grizzly/deneir
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

backup before SnP

Browse source
This commit is contained in:
grizzly 2025-06-05 10:07:53 -04:00
parent 201c62b97d
commit f5712a3a73
13 changed files with 7506 additions and 68 deletions
Download patch file Download diff file Expand all files Collapse all files

592
procver/SnP/images/related_work.svg Normal file
View file

@ -0,0 +1,592 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
width="792.42957mm"
height="259.8837mm"
viewBox="0 0 792.42956 259.88371"
version="1.1"
id="svg5"
inkscape:version="1.4.1 (93de688d07, 2025-03-30)"
xml:space="preserve"
sodipodi:docname="related_work.svg"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns="http://www.w3.org/2000/svg"
xmlns:svg="http://www.w3.org/2000/svg"><sodipodi:namedview
id="namedview7"
pagecolor="#ffffff"
bordercolor="#000000"
borderopacity="1"
inkscape:showpageshadow="0"
inkscape:pageopacity="0"
inkscape:pagecheckerboard="0"
inkscape:deskcolor="#b5b5b5"
inkscape:document-units="mm"
showgrid="false"
inkscape:zoom="2.7891246"
inkscape:cx="1683.6824"
inkscape:cy="281.98812"
inkscape:window-width="1920"
inkscape:window-height="1022"
inkscape:window-x="0"
inkscape:window-y="0"
inkscape:window-maximized="1"
inkscape:current-layer="layer1"><inkscape:page
x="0"
y="0"
width="792.42957"
height="259.8837"
id="page1"
margin="0"
bleed="0" /></sodipodi:namedview><defs
id="defs2"><marker
style="overflow:visible"
id="Dot"
refX="0"
refY="0"
orient="auto"
inkscape:stockid="Dot"
markerWidth="1"
markerHeight="1"
viewBox="0 0 1 1"
inkscape:isstock="true"
inkscape:collect="always"
preserveAspectRatio="xMidYMid"><path
transform="scale(0.5)"
style="fill:context-stroke;fill-rule:evenodd;stroke:none"
d="M 5,0 C 5,2.76 2.76,5 0,5 -2.76,5 -5,2.76 -5,0 c 0,-2.76 2.3,-5 5,-5 2.76,0 5,2.24 5,5 z"
sodipodi:nodetypes="sssss"
id="path17" /></marker><marker
style="overflow:visible"
id="Triangle"
refX="0"
refY="0"
orient="auto-start-reverse"
inkscape:stockid="Triangle arrow"
markerWidth="1"
markerHeight="1"
viewBox="0 0 1 1"
inkscape:isstock="true"
inkscape:collect="always"
preserveAspectRatio="xMidYMid"><path
transform="scale(0.5)"
style="fill:context-stroke;fill-rule:evenodd;stroke:context-stroke;stroke-width:1pt"
d="M 5.77,0 -2.88,5 V -5 Z"
id="path135" /></marker></defs><g
inkscape:label="Layer 1"
inkscape:groupmode="layer"
id="layer1"
transform="translate(224.10697,45.791336)"><circle
style="fill:#e6e6e6;fill-opacity:1;stroke:#000000;stroke-width:1;stroke-linejoin:round;stroke-dasharray:none"
id="path87"
cx="-328.62012"
cy="299.08551"
r="59.431034"
transform="rotate(-135)" /><circle
style="fill:#999999;fill-opacity:1;stroke:#000000;stroke-width:1;stroke-linejoin:round;stroke-dasharray:none"
id="path78"
cx="-336.25137"
cy="291.13647"
r="42.21381"
transform="rotate(-135)" /><path
style="fill:none;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#Triangle)"
d="M -215.89073,87.23208 H 286.59341"
id="path1"
sodipodi:nodetypes="cc" /><text
xml:space="preserve"
style="font-size:3.88056px;line-height:1.25;font-family:'Monaspace Neon Var';-inkscape-font-specification:'Monaspace Neon Var';letter-spacing:-0.291042px;word-spacing:0px;stroke-width:0.264583"
x="327.862"
y="71.679672"
id="text36"><tspan
sodipodi:role="line"
style="stroke-width:0.264583"
x="327.862"
y="71.679672"
id="tspan37" /></text><path
id="path3"
style="color:#000000;fill:#000000;-inkscape-stroke:none"
d="m -147.72485,67.47964 v 15.777332 c -1.83131,0.128657 -3.28145,1.657668 -3.28145,3.521228 0,1.94765 1.5834,3.53157 3.53105,3.53157 1.94765,0 3.53156,-1.58392 3.53156,-3.53157 0,-1.86356 -1.45014,-3.392571 -3.28145,-3.521228 V 67.47964 Z m 0.2496,16.267224 c 1.67743,0 3.03134,1.353906 3.03134,3.031336 0,1.67743 -1.35391,3.03134 -3.03134,3.03134 -1.67743,0 -3.03082,-1.35391 -3.03082,-3.03134 0,-1.67743 1.35339,-3.031336 3.03082,-3.031336 z" /><text
xml:space="preserve"
style="font-size:3.88056px;line-height:1.25;font-family:'Monaspace Neon Var';-inkscape-font-specification:'Monaspace Neon Var';letter-spacing:-0.291042px;word-spacing:0px;stroke-width:0.264583"
x="-151.82608"
y="66.915802"
id="text50"><tspan
id="tspan50"
style="stroke-width:0.264583"
x="-151.82608"
y="66.915802"
sodipodi:role="line">1969</tspan></text><rect
style="fill:#cccccc;fill-opacity:1;stroke:#1a1a1a;stroke-width:0.577775;stroke-dasharray:none;stroke-opacity:1"
id="rect50"
width="56.265244"
height="25.585007"
x="-173.95004"
y="37.277485"
ry="1.3401735" /><text
xml:space="preserve"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:2.11667px;line-height:1.25;font-family:'Adwaita Mono';-inkscape-font-specification:'Adwaita Mono';letter-spacing:-0.291042px;word-spacing:0px;white-space:pre;inline-size:54.6704;display:inline;stroke-width:0.264583"
x="190.02438"
y="196.82707"
id="text81"
transform="translate(-362.699,-146.55585)"><tspan
x="190.02438"
y="196.82707"
id="tspan44">Invented the term &quot;Covert Channel&quot;.
</tspan><tspan
x="190.02438"
y="199.47292"
id="tspan45">This is though of in the case of programms </tspan><tspan
x="190.02438"
y="202.11876"
id="tspan46">communicating on the same machine. It is the early days </tspan><tspan
x="190.02438"
y="204.7646"
id="tspan47">of the idea of covert channels in computer science.</tspan></text><rect
style="fill:#ffc6a0;fill-opacity:1;stroke:#ff6803;stroke-width:0.577775;stroke-dasharray:none;stroke-opacity:1"
id="rect81"
width="56.26524"
height="10.447671"
x="-173.95004"
y="37.277485"
ry="1.3401735" /><text
xml:space="preserve"
style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:3.88056px;line-height:1.25;font-family:'Adwaita Mono';-inkscape-font-specification:'Adwaita Mono Bold';letter-spacing:-0.291042px;word-spacing:0px;white-space:pre;inline-size:88.3485;display:inline;stroke-width:0.264583"
x="320.76639"
y="166.06209"
id="text82"
transform="matrix(0.72076737,0,0,0.72076737,-402.47872,-76.749177)"><tspan
x="320.76639"
y="166.06209"
id="tspan48">A note on the confinement problem</tspan></text><text
xml:space="preserve"
style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:16.9333px;line-height:21.059px;font-family:'Adwaita Mono';-inkscape-font-specification:'Adwaita Mono Bold';text-align:center;letter-spacing:0px;writing-mode:lr-tb;direction:ltr;text-anchor:middle;fill:#000000;stroke:none;stroke-width:0.746001;stroke-linecap:round;stroke-linejoin:round"
x="-184.64418"
y="-28.716087"
id="text83"><tspan
sodipodi:role="line"
id="tspan83"
style="stroke:none;stroke-width:0.746"
x="-184.64418"
y="-28.716087">General</tspan></text><text
xml:space="preserve"
style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:16.9333px;line-height:21.059px;font-family:'Adwaita Mono';-inkscape-font-specification:'Adwaita Mono Bold';text-align:start;letter-spacing:0px;writing-mode:lr-tb;direction:ltr;text-anchor:start;fill:#000000;stroke:none;stroke-width:0.746001;stroke-linecap:round;stroke-linejoin:round"
x="-220.59908"
y="210.33742"
id="text84"><tspan
sodipodi:role="line"
id="tspan84"
style="text-align:start;text-anchor:start;stroke:none;stroke-width:0.746"
x="-220.59908"
y="210.33742">Specific</tspan></text><path
id="path84"
style="color:#000000;fill:#000000;-inkscape-stroke:none"
d="M 202.50751,106.54263 V 90.76529 c -1.83131,-0.12865 -3.28145,-1.65766 -3.28145,-3.52122 0,-1.94765 1.5834,-3.531573 3.53105,-3.531573 1.94765,0 3.53156,1.583923 3.53156,3.531573 0,1.86356 -1.45014,3.39257 -3.28145,3.52122 v 15.77734 z m 0.2496,-16.26723 c 1.67743,0 3.03134,-1.3539 3.03134,-3.03133 0,-1.67743 -1.35391,-3.031343 -3.03134,-3.031343 -1.67743,0 -3.03082,1.353913 -3.03082,3.031343 0,1.67743 1.35339,3.03133 3.03082,3.03133 z" /><text
xml:space="preserve"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.88056px;line-height:1.25;font-family:'Adwaita Mono';-inkscape-font-specification:'Adwaita Mono';letter-spacing:-0.291042px;word-spacing:0px;stroke-width:0.264583"
x="198.40628"
y="110.24815"
id="text85"><tspan
id="tspan85"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:'Adwaita Mono';-inkscape-font-specification:'Adwaita Mono';stroke-width:0.264583"
x="198.40628"
y="110.24815"
sodipodi:role="line">2008</tspan></text><rect
style="fill:#cccccc;fill-opacity:1;stroke:#1a1a1a;stroke-width:0.577775;stroke-dasharray:none;stroke-opacity:1"
id="rect85"
width="56.265244"
height="90.850403"
x="176.28232"
y="111.3315"
ry="1.3401735" /><rect
style="fill:#ffc6a0;fill-opacity:1;stroke:#ff6803;stroke-width:0.577775;stroke-dasharray:none;stroke-opacity:1"
id="rect90"
width="59.49057"
height="11.870605"
x="174.66965"
y="111.3315"
ry="1.3401735" /><text
xml:space="preserve"
style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:3.88056px;line-height:1.25;font-family:'Adwaita Mono';-inkscape-font-specification:'Adwaita Mono Bold';letter-spacing:-0.291042px;word-spacing:0px;white-space:pre;inline-size:78.7407;display:inline;stroke-width:0.264583"
x="320.76639"
y="166.06209"
id="text91"
transform="matrix(0.72076737,0,0,0.72076737,-54.807652,-4.4026833)"><tspan
x="320.76639"
y="166.06209"
id="tspan49">Implicit Detection of Hidden Processes </tspan><tspan
x="320.76639"
y="170.91278"
id="tspan51">with aFeather-Weight Hardware-Assisted </tspan><tspan
x="320.76639"
y="175.76347"
id="tspan52">Virtual Machine Monitor</tspan></text><path
id="path93"
style="color:#000000;fill:#000000;-inkscape-stroke:none"
d="M -6.7755952,106.54263 V 90.76529 c -1.83131,-0.12865 -3.2814498,-1.65766 -3.2814498,-3.52122 0,-1.94765 1.5833998,-3.531573 3.5310498,-3.531573 1.94765,0 3.53156,1.583923 3.53156,3.531573 0,1.86356 -1.45014,3.39257 -3.28145,3.52122 v 15.77734 z m 0.2496,-16.26723 c 1.67743,0 3.03134,-1.3539 3.03134,-3.03133 0,-1.67743 -1.35391,-3.031343 -3.03134,-3.031343 -1.67743,0 -3.03082,1.353913 -3.03082,3.031343 0,1.67743 1.35339,3.03133 3.03082,3.03133 z" /><text
xml:space="preserve"
style="font-size:3.88056px;line-height:1.25;font-family:'Monaspace Neon Var';-inkscape-font-specification:'Monaspace Neon Var';letter-spacing:-0.291042px;word-spacing:0px;stroke-width:0.264583"
x="-10.876826"
y="110.24815"
id="text94"><tspan
id="tspan94"
style="stroke-width:0.264583"
x="-10.876826"
y="110.24815"
sodipodi:role="line">1969</tspan></text><rect
style="fill:#cccccc;fill-opacity:1;stroke:#1a1a1a;stroke-width:0.577775;stroke-dasharray:none;stroke-opacity:1"
id="rect94"
width="56.265244"
height="25.585007"
x="-33.00079"
y="111.3315"
ry="1.3401735" /><rect
style="fill:#ffc6a0;fill-opacity:1;stroke:#ff6803;stroke-width:0.577775;stroke-dasharray:none;stroke-opacity:1"
id="rect95"
width="56.265244"
height="11.870608"
x="-33.00079"
y="111.3315"
ry="1.3401735" /><text
xml:space="preserve"
style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:3.88056px;line-height:1.25;font-family:'Adwaita Mono';-inkscape-font-specification:'Adwaita Mono Bold';letter-spacing:-0.291042px;word-spacing:0px;white-space:pre;inline-size:78.7407;display:inline;stroke-width:0.264583"
x="320.76639"
y="166.06209"
id="text97"
transform="matrix(0.72076737,0,0,0.72076737,-262.9524,-4.4026833)"><tspan
x="320.76639"
y="166.06209"
id="tspan53">Microsoft / Kaspersky Reports on </tspan><tspan
x="320.76639"
y="170.91278"
id="tspan54">rootkits</tspan></text><text
xml:space="preserve"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:2.11667px;line-height:1.25;font-family:'Adwaita Mono';-inkscape-font-specification:'Adwaita Mono';letter-spacing:-0.291042px;word-spacing:0px;white-space:pre;inline-size:54.6704;display:inline;stroke-width:0.264583"
x="190.02438"
y="196.82707"
id="text101"
transform="translate(-12.552264,-70.087023)"><tspan
x="190.02438"
y="196.82707"
id="tspan55">- Their solution affect the performance. Yes it is only </tspan><tspan
x="190.02438"
y="199.47292"
id="tspan56">~5% but it is still a performance loss. Our solution </tspan><tspan
x="190.02438"
y="202.11876"
id="tspan57">cannot affect the performance because the data </tspan><tspan
x="190.02438"
y="204.7646"
id="tspan58">collection and analysis is separated.
</tspan><tspan
x="190.02438"
y="207.41045"
id="tspan59">- They claim to support &quot;Dynamic OS migration&quot; which </tspan><tspan
x="190.02438"
y="210.05629"
id="tspan60">means the solution can be applied to an existing </tspan><tspan
x="190.02438"
y="212.70213"
id="tspan61">running VM without restarting/recreating it. We also </tspan><tspan
x="190.02438"
y="215.34798"
id="tspan62">have that and it seems like a desirable property so </tspan><tspan
x="190.02438"
y="217.99382"
id="tspan63">let's mention it.
</tspan><tspan
x="190.02438"
y="220.63967"
id="tspan64">- They provide &quot;non-bypassable interfaces&quot; as a way for </tspan><tspan
x="190.02438"
y="223.28551"
id="tspan65">the OS to communicate with the monitoring system and </tspan><tspan
x="190.02438"
y="225.93135"
id="tspan66">retrieve the True Process List. They apparently use </tspan><tspan
x="190.02438"
y="228.5772"
id="tspan67">very low level mechanisms specific to Intel processor </tspan><tspan
x="190.02438"
y="231.22304"
id="tspan68">to establish this communication but I am not sure what </tspan><tspan
x="190.02438"
y="233.86888"
id="tspan69">makes them completely &quot;non-bypassable&quot;.
</tspan><tspan
x="190.02438"
y="236.51473"
id="tspan70">- They have a more comprehensive evaluation of the </tspan><tspan
x="190.02438"
y="239.16057"
id="tspan71">detection performances compared with other softwares. </tspan><tspan
x="190.02438"
y="241.80641"
id="tspan73">However the same comparison would be unfaire to ProcVer </tspan><tspan
x="190.02438"
y="244.45226"
id="tspan74">because its achievement lies in the fact that it is </tspan><tspan
x="190.02438"
y="247.0981"
id="tspan75">completely remote from the OS and the fact that it </tspan><tspan
x="190.02438"
y="249.74394"
id="tspan82">should work the same on known malwares and zero-days </tspan><tspan
x="190.02438"
y="252.38979"
id="tspan86">attacks. Moreover, it is an additional layer of </tspan><tspan
x="190.02438"
y="255.03563"
id="tspan87">defense, not a silver bullet.
</tspan><tspan
x="190.02438"
y="257.68147"
id="tspan88">- Their solution is very hardware specific in the sense </tspan><tspan
x="190.02438"
y="260.3273"
id="tspan89">that it is designed for a processor model/family/</tspan><tspan
x="190.02438"
y="262.97315"
id="tspan90">manufacturer and would require significant rework to be </tspan><tspan
x="190.02438"
y="265.61899"
id="tspan91">ported to another hardware. Our solution is hardware </tspan><tspan
x="190.02438"
y="268.26483"
id="tspan92">specific for training but hardware agnostic in its </tspan><tspan
x="190.02438"
y="270.91068"
id="tspan93">design and capabilities.</tspan></text><path
id="path101"
style="color:#000000;fill:#000000;-inkscape-stroke:none"
d="M 136.23453,106.54263 V 90.76529 c -1.83131,-0.12865 -3.28145,-1.65766 -3.28145,-3.52122 0,-1.94765 1.5834,-3.531573 3.53105,-3.531573 1.94765,0 3.53156,1.583923 3.53156,3.531573 0,1.86356 -1.45014,3.39257 -3.28145,3.52122 v 15.77734 z m 0.2496,-16.26723 c 1.67743,0 3.03134,-1.3539 3.03134,-3.03133 0,-1.67743 -1.35391,-3.031343 -3.03134,-3.031343 -1.67743,0 -3.03082,1.353913 -3.03082,3.031343 0,1.67743 1.35339,3.03133 3.03082,3.03133 z" /><text
xml:space="preserve"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.88056px;line-height:1.25;font-family:'Adwaita Mono';-inkscape-font-specification:'Adwaita Mono';letter-spacing:-0.291042px;word-spacing:0px;stroke-width:0.264583"
x="132.1333"
y="110.24815"
id="text102"><tspan
id="tspan101"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:'Adwaita Mono';-inkscape-font-specification:'Adwaita Mono';stroke-width:0.264583"
x="132.1333"
y="110.24815"
sodipodi:role="line">2005</tspan></text><rect
style="fill:#cccccc;fill-opacity:1;stroke:#1a1a1a;stroke-width:0.577775;stroke-dasharray:none;stroke-opacity:1"
id="rect102"
width="56.667709"
height="41.683708"
x="110.00934"
y="111.3315"
ry="1.3401735" /><rect
style="fill:#ffc6a0;fill-opacity:1;stroke:#ff6803;stroke-width:0.577775;stroke-dasharray:none;stroke-opacity:1"
id="rect103"
width="59.49057"
height="11.870605"
x="108.39667"
y="111.3315"
ry="1.3401735" /><text
xml:space="preserve"
style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:3.88056px;line-height:1.25;font-family:'Adwaita Mono';-inkscape-font-specification:'Adwaita Mono Bold';letter-spacing:-0.291042px;word-spacing:0px;white-space:pre;inline-size:78.7407;display:inline;stroke-width:0.264583"
x="320.76639"
y="166.06209"
id="text105"
transform="matrix(0.72076737,0,0,0.72076737,-121.08064,-4.4026833)"><tspan
x="320.76639"
y="166.06209"
id="tspan95">Detecting Stealth Software with </tspan><tspan
x="320.76639"
y="170.91278"
id="tspan96">Strider GhostBuster</tspan></text><text
xml:space="preserve"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:2.11667px;line-height:1.25;font-family:'Adwaita Mono';-inkscape-font-specification:'Adwaita Mono';letter-spacing:-0.291042px;word-spacing:0px;white-space:pre;inline-size:54.6704;display:inline;stroke-width:0.264583"
x="190.02438"
y="196.82707"
id="text106"
transform="translate(-78.825247,-54.909023)" /><text
xml:space="preserve"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:2.11667px;line-height:1.25;font-family:'Adwaita Mono';-inkscape-font-specification:'Adwaita Mono';letter-spacing:-0.291042px;word-spacing:0px;white-space:pre;inline-size:54.6704;display:inline;stroke-width:0.264583"
x="190.02438"
y="196.82707"
id="text72"
transform="translate(-79.14574,-70.087023)"><tspan
x="190.02438"
y="196.82707"
id="tspan97">- Their solution relies on the comparison of two </tspan><tspan
x="190.02438"
y="199.47292"
id="tspan98">snapshot made at the same time using two different </tspan><tspan
x="190.02438"
y="202.11876"
id="tspan99">mechanism, assuming one goes through the hidden malware </tspan><tspan
x="190.02438"
y="204.7646"
id="tspan100">and one does not. The method is called cross-view diff.
</tspan><tspan
x="190.02438"
y="207.41045"
id="tspan102">- In a sense, there is a parallel to be drawn between </tspan><tspan
x="190.02438"
y="210.05629"
id="tspan103">their approach an mine. I also doo a cross-view diff of </tspan><tspan
x="190.02438"
y="212.70213"
id="tspan104">the state ofthe machine but one of my view is the power </tspan><tspan
x="190.02438"
y="215.34798"
id="tspan105">and the other one is the process list.
</tspan><tspan
x="190.02438"
y="217.99382"
id="tspan106">- Our method only exposes CPU-consuming malware. The </tspan><tspan
x="190.02438"
y="220.63967"
id="tspan107">file-hiding malware are invisible to us.</tspan></text><path
id="path72"
style="color:#000000;fill:#000000;-inkscape-stroke:none"
d="m 185.43665,67.933517 v 15.77734 c -1.83131,0.12865 -3.28145,1.657663 -3.28145,3.521223 0,1.94765 1.5834,3.53157 3.53105,3.53157 1.94765,0 3.53156,-1.58392 3.53156,-3.53157 0,-1.86356 -1.45014,-3.392573 -3.28145,-3.521223 v -15.77734 z m 0.2496,16.26723 c 1.67743,0 3.03134,1.353903 3.03134,3.031333 0,1.67743 -1.35391,3.03134 -3.03134,3.03134 -1.67743,0 -3.03082,-1.35391 -3.03082,-3.03134 0,-1.67743 1.35339,-3.031333 3.03082,-3.031333 z" /><text
xml:space="preserve"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.88056px;line-height:1.25;font-family:'Adwaita Mono';-inkscape-font-specification:'Adwaita Mono';letter-spacing:-0.291042px;word-spacing:0px;stroke-width:0.264583"
x="181.33542"
y="67.18058"
id="text73"><tspan
id="tspan72"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:'Adwaita Mono';-inkscape-font-specification:'Adwaita Mono';stroke-width:0.264583"
x="181.33542"
y="67.18058"
sodipodi:role="line">2005</tspan></text><rect
style="fill:#cccccc;fill-opacity:1;stroke:#1a1a1a;stroke-width:0.577775;stroke-dasharray:none;stroke-opacity:1"
id="rect73"
width="56.667709"
height="41.683708"
x="159.21146"
y="20.624043"
ry="1.3401735" /><rect
style="fill:#ffc6a0;fill-opacity:1;stroke:#ff6803;stroke-width:0.577775;stroke-dasharray:none;stroke-opacity:1"
id="rect74"
width="59.49057"
height="15.626968"
x="157.59879"
y="16.86768"
ry="1.3401735" /><text
xml:space="preserve"
style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:3.88056px;line-height:1.25;font-family:'Adwaita Mono';-inkscape-font-specification:'Adwaita Mono Bold';letter-spacing:-0.291042px;word-spacing:0px;white-space:pre;inline-size:78.7407;display:inline;stroke-width:0.264583"
x="320.76639"
y="166.06209"
id="text75"
transform="matrix(0.72076737,0,0,0.72076737,-71.878518,-99.356979)"><tspan
x="320.76639"
y="166.06209"
id="tspan108">Stealthy Malware Detection Through </tspan><tspan
x="320.76639"
y="170.91278"
id="tspan109">VMM-BasedS“Out-of-the-Box” Semantic </tspan><tspan
x="320.76639"
y="175.76347"
id="tspan110">View Reconstructiontealthy Malware </tspan><tspan
x="320.76639"
y="180.61416"
id="tspan111">Detection Through VMM-Based</tspan></text><text
xml:space="preserve"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:2.11667px;line-height:1.25;font-family:'Adwaita Mono';-inkscape-font-specification:'Adwaita Mono';letter-spacing:-0.291042px;word-spacing:0px;white-space:pre;inline-size:54.6704;display:inline;stroke-width:0.264583"
x="190.02438"
y="196.82707"
id="text76"
transform="translate(-29.943618,-160.79447)"><tspan
x="190.02438"
y="196.82707"
id="tspan112">Important paper in the field. Lots of citation.
</tspan><tspan
x="190.02438"
y="199.47292"
id="tspan113">
</tspan><tspan
x="190.02438"
y="202.11876"
id="tspan114">- They claim to have a method that is &quot;Out-of-the-Box&quot; </tspan><tspan
x="190.02438"
y="204.7646"
id="tspan115">opposit to the host-based methods. This follows the </tspan><tspan
x="190.02438"
y="207.41045"
id="tspan116">same idea that we have for independance but we take it </tspan><tspan
x="190.02438"
y="210.05629"
id="tspan117">one step further, making it &quot;out-of-the-case/rack&quot; for </tspan><tspan
x="190.02438"
y="212.70213"
id="tspan118">complete and undeniable independence. Their method only </tspan><tspan
x="190.02438"
y="215.34798"
id="tspan119">work on VM because there is a place between the VM and </tspan><tspan
x="190.02438"
y="217.99382"
id="tspan120">the hardware to install their detector. Our method is </tspan><tspan
x="190.02438"
y="220.63967"
id="tspan121">applicable to any hardware.</tspan></text><circle
style="fill:#cccccc;fill-opacity:1;stroke:#000000;stroke-width:1;stroke-linejoin:round;stroke-dasharray:none"
id="path76"
cx="-404.80991"
cy="185.1604"
r="22.767"
transform="rotate(-150)" /><text
xml:space="preserve"
style="font-size:4.5861px;line-height:5.70346px;font-family:'Adwaita Mono';-inkscape-font-specification:'Adwaita Mono';text-align:start;letter-spacing:0px;writing-mode:lr-tb;direction:ltr;text-anchor:start;fill:#000000;stroke:none;stroke-width:2.1;stroke-linejoin:round"
id="text77"
transform="translate(-1.4757142,-1.8781817)"><textPath
xlink:href="#path76"
id="textPath86"><tspan
id="tspan77"
style="fill:#000000;stroke:none;stroke-width:2.1">Target OS</tspan></textPath></text><text
xml:space="preserve"
style="font-size:4.5861px;line-height:5.70346px;font-family:'Adwaita Mono';-inkscape-font-specification:'Adwaita Mono';text-align:start;letter-spacing:0px;writing-mode:lr-tb;direction:ltr;text-anchor:start;fill:#000000;stroke:none;stroke-width:2.1;stroke-linejoin:round"
x="424.49768"
y="43.393692"
id="text78"><tspan
sodipodi:role="line"
id="tspan78"
style="fill:#000000;stroke:none;stroke-width:2.1"
x="424.49768"
y="43.393692">Host-Based IDS</tspan></text><text
xml:space="preserve"
style="font-size:4.5861px;line-height:5.70346px;font-family:'Adwaita Mono';-inkscape-font-specification:'Adwaita Mono';text-align:start;letter-spacing:0px;writing-mode:lr-tb;direction:ltr;text-anchor:start;fill:#000000;stroke:none;stroke-width:2.1;stroke-linejoin:round"
id="text79"
transform="translate(-2.0123375,-1.2074025)"><textPath
xlink:href="#path78"
id="textPath87"><tspan
id="tspan79"
style="fill:#000000;stroke:none;stroke-width:2.1">Hardware</tspan></textPath></text><text
xml:space="preserve"
style="font-size:4.5861px;line-height:5.70346px;font-family:'Adwaita Mono';-inkscape-font-specification:'Adwaita Mono';text-align:start;letter-spacing:0px;writing-mode:lr-tb;direction:ltr;text-anchor:start;fill:#000000;stroke:none;stroke-width:2.1;stroke-linejoin:round"
x="430.40054"
y="4.8795161"
id="text80"><tspan
sodipodi:role="line"
id="tspan80"
style="fill:#000000;stroke:none;stroke-width:2.1"
x="430.40054"
y="4.8795161">VM Monitors</tspan></text><text
xml:space="preserve"
style="font-size:4.5861px;line-height:5.70346px;font-family:'Adwaita Mono';-inkscape-font-specification:'Adwaita Mono';text-align:start;letter-spacing:0px;writing-mode:lr-tb;direction:ltr;text-anchor:start;fill:#000000;stroke:none;stroke-width:2.1;stroke-linejoin:round"
x="421.81458"
y="-23.579235"
id="text86"><tspan
sodipodi:role="line"
id="tspan81"
style="fill:#000000;stroke:none;stroke-width:2.1"
x="421.81458"
y="-23.579235">Physics-Based IDS</tspan></text><text
xml:space="preserve"
style="font-size:4.5861px;line-height:5.70346px;font-family:'Adwaita Mono';-inkscape-font-specification:'Adwaita Mono';text-align:start;letter-spacing:0px;writing-mode:lr-tb;direction:ltr;text-anchor:start;fill:#000000;stroke:none;stroke-width:2.1;stroke-linejoin:round"
id="text88"
transform="translate(-1.8877159,-1.615455)"><textPath
xlink:href="#path87"
id="textPath88">Server Room</textPath></text><path
style="fill:none;fill-opacity:1;stroke:#ffb37e;stroke-width:1;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;marker-start:url(#Dot)"
d="M 427.02924,4.6755133 C 361.20707,11.587768 304.15054,22.636116 216.62419,24.122327"
id="path88"
sodipodi:nodetypes="cc" /><path
style="fill:none;fill-opacity:1;stroke:#ffb37e;stroke-width:1;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;marker-start:url(#Dot)"
d="M 420.38886,13.497726 C 378.0926,35.018806 321.13093,116.07567 233.60458,117.56189"
id="path89"
sodipodi:nodetypes="cc" /></g></svg>
Side by side

After

Width:  |  Height:  |  Size: 30 KiB