1. Technical Field
The present invention generally relates to technology for monitoring an executable file in a virtual machine and, more particularly, to an apparatus and method for monitoring a virtual machine based on a hypervisor, which can monitor an executable file in the virtual machine using a hypervisor or a virtual host as the basis of trust in a virtualization environment.
2. Description of the Related Art
In a virtualization environment, in order to monitor an executable file and collect malicious files based on a virtual host, monitoring has conventionally been performed by installing a security agent in the host Operating System (OS) kernel or in a user area. That is, methods such as monitoring the invocation of system calls related to the execution of an executable file through the security agent, or monitoring the input/output of a block device and collecting malicious code from a specific path as evidence when an event occurs, may be used.
However, in the above example, since such a security agent or security program operates with the same authority as the malicious code, there is a disadvantage in that the malicious code may interfere with the monitoring task of the security program, or may even terminate it. Further, since malicious code frequently conceals itself or deletes itself at the very moment it is executed in order to hide its own existence, it is difficult to collect the main body of the malicious code, which is required to investigate incidents.
Since a hypervisor in this virtualization environment has higher authority than the guest Operating System (OS) of a virtual machine, it can serve as the basis of trust that enables a security task to be performed without being influenced by malicious code in the virtual machine.
Therefore, new virtual machine monitoring technology is urgently required that monitors an executable file in a virtual machine from a hypervisor area or a virtualization host area, which has higher authority than the virtual machine, and that is capable of automatically collecting, as evidence and within a short period of time, the main body of a malicious file or a related file required for the investigation and analysis of infringement incidents.
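As an added illustration (a constructed model, not the apparatus described in this application), the following Python simulates the privilege asymmetry discussed above: an in-guest agent running at the same privilege as the malicious code can be terminated before the executable runs, whereas a hypervisor-side monitor survives and copies the file body at the execution event, before the file deletes itself. The ring values, paths and sample body are placeholders.

```python
"""Constructed model of the two monitoring designs discussed above.
Rings are ordered so that a lower number means higher privilege; the
values are placeholders, not real x86 ring numbers."""
import hashlib

GUEST_RING = 0        # guest kernel: where both the in-guest agent and the malware run
HYPERVISOR_RING = -1  # strictly more privileged than anything inside the guest

SAMPLE_BODY = b"MZ constructed sample dropper body"  # constructed, not a real file

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

class Guest:
    def __init__(self):
        self.disk = {}       # path -> bytes, stands in for the guest's block device
        self.monitors = {}   # name -> (ring, evidence store: sha256 -> (path, body))

    def register(self, name, ring):
        self.monitors[name] = (ring, {})

    def kill(self, actor_ring, name):
        """A process can only terminate a target at the same or lower privilege."""
        ring, _ = self.monitors[name]
        if actor_ring <= ring:
            del self.monitors[name]
            return True
        return False

    def exec_file(self, path):
        """Execution event: every surviving monitor sees it and copies the file
        body into its evidence store before control returns to the guest."""
        body = self.disk[path]
        for _, store in self.monitors.values():
            store[sha256_hex(body)] = (path, body)

def run_scenario():
    g = Guest()
    g.register("in_guest_agent", GUEST_RING)
    g.register("hypervisor_monitor", HYPERVISOR_RING)
    g.disk["/tmp/dropper"] = SAMPLE_BODY
    # Malware at guest privilege first tries to stop both monitors, then runs
    # and immediately removes its own file from the disk.
    killed = {n: g.kill(GUEST_RING, n) for n in list(g.monitors)}
    g.exec_file("/tmp/dropper")
    del g.disk["/tmp/dropper"]
    evidence = {n: sorted(store) for n, (_, store) in g.monitors.items()}
    return killed, evidence

if __name__ == "__main__":
    print(run_scenario())
```

Only the hypervisor-side store ends up holding the hash and body of the deleted file, which is the evidence an in-guest agent cannot reliably produce.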