Lightweight Kernel Control Flow Anomaly Detection Method

Abstract: Existing virtual machine introspection (VMI) techniques struggle to achieve both completeness and efficiency when detecting control flow anomalies. To address this, a lightweight kernel control flow anomaly detection method named HyperCache is proposed. By installing dedicated detection code together with a cache of target addresses, the jump targets of indirect function calls can be checked dynamically for compliance inside the kernel itself. This allows most of the security checking to proceed without trapping into the virtual machine monitor, which greatly reduces the performance overhead caused by mode switching. The method detects a control flow anomaly before a rootkit jumps to malicious code, and adds only about 4%~10% performance overhead to native Linux.
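An added illustration, not the paper's code, of the fast-path/slow-path split the abstract describes: a small user-space C model in which an indirect call's target is checked against a cache of already-approved addresses, and only a cache miss consults the simulated hypervisor whitelist, so repeated calls to known-good targets never leave the "kernel". The function names, the handlers and the whitelist are assumed for the illustration; the cache uses simple fill without eviction.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added model of the HyperCache idea (not the paper's implementation):
 * the "kernel" checks indirect-call targets against a small cache of
 * approved addresses; only a miss traps to the "hypervisor", which holds
 * the authoritative whitelist. Most calls therefore avoid a mode switch. */

typedef int (*handler_t)(int);

#define CACHE_SLOTS 8
static uintptr_t target_cache[CACHE_SLOTS];   /* approved targets (fast path) */
static size_t cache_len;
static unsigned long vmm_consults;            /* simulated VM exits */
static unsigned long anomalies;               /* rejected indirect calls */

/* Legitimate handlers the hypervisor-side policy knows about (constructed). */
int legit_read(int x)  { return x + 1; }
int legit_write(int x) { return x * 2; }
static const handler_t whitelist[] = { legit_read, legit_write };

/* A function outside the policy, standing in for a hooked pointer target. */
int rogue_handler(int x) { return x; }

/* Slow path: simulate trapping to the VMM to validate an unknown target. */
static int vmm_validate(uintptr_t target) {
    vmm_consults++;
    for (size_t i = 0; i < sizeof whitelist / sizeof whitelist[0]; i++)
        if ((uintptr_t)whitelist[i] == target) return 1;
    return 0;
}

/* Fast path: cache lookup; fall back to the VMM only on a miss. */
int target_allowed(uintptr_t target) {
    for (size_t i = 0; i < cache_len; i++)
        if (target_cache[i] == target) return 1;
    if (!vmm_validate(target)) { anomalies++; return 0; }
    if (cache_len < CACHE_SLOTS) target_cache[cache_len++] = target;
    return 1;
}

/* Checked indirect call: refuse to jump to an unapproved address. */
int checked_call(handler_t fp, int arg, int *ok) {
    if (!target_allowed((uintptr_t)fp)) { *ok = 0; return -1; }
    *ok = 1;
    return fp(arg);
}

unsigned long vmm_consult_count(void) { return vmm_consults; }
unsigned long anomaly_count(void)     { return anomalies; }
```

Two calls through `legit_read` cost one simulated VM exit, while a call through `rogue_handler` is rejected before the jump and counted as an anomaly.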
