Hidden process detection using kernel functions instrumentation

Authors: Yacine Hebbal, S. Laniepce, Jean-Marc Menaud
DOI: 10.1109/DESEC.2017.8073805 (https://doi.org/10.1109/DESEC.2017.8073805)
Published in: DASC-PICom-DataCom-CyberSciTech 2017: 2017 IEEE 15th International Conference on Dependable, Autonomic and Secure Computing; 2017 IEEE 15th International Conference on Pervasive Intelligence and Computing; 2017 IEEE 3rd International...
Publication date: 2017-08-01
Pages: 138-145
Citation count: 2 (source: Semantic Scholar)
Abstract: Process hiding is a common attack used by long-lived malicious processes to conceal their presence from security and administration tools. Multiple techniques based on Virtual Machine Introspection (VMI) have been proposed to detect the presence of hidden running processes in virtual machines. However, existing techniques are not practical for real-world cloud environments, as they either suffer from evasion attacks or rely on manually provided, overly OS-specific information. In this paper we present HPD, a VMI-based Hidden Process Detector that instruments guest OS kernel functions to automatically and reliably detect hidden processes and terminate their execution. We designed and implemented a prototype of HPD on the KVM hypervisor. Its evaluation on multiple Linux kernels shows that, from the hypervisor level, HPD successfully detects the presence of hidden running processes and safely terminates their execution.