KMAG: VMM-level malware detection via kernel data access profiling
暂无分享,去创建一个
Many malware attacks involve kernel data accesses. Existing approaches to data-centric malware analysis monitor memory accesses at binary-level. Binary-level analysis, however, is known to be slow and impractical for real-world systems. In contast, KMAG effectively performs kernel malware analysis at VMM-level. We first generate attack profiles by analyzing accesses to kernel data, and then use the profiles to detect attacks that have the same or similar data access patterns while the system is running. To monitor accesses to kernel data efficiently and transparently, we designed a page-level access detection mechanism built atop the KVM virtualization platform. This mechanism leverages the hardware-supported memory protection to mark the pages of interest as not accessible, and detects the violations to the pages when the corresponding kernel objects are accessed in the guest virtual machine.