中文摘要：

针对安全攸关的客户机在安全工具发生警报时往往会进行暂停、检测、恢复等操作,而安全工具误报（虚报、漏报）的发生和发现存在延迟,从而对客户机造成可用性影响的问题,提出一种基于虚拟化技术的有效解决方案。在误报发生时,首先正确控制可疑进程行为,避免该进程对系统造成实质性影响。其次记录可疑进程行为,并根据其与系统其他进程的交互行为形成进程间依赖关系。当误报被发现时,以记录的进程行为及进程间依赖关系为依据,对可疑进程及与其存在依赖关系的相关进程采取恢复进程行为、杀死相关进程等措施,使系统快速达到正确运行状态。实验结果表明,所提方案能够在安全工具发生误报时,避免回滚、恢复等操作带来的时间开销,相对于未采取措施的情况,所提方案将误报存在时的处理时间减少20%-50%。所提方案能够有效降低安全工具误报对客户机可用性造成的影响,可应用在安全攸关的客户机所在的云平台之上。

英文摘要：

In terms of the problem that a safety-critical system will be paused, detected and resumed when security tools alert, and the delay between the occurrence and discovery of the false alarms（false positive or false negative） results in an effect on the availability of the guest Operating System（OS）, a scheme based on virtualization was proposed. When a false alarm occurred, the operations of the suspicious application were quarantined correctly to avoid substantial system-wide damages. Then the operations of the suspicious application were logged and application inter-dependency information was generated according to its interactions with other applications. When the false alarm was determined, measures such as resuming the application＇s operations and killing the relevant applications according to the operation logs and inter-dependency information were taken so that the guest OS could reach the correct operating status quickly. The experimental results show that the scheme can reduce the overhead caused by rollback and recovery when a false alarm occurs. Compared to the situation without the proposed scheme, the overhead of handling the false alarm is reduced by 20%-50%. The proposed scheme can effectively reduce the effect of false alarm on the availability of clients, and can be applied in the cloud platform which provides services to safety-critical clients.