Back to Search Start Over

RMVP: A Real-Time Method to Monitor Random Processes of Virtual Machine

Authors :
Chaoyuan Cui
YongGang Li
Yun Wu
Licheng Wang
Source :
IEEE Access, Vol 7, Pp 15845-15860 (2019)
Publication Year :
2019
Publisher :
Institute of Electrical and Electronics Engineers (IEEE), 2019.

Abstract

Out-of-box methods can provide strict isolation between the security tool and the target virtual machine (TVM), so they have strong anti-jamming abilities. Current monitoring methods are mostly based on memory snapshots at a time point or a fixed period. Due to the randomness of processes and the discontinuity of monitoring methods, methods based on time point or fixed period snapshots that security tools used to monitor processes may result in a high leakage rate. The real-time monitoring method can be used to resolve this problem. However, all current real-time monitoring methods require a ready monitoring set, and their monitoring range is strictly limited. They are only effective for the inherent objects within the ready set and ineffective for the random processes. This paper presents real-time monitoring of virtual machine processes (RMVP), a real-time monitoring method to monitor a random process in the TVM. First, the RMVP monitors process switch by capturing the switch of kernel stack base addresses outside the TVM in real time. Then, it extracts raw memory of the current process through the memory mapping technology that adopts caching mechanism and multi-task concurrent execution strategy. Finally, the RMVP translates raw memory into high-level semantics according to a semantic knowledge base constructed offline. The RMVP can monitor random processes in real time and overcome the challenge of process randomness. The experimental results show that the capture rate of the random process is over 95% and the capture delay is in the range of 2.3~3.3 ms. In addition, the RMVP is especially effective for detecting the processes hidden by rootkits.

Details

ISSN :
21693536
Volume :
7
Database :
OpenAIRE
Journal :
IEEE Access
Accession number :
edsair.doi.dedup.....b34e76b62e4988f74b76f12f4b5f3393