VMDetector: A VMM-based Platform to Detect Hidden Process by Multi-view Comparison

Author

Wang, Ying ; Hu, Chunming ; Li, Bo

Author_Institution

Sch. of Comput. Sci. & Eng., Beihang Univ., Beijing, China

fYear

2011

fDate

10-12 Nov. 2011

Firstpage

307

Lastpage

312

Abstract

Recently, "rootkit" becomes a popular hacker malware on the Internet, which controls the hosts on the Internet by hiding itself, and raises a serious security threat. Existing host-based and hardware-based solutions have some disadvantages, such as hardware overhead and being discovered by root kits, where the development of virtualization technology provides a better solution to avoid those. Virtual machine monitor has the highest authority on the virtual machine, and has the right to control the activities in the virtual machine without being found by root kits in the virtual machines. We propose VM Detector based on this hardware virtualization technology, using multi-view detection mechanism, to detect hidden processes inside the virtual machine on many aspects, then to improve the virtual machine\´s security. Through several experiments, VM Detector carried on the process detection effectively, and introduced less than 10% performance overhead.

Keywords

security of data; virtual machines; virtualisation; Internet; VMDetector; VMM-based platform; hacker malware; hardware overhead; hardware virtualization technology; hidden process; multiview comparison; multiview detection; security threat; virtual machine monitor; Hardware; Kernel; Linux; Semantics; Virtual machine monitors; Virtual machining; hidden process detection; multi-view; multi-view comparison; virtualization;

fLanguage

English

Publisher

ieee

Conference_Titel

High-Assurance Systems Engineering (HASE), 2011 IEEE 13th International Symposium on

Conference_Location

Boca Raton, FL

ISSN

1530-2059

Print_ISBN

978-1-4673-0107-7

Type

conf

DOI

10.1109/HASE.2011.41

Filename

6113912