengyu. Caption Generation from Product Image Based on Tag Refinement and Syntactic Tree[J]. Journal of Computer Research and Development, 2016, 53(11): 2542-2555. DOI: 10.7544/issn1000-1239.2016.20150906
[5]	Wang Jinshui, Weng Wei, Peng Xin. Recovering Traceability Links Using Syntactic Analysis[J]. Journal of Computer Research and Development, 2015, 52(3): 729-737. DOI: 10.7544/issn1000-1239.2015.20131308
[6]	Tian Feng, Shen Xukun. Image Annotation by Semantic Neighborhood Learning from Weakly Labeled Dataset[J]. Journal of Computer Research and Development, 2014, 51(8): 1821-1832. DOI: 10.7544/issn1000-1239.2014.20121087
[7]	Wan Changxuan, Jiang Tengjiao, Zhong Minjuan, and Bian Hairong. Sentiment Computing of Web Financial Information Based on the Part-of-Speech Tagging and Dependency Parsing[J]. Journal of Computer Research and Development, 2013, 50(12): 2554-2569.
[8]	Zhu Hegui, Zhang Xiangde, Yang Lianping, and Tang Qingsong. Fingerprint-Based Random Sequence Generator[J]. Journal of Computer Research and Development, 2009, 46(11): 1862-1867.
[9]	Zhang Pengcheng, Zhou Yu, Li Bixin, and Xu Baowen. Property Sequence Chart: Formal Syntax and Semantic[J]. Journal of Computer Research and Development, 2008, 45(2): 318-328.
[10]	Chen Dangyang, Jia Suling, Wang Huiwen, and Luo Chang. Trend Sequences Analysis of Temporal Data and a Subsequence Matching Algorithm[J]. Journal of Computer Research and Development, 2007, 44(3).