Conference topic

An advanced method of process reconstruction based on VMM

Recently, VMM-based anti-malware systems have become a hot research topic as a way of overcoming the fundamental limitations of traditional host-based anti-malware systems, which are likely to be deceived and attacked by malicious code. Guest system semantic views (e.g., files, processes) must be reconstructed to overcome the semantic gap challenge. Because processes switch frequently, process reconstruction based on the CR3 register causes many VM EXIT events and some performance loss. In the current study, an advanced method of reconstructing processes is presented. Utilizing the features of hardware virtualization technology, this method reduces the VM EXIT events caused by process switching; thus, the efficiency of process reconstruction is improved. Experiments show that the method can reduce nearly 85% of the VM EXIT events caused by process switching.

network security; malware detection; process reconstruction; hidden process; hardware virtualization

Lin Chen, Jing Zhang, Bo Liu, Huaping Hu

Computer School, National University of Defense Technology, Changsha, Hunan 410073, P.R. China

International conference

2011 International Conference on Computer Science and Network Technology (ICCSNT 2011)

Harbin

English

987-992

2011-12-24 (date first posted on the Wanfang platform, not the paper's publication date)