RMVP: A Real-Time Method to Monitor Random Processes of Virtual Machine
- Source :
- IEEE Access, Vol 7, Pp 15845-15860 (2019)
- Publication Year :
- 2019
- Publisher :
- Institute of Electrical and Electronics Engineers (IEEE), 2019.
Abstract
- Out-of-box methods provide strict isolation between the security tool and the target virtual machine (TVM), so they have strong anti-jamming abilities. Current monitoring methods are mostly based on memory snapshots taken at a single time point or at a fixed period. Because processes appear at random and such methods observe the TVM only discontinuously, security tools that rely on time-point or fixed-period snapshots to monitor processes may suffer a high leakage rate (processes that start and exit between snapshots are never observed). Real-time monitoring can resolve this problem. However, all current real-time monitoring methods require a ready monitoring set, and their monitoring range is strictly limited: they are effective only for the inherent objects within the ready set and ineffective for random processes. This paper presents real-time monitoring of virtual machine processes (RMVP), a real-time method to monitor a random process in the TVM. First, RMVP detects process switches by capturing changes of the kernel stack base address from outside the TVM in real time. Then, it extracts the raw memory of the current process through a memory mapping technique that adopts a caching mechanism and a multi-task concurrent execution strategy. Finally, RMVP translates the raw memory into high-level semantics according to a semantic knowledge base constructed offline. RMVP can monitor random processes in real time and overcomes the challenge of process randomness. The experimental results show that the capture rate of random processes is over 95% and the capture delay is in the range of 2.3~3.3 ms. In addition, RMVP is especially effective for detecting processes hidden by rootkits.
- Subjects :
- General Computer Science
- Computer science
- Stochastic process
- process detection
- memory mapping
- Real-time computing
- General Engineering
- Rootkit
- Process (computing)
- real-time monitoring
- Virtual machine
- Set (abstract data type)
- Kernel (statistics)
- Snapshot (computer storage)
- General Materials Science
- lcsh:Electrical engineering. Electronics. Nuclear engineering
- Isolation (database systems)
- lcsh:TK1-9971
Details
- ISSN :
- 21693536
- Volume :
- 7
- Database :
- OpenAIRE
- Journal :
- IEEE Access
- Accession number :
- edsair.doi.dedup.....b34e76b62e4988f74b76f12f4b5f3393