Abstract
Intrusion detection techniques are usually divided into two classes: misuse detection and anomaly detection. Misuse detection identifies known attacks by matching against a library of attack patterns, but it cannot guard against unknown attacks; anomaly detection can predict potential attacks whose behaviour deviates from the normal threshold interval, but it suffers from a high false-alarm rate. In this paper the running behaviour of the virtual machine's operating system is monitored out-of-band from the virtual machine monitor, which avoids the problem of an in-guest monitoring module being infected by a virus. By monitoring the virtual machine's runtime behaviour and analysing the validity of its combined sequences, the ability of misuse detection to guard against attacks spread over a long period is extended, and malicious attacks carried out through legitimate system calls are identified. Test data show that the technique detects complex compositional attacks well.
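The combined-sequence validity analysis the abstract describes can be illustrated with a small detector that consumes the syscall stream a hypervisor-side monitor emits and raises an alert only when an ordered combination of individually legitimate calls completes within a time window. This is an added example, not the paper's code: it assumes the VMM-side monitor already delivers one decoded event per guest syscall with a guest-time tick, VM id, pid, syscall name and arguments; the two patterns, the window sizes, the "external address" heuristic and the trace are all constructed for the example.

```python
"""Multi-step (combined-sequence) misuse detection over an out-of-band syscall trace.

Added illustration, not the paper's implementation. The Event layout below is an
assumption about what a VMM-side syscall hook would hand to the analysis layer.
"""
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Event:
    tick: int    # guest-time counter supplied by the monitor (assumed field)
    vm: str      # guest identifier
    pid: int     # guest process id as reconstructed by the monitor
    name: str    # syscall name
    args: dict   # decoded arguments


# A step is a syscall name plus a predicate on its arguments.
Step = tuple[str, Callable[[Event], bool]]


@dataclass(frozen=True)
class Pattern:
    label: str
    steps: tuple[Step, ...]
    window: int  # max ticks allowed between the first and the last step


def any_args(_: Event) -> bool:
    return True


def path_is(prefix: str) -> Callable[[Event], bool]:
    return lambda e: str(e.args.get("path", "")).startswith(prefix)


def dst_is_external(e: Event) -> bool:
    # Constructed heuristic: anything outside 10.0.0.0/8 counts as external.
    return not str(e.args.get("dst", "")).startswith("10.")


def setuid_bit(e: Event) -> bool:
    return bool(int(e.args.get("mode", 0)) & 0o4000)


# Constructed patterns: every step is a normal syscall; only the ordered
# combination, completed inside the window, is treated as a signature.
PATTERNS = (
    Pattern("credential file read followed by external connect",
            (("open", path_is("/etc/shadow")), ("read", any_args),
             ("connect", dst_is_external)), window=50),
    Pattern("setuid bit planted on a file in /tmp and then executed",
            (("open", path_is("/tmp/")), ("chmod", setuid_bit),
             ("execve", path_is("/tmp/"))), window=100),
)


class SequenceDetector:
    """Tracks a partial match per (vm, pid, pattern); unrelated calls in between are ignored."""

    def __init__(self, patterns: tuple[Pattern, ...] = PATTERNS):
        self.patterns = patterns
        self._state: dict[tuple, tuple[int, int]] = {}  # key -> (next_step, first_tick)

    def feed(self, ev: Event) -> list[dict]:
        alerts: list[dict] = []
        if ev.name in ("exit", "exit_group"):
            # Drop partial matches so a reused pid does not inherit them.
            for key in [k for k in self._state if k[:2] == (ev.vm, ev.pid)]:
                del self._state[key]
            return alerts
        for p in self.patterns:
            key = (ev.vm, ev.pid, p.label)
            idx, start = self._state.get(key, (0, ev.tick))
            if idx > 0 and ev.tick - start > p.window:
                idx, start = 0, ev.tick  # partial match timed out; start over
            name, cond = p.steps[idx]
            if ev.name == name and cond(ev):
                if idx == 0:
                    start = ev.tick
                idx += 1
                if idx == len(p.steps):
                    alerts.append({"vm": ev.vm, "pid": ev.pid, "pattern": p.label,
                                   "first_tick": start, "last_tick": ev.tick})
                    idx, start = 0, ev.tick
            self._state[key] = (idx, start)
        return alerts

    def run(self, trace: Iterable[Event]) -> list[dict]:
        out: list[dict] = []
        for ev in trace:
            out.extend(self.feed(ev))
        return out


def sample_trace() -> list[Event]:
    """Constructed trace: four guest processes, two of which complete a pattern."""
    E = Event
    return [
        # pid 100: each call is legitimate on its own; together they match pattern 1
        E(1, "vm1", 100, "open", {"path": "/etc/shadow"}),
        E(2, "vm1", 100, "read", {"fd": 3}),
        E(3, "vm1", 100, "socket", {}),
        E(4, "vm1", 100, "connect", {"dst": "203.0.113.7"}),
        # pid 200: reads the same file but only talks to an internal host
        E(5, "vm1", 200, "open", {"path": "/etc/shadow"}),
        E(6, "vm1", 200, "read", {"fd": 3}),
        E(7, "vm1", 200, "connect", {"dst": "10.0.0.5"}),
        # pid 300: same steps as pid 100 but the connect falls outside the window
        E(8, "vm1", 300, "open", {"path": "/etc/shadow"}),
        E(9, "vm1", 300, "read", {"fd": 3}),
        E(90, "vm1", 300, "connect", {"dst": "203.0.113.7"}),
        # pid 400 on another guest: plants a setuid file in /tmp and runs it
        E(10, "vm2", 400, "open", {"path": "/tmp/x", "flags": "O_CREAT"}),
        E(11, "vm2", 400, "write", {"fd": 4}),
        E(12, "vm2", 400, "chmod", {"path": "/tmp/x", "mode": 0o4755}),
        E(13, "vm2", 400, "execve", {"path": "/tmp/x"}),
    ]


if __name__ == "__main__":
    for a in SequenceDetector().run(sample_trace()):
        print(a)
```

The per-(vm, pid, pattern) state is what lets a signature span a long stretch of guest activity: intervening calls neither advance nor cancel the match, only the window does, and the process-exit hook prevents a recycled pid from inheriting another process's partial match.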
Source
《计算机应用与软件》
CSCD
2011, No. 9, pp. 52-55, 59 (5 pages)
Computer Applications and Software
Funding
National High Technology Research and Development Program project (2009AA01Z101)
NSFC Key Project (90718040)
Keywords
Intrusion detection; Virtual machine monitor; System call monitoring