Venue: International Conference on Information Security and Privacy

A visualization of anomaly memory behavior of full-virtualized Windows OS using virtual machine introspection


Abstract

Nowadays, applications on Windows OS have become more sophisticated, and the complexity of their behavior has increased accordingly. Large-scale applications generate vast volumes of traffic and logs that are hard to understand within a short time, which imposes a great burden on administrators. Visualization could be one of the solutions to this problem. In this paper we propose a visualization technique for anomalous memory behavior of a fully virtualized Windows OS using virtual machine introspection. The proposed system has been implemented in three steps: (1) modification of the Windows OS by inserting a library and a filter driver, (2) modification of the debug register handler of the virtual machine monitor, and (3) deployment of a visualization tool on the host OS. We generate the sequence of memory behavior using virtual machine introspection: on the guest Windows OS side we intercept memory API calls, and the virtual machine monitor then generates the sequence and transfers it to the host OS. To demonstrate the visualization produced by the proposed system, we deal with two popular security issues: BoF (buffer overflow) based shellcode execution and P2P network applications. We have successfully detected the incidents of BoF-based shellcode execution and visualized the memory state transitions of a P2P application. We conclude that visualization is an effective way to discover and detect anomalous memory behavior caused by BoF-based shellcode execution and P2P application usage.
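The abstract describes a pipeline in which memory API calls intercepted in the guest are turned into a sequence of memory-state transitions, which is then rendered on the host and checked for anomalies. The following is an added example and not the paper's code: it replays a constructed, hypothetical trace of intercepted memory-API events (a `LoadImage`/`VirtualAlloc`/`VirtualProtect`/`Exec` line format, a subset of the Windows `PAGE_*` constants, and an `Exec` event standing in for a control transfer caught by the VMM's debug-register trap), tracks per-region protection state, renders the transitions as text, and flags the pattern a BoF-based shellcode typically produces: a region that was allocated writable being made executable and then executed from. The event format and the detection heuristic are assumptions chosen for illustration; the abstract does not state the paper's own event format or detection criteria.

```python
"""Added example (not the paper's code): replay a constructed trace of
intercepted guest memory-API events, track per-region protection state,
render the state transitions, and flag execution from writable regions."""
import re
from dataclasses import dataclass, field

# Assumed subset of the Windows PAGE_* protection constants.
PROT = {
    "PAGE_NOACCESS": 0x01, "PAGE_READONLY": 0x02, "PAGE_READWRITE": 0x04,
    "PAGE_EXECUTE": 0x10, "PAGE_EXECUTE_READ": 0x20,
    "PAGE_EXECUTE_READWRITE": 0x40,
}
WRITABLE = {0x04, 0x40}
EXECUTABLE = {0x10, 0x20, 0x40}

@dataclass
class Region:
    base: int
    size: int
    prot: int
    origin: str                                   # "image" (module) or "alloc" (VirtualAlloc)
    history: list = field(default_factory=list)   # protection states seen so far

    def contains(self, addr):
        return self.base <= addr < self.base + self.size

EVENT_RE = re.compile(r"^(\w+)\s+(.*)$")

def state_name(prot):
    w, x = prot in WRITABLE, prot in EXECUTABLE
    return {(False, False): "R", (True, False): "RW",
            (False, True): "RX", (True, True): "RWX"}[(w, x)]

def parse_events(text):
    """Parse hypothetical 'API key=value ...' lines into dicts.
    Hex values become ints; PAGE_* names become their flag values."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = {"api": m.group(1)}
        for kv in m.group(2).split():
            k, v = kv.split("=", 1)
            ev[k] = int(v, 16) if v.startswith("0x") else PROT.get(v, v)
        events.append(ev)
    return events

def analyze(events):
    """Return (transitions, anomalies). A transition is
    (api, address, old_state, new_state); an anomaly is a text description."""
    regions, transitions, anomalies = [], [], []

    def find(addr):
        return next((r for r in regions if r.contains(addr)), None)

    for ev in events:
        api = ev["api"]
        if api in ("LoadImage", "VirtualAlloc"):
            r = Region(ev["addr"], ev["size"], ev["prot"],
                       "image" if api == "LoadImage" else "alloc")
            r.history.append(state_name(r.prot))
            regions.append(r)
            transitions.append((api, r.base, None, state_name(r.prot)))
        elif api == "VirtualProtect":
            r = find(ev["addr"])
            if r is None:
                anomalies.append(f"VirtualProtect on untracked address {ev['addr']:#x}")
                continue
            old, new = state_name(r.prot), state_name(ev["prot"])
            r.prot = ev["prot"]
            r.history.append(new)
            transitions.append((api, r.base, old, new))
            # Heuristic: a non-image region that was writable becoming executable.
            if (r.origin == "alloc" and r.prot in EXECUTABLE
                    and any(h in ("RW", "RWX") for h in r.history[:-1])):
                anomalies.append(f"writable region {r.base:#x} made executable ({old}->{new})")
        elif api == "Exec":  # control transfer observed by the VMM (assumed event)
            r = find(ev["addr"])
            if r is None:
                anomalies.append(f"execution at {ev['addr']:#x} outside any tracked region")
            elif r.origin != "image":
                anomalies.append(f"execution at {ev['addr']:#x} in {r.origin} region "
                                 f"{r.base:#x} ({state_name(r.prot)})")
            transitions.append((api, ev["addr"], None, "EXEC"))
    return transitions, anomalies

def render(transitions):
    """Text form of the state-transition sequence (stand-in for the visualization)."""
    return [f"{api:<15}{addr:#010x}  {old or '-':>4} -> {new}"
            for api, addr, old, new in transitions]

# Constructed trace: image load, RW heap allocation, RW->RWX flip, execution in it.
SAMPLE_TRACE = """
LoadImage      addr=0x00400000 size=0x10000 prot=PAGE_EXECUTE_READ
VirtualAlloc   addr=0x00A00000 size=0x1000  prot=PAGE_READWRITE
VirtualProtect addr=0x00A00000 size=0x1000  prot=PAGE_EXECUTE_READWRITE
Exec           addr=0x00A00040
Exec           addr=0x00401000
"""

if __name__ == "__main__":
    transitions, anomalies = analyze(parse_events(SAMPLE_TRACE))
    print("\n".join(render(transitions)))
    for a in anomalies:
        print("ANOMALY:", a)
```

Run against the constructed trace, the RW-to-RWX flip of the heap region and the subsequent execution inside it are reported, while execution inside the loaded image is not.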
