A VMM (virtual machine monitor) based system provides useful inspection and interposition of the guest OS. With proper modification of the guest OS, we can obtain event-driven memory snapshots for malicious code forensics. In this paper we propose asynchronous memory snapshot and forensics using a split kernel module. Our split kernel module handles virtualized interruptions, which report malicious faults, illegal system calls and file accesses. On the frontend, we insert the virtualized interruption into the source code of the MAC (mandatory access control) module, the fault handler and a gcc extension. The backend kernel module then receives the asynchronous incident notification. In the experiment, we take a RAM snapshot of an LKM-rootkit installation using a system call extension. Frequently appearing n-grams are extracted by weighted resolution in order to find the memory blocks used by the LKM-rootkit. The proposed system can detect unknown malware (malicious software) whose name is not matched by a signature. A...
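An added example (not code from the paper) of the n-gram step described above: it counts byte n-grams in a constructed RAM snapshot, optionally discards those already present in a pre-event baseline snapshot, weights the most frequent ones and ranks fixed-size memory blocks by that weight. The block size, n-gram length, weighting scheme and the planted pattern are all assumptions, since the abstract does not define its "weighted resolution".

```python
from collections import Counter
import random

BLOCK_SIZE = 64  # assumed block granularity for scoring (not specified in the abstract)
N = 4            # byte n-gram length (assumption)

def ngram_counts(data: bytes, n: int = N) -> Counter:
    """Count every overlapping byte n-gram in a snapshot."""
    return Counter(data[i:i + n] for i in range(len(data) - n + 1))

def frequent_ngrams(data: bytes, n: int = N, top: int = 8, baseline: bytes = b"") -> dict:
    """Map the `top` most frequent n-grams of `data` to a weight in (0, 1].
    Weight = count / peak count (this weighting is an assumption). N-grams already
    present in an optional pre-event `baseline` snapshot are discarded, so only
    material introduced by the event (e.g. an LKM load) is kept."""
    counts = ngram_counts(data, n)
    if baseline:
        known = ngram_counts(baseline, n)
        counts = Counter({g: c for g, c in counts.items() if g not in known})
    top_items = counts.most_common(top)
    if not top_items:
        return {}
    peak = top_items[0][1]
    return {g: c / peak for g, c in top_items}

def score_blocks(data: bytes, weights: dict, block_size: int = BLOCK_SIZE, n: int = N) -> list:
    """Score each block by the weighted count of frequent n-grams it contains.
    Returns [(block_index, score), ...] sorted best-first."""
    scores = []
    for off in range(0, len(data), block_size):
        block = data[off:off + block_size]
        s = sum(weights.get(block[i:i + n], 0.0) for i in range(len(block) - n + 1))
        scores.append((off // block_size, round(s, 3)))
    return sorted(scores, key=lambda t: t[1], reverse=True)

def build_snapshot(plant: bool) -> bytes:
    """Constructed 16-block snapshot: deterministic pseudo-random filler, with a
    repetitive pattern (constructed, not a real rootkit signature) planted in
    blocks 5 and 11 when `plant` is True. plant=False serves as the pre-event baseline."""
    rng = random.Random(7)
    blocks = [bytes(rng.randrange(256) for _ in range(BLOCK_SIZE)) for _ in range(16)]
    if plant:
        pattern = b"\xaa\xbb\xcc\xdd" * 8 + b"\x11\x22" * 16  # exactly 64 bytes
        blocks[5] = blocks[11] = pattern
    return b"".join(blocks)

if __name__ == "__main__":
    post = build_snapshot(plant=True)
    weights = frequent_ngrams(post, baseline=build_snapshot(plant=False))
    for idx, score in score_blocks(post, weights)[:3]:
        print(f"block {idx:2d} score {score}")
```

Blocks 5 and 11 rank first with identical scores; every filler block scores well below 1.0 because its n-grams never reach the frequent set.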