磁碟傷害範圍估測機制

Abstract

利用行為比對偵測惡意程式有很高的偵測率。然而觀測行為時，惡意程式仍持續對系統造成傷害，因此在判定惡意程式後，對其造成的傷害進行估測，可以協助管理者修復造成的系統傷害。 在半虛擬化的環境下，我們設計一套傷害範圍估測機制，藉由記錄在虛擬機中程式寫入的檔案路徑以及磁區位置，估測惡意程式造成的傷害範圍。我們修改xen-blkback攔截磁碟寫入的磁區位置，修改Xen hypervisor攔截系統呼叫，將兩者的I/O資訊合併進行傷害範圍估測。

Behavior matching is a malware detection method with high detection rate. However, during the time matching behaviors, the malware is continually making damage. Thus, estimating the damaged area the detected malware made can help administrator relieve the damage. In paravirtualized environment, we design a storage-layer damage estimation mechanism. We estimate the damage that a malware made by using the disk I/O information from guest VM. We modify xen-blkback to intercept raw disk I/O information, and Xen hypervisor to intercept system calls. We combine raw disk information and system call information to estimate damaged area.