Virtual platform threat behavior analysis method and system based on KNN

A virtual platform and behavior analysis technology, applied in the field of virtual platform threat behavior analysis, which addresses the problem of clue data being deceived by software equipped with counter-forensic techniques, achieves high accuracy and improves analysis efficiency.

Inactive Publication Date: 2019-07-12
电子科技大学成都学院


Problems solved by technology

[0004] The purpose of the present invention is to provide a KNN-based virtual platform threat behavior analysis method and system, which solves the technical problem that current threat behavior analysis technology must be installed as software inside the virtual platform, so that part of the clue data is overwritten and part of it can be deceived by software equipped with counter-forensic techniques.



Examples


Embodiment 1

[0085] This embodiment is used to specifically illustrate the method of the present invention.

[0086] A KNN-based virtual platform threat behavior analysis method, comprising the following steps:

[0087] Step 1: extract the memory data in the virtual platform;

[0088] Step 101: use the vCenter component to remotely log in to the ESXi component of the VMware vSphere virtual platform management server;

[0089] Step 102: the vCenter component suspends the virtual machine through the management server and downloads the virtual machine file with the extension VSMM, that is, the memory data. The virtual machine file with the extension VSMM is an image of the memory data saved at the moment the virtual machine is suspended.

[0090] Step 2: the image file obtained in step 1 preserves the registry, process, thread, file, network connection, driver, import and export table and other information of the virtual platform at that moment. This information is the important source data for threat behavior an...

Embodiment 2

[0113] This embodiment is used to specifically describe the system of the present invention.

[0114] A KNN-based virtual platform threat behavior analysis system, comprising:

[0115] Threat information extraction module: used to find and extract the memory data of the virtual platform, and solidify the memory data;

[0116] Threat data processing module: used to extract the threat source data in the memory data, and obtain the behavior characteristics of the software;

[0117] Threat behavior analysis module: used to identify and restore threat software in the threat source data;

[0118] Threat behavior presentation module: used to present the entire threat behavior analysis process.

[0119] Specifically:

[0120] The threat information extraction module searches for and extracts the image file of the memory data from the virtual platform, downloads the image file without damage through the vCenter component, stores it safely and solidifies it, and performs hash verification ...
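The following Python is an added worked example, not code from the patent or its applicant, that sketches the pipeline described in Embodiments 1 and 2 end to end: hash verification of the downloaded memory image (the "solidifying" step of the extraction module), extraction of a numeric behavior feature vector from a parsed snapshot (the data processing module), a k-nearest-neighbor vote against a labelled clue database (the analysis module), and behavior restoration from the clues of the matching neighbors. The snapshot structure, the feature definitions, the API watchlist, the clue database contents and the distance and voting rules are all constructed assumptions; the patent does not specify them.

```python
"""Added example: memory-image integrity check, feature extraction and a
k-nearest-neighbour (KNN) threat classifier over behaviour features.
All data structures and feature definitions below are constructed
assumptions for illustration, not the patent's own implementation."""
import hashlib
import hmac
import math
from collections import Counter

# --- Extraction module: hash the downloaded image and verify it later -------

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_image(data: bytes, expected_hex: str) -> bool:
    # Compare the hash of the stored copy against the hash recorded at
    # acquisition time; constant-time comparison avoids timing leaks.
    return hmac.compare_digest(sha256_hex(data), expected_hex)

# --- Data processing module: behaviour features from a parsed snapshot ------

# Imports that a feature extractor might count as injection-related
# (constructed watchlist, assumption).
WATCHLIST_IMPORTS = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}
PRIVATE_PREFIXES = ("10.", "192.168.", "127.")

def extract_features(snapshot: dict) -> list:
    """Map a parsed snapshot (assumed layout, see SAMPLE_SNAPSHOT) to a
    fixed-order vector: [orphan processes, unsigned drivers,
    external connections, watchlisted imports]."""
    procs = snapshot["processes"]
    pids = {p["pid"] for p in procs}
    # A process whose parent is absent from the process list is a clue that
    # the parent was hidden or has exited unexpectedly.
    orphans = sum(1 for p in procs if p["ppid"] != 0 and p["ppid"] not in pids)
    unsigned = sum(1 for d in snapshot["drivers"] if not d["signed"])
    external = sum(1 for c in snapshot["connections"]
                   if not c["remote"].startswith(PRIVATE_PREFIXES))
    watched = sum(1 for p in procs for i in p["imports"] if i in WATCHLIST_IMPORTS)
    return [orphans, unsigned, external, watched]

# --- Analysis module: KNN vote against a labelled clue database -------------

# (feature vector, label, recorded behaviour clues) -- constructed entries.
CLUE_DB = [
    ([0, 0, 1, 0], "benign", []),
    ([0, 0, 0, 0], "benign", []),
    ([0, 0, 2, 0], "benign", []),
    ([2, 1, 3, 2], "threat", ["hides process", "loads unsigned driver",
                              "beacons to external host"]),
    ([1, 1, 2, 3], "threat", ["injects into other process",
                              "loads unsigned driver"]),
    ([3, 0, 4, 1], "threat", ["hides process", "beacons to external host"]),
]

def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def knn_classify(vec, db=CLUE_DB, k=3):
    """Return the majority label among the k closest database rows."""
    nearest = sorted(db, key=lambda row: euclid(vec, row[0]))[:k]
    label = Counter(row[1] for row in nearest).most_common(1)[0][0]
    return label, nearest

def analyze(snapshot: dict, k: int = 3) -> dict:
    """Full pipeline: features -> KNN label -> behaviour restoration.
    If no threat is found the algorithm ends with an empty behaviour list."""
    vec = extract_features(snapshot)
    label, nearest = knn_classify(vec, k=k)
    behaviours = []
    if label == "threat":
        # Restore behaviour from the clues of the threat neighbours.
        behaviours = sorted({b for row in nearest if row[1] == "threat"
                             for b in row[2]})
    return {"features": vec, "label": label, "behaviours": behaviours}

# Constructed sample snapshot standing in for the parsed VSMM image.
SAMPLE_SNAPSHOT = {
    "processes": [
        {"pid": 4, "ppid": 0, "name": "System", "imports": []},
        {"pid": 600, "ppid": 4, "name": "svchost.exe", "imports": ["CreateFileW"]},
        {"pid": 1337, "ppid": 9999, "name": "updater.exe",
         "imports": ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]},
    ],
    "drivers": [{"name": "ndis.sys", "signed": True},
                {"name": "xyz.sys", "signed": False}],
    "connections": [{"pid": 1337, "remote": "203.0.113.5:443"},
                    {"pid": 600, "remote": "10.0.0.2:445"},
                    {"pid": 1337, "remote": "198.51.100.7:8080"}],
}

if __name__ == "__main__":
    image = b"constructed memory image bytes"   # stands in for the VSMM file
    recorded = sha256_hex(image)
    print("image intact:", verify_image(image, recorded))
    print(analyze(SAMPLE_SNAPSHOT))
```

With k=3 the sample snapshot yields the vector [1, 1, 2, 3]; its three nearest rows are two threat entries and one benign entry, so the vote is "threat" and the restored behaviour list is the union of the two threat rows' clues. Any modification of the stored image bytes makes `verify_image` return False, which is the point of recording the hash at acquisition time.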


Abstract

The invention discloses a virtual platform threat behavior analysis method and system based on KNN, belonging to the field of network security. The method comprises the steps of: first, extracting memory data from a virtual platform; analyzing the memory data to obtain threat source data; finally, identifying threat software in the threat source data using a K-nearest algorithm, and ending the algorithm if no threat software exists; if threat software exists, completing the behavior restoration of the threat software using a clue database, and ending the algorithm. According to the method, clue data can be collected from outside the VMware vSphere virtual platform, so no clue overwriting occurs inside the virtual platform and the clue data cannot be deceived by the threat software; fully automatic analysis of the threat clues is performed by the K-nearest algorithm, and the analysis efficiency of threat behaviors is improved.

Description

Technical field

[0001] The invention relates to the field of network security, in particular to a KNN-based virtual platform threat behavior analysis method and system.

Background technique

[0002] Existing virtual platform threat analysis is mainly based on two virtual platforms. One is VMware Workstation, a version for personal PCs with limited enterprise application, from which memory file information is extracted; the other is bochs and other virtual platforms that are not commonly used on domestic enterprise servers. In 2011, the document "Key Information Extraction and Analysis Based on Virtual Machine" used bochs virtual machine simulation technology to complete virtual machine evidence data. During the research process, the open-source virtual machine bochs was re-developed; by capturing and identifying the instructions and data during the running of the virtual machine, it analyzed the calling relationship of system modules, memory read-writ...


Application Information

IPC(8): H04L29/06, G06K9/62
CPC: H04L63/1416, G06F18/214
Inventor 杨玲邹倩颖代琪怡陈亦新王淼
Owner 电子科技大学成都学院