Abstract
In computer systems, ensuring the integrity of the kernel is important because attacks against the kernel allow an adversary to obtain the highest privilege within a compromised system. For this task, an external monitor typically performs memory introspection and verifies the integrity of kernel data by checking whether certain integrity specifications hold. In the past, these specifications were commonly written by hand. However, as adversaries turned to attacking systems through non-control kernel data, the need arose to verify non-control kernel data as well, which is unfortunately nontrivial to do manually. Acknowledging this, Baliga et al. (Computer Security Applications Conference, 2008. ACSAC 2008. Annual. IEEE, 2008) proposed a framework that leverages machine learning to generate integrity specifications, producing specifications for both control and non-control data across the entire kernel with little human involvement. Unfortunately, the original design of this framework has a problem with regard to its practicality for deployment in real-world systems. In this paper, we propose a new design that accelerates the overall introspection process by virtually eliminating the booting delay required in prior work. To evaluate the effectiveness of our design, we implemented a prototype engine, DADE, and found that it induces a delay of only 68.49 ms with each reboot, 900 ms for an initial scan, and an average of 160 ms for subsequent scans.
References
Arndale Development Board. http://www.arndaleboard.org/wiki/index.php/Main_Page
Baliga A, Ganapathy V, Iftode L (2008) Automatic inference and enforcement of kernel data structure invariants. In: Computer Security Applications Conference, 2008. ACSAC 2008. Annual. IEEE, pp 77–86
Bickford J, Lagar-Cavilla HA, Varshavsky A, Ganapathy V, Iftode L (2011) Security versus energy tradeoffs in host-based mobile malware detection. In: Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services. ACM, pp 225–238
Bonwick J et al (1994) The slab allocator: an object-caching kernel memory allocator. In: USENIX Summer, vol 16. Boston, MA
Bovet DP, Cesati M (2002) Understanding the Linux kernel, 2nd edn. O'Reilly and Associates, Sebastopol, CA
bzip2. http://www.bzip.org/
Carbone M, Cui W, Lu L, Lee W, Peinado M, Jiang X (2009) Mapping kernel objects to enable systematic integrity checking. In: Proceedings of the 16th ACM Conference on Computer and Communications Security. ACM, pp 555–565
Cui W, Peinado M, Xu Z, Chan E (2012) Tracking rootkit footprints with a practical memory analysis system. In: USENIX Security Symposium, pp 601–615
Dall C, Nieh J (2014) KVM/ARM: the design and implementation of the linux ARM hypervisor. In: Proceedings of the 19th International Conference on Architectural Support for Programming Languages and Operating Systems. ACM, pp 333–348
Dolan-Gavitt B, Srivastava A, Traynor P, Giffin J (2009) Robust signatures for kernel data structures. In: Proceedings of the 16th ACM Conference on Computer and Communications Security. ACM, pp 566–577
Dolan-Gavitt B, Leek T, Zhivich M, Giffin J, Lee W (2011) Virtuoso: narrowing the semantic gap in virtual machine introspection. In: 2011 IEEE Symposium on Security and Privacy (SP). IEEE, pp 297–312
Ernst MD, Perkins JH, Guo PJ, McCamant S, Pacheco C, Tschantz MS, Xiao C (2007) The Daikon system for dynamic detection of likely invariants. Sci Comput Program 69(1):35–45
Fu Y, Lin Z (2012) Space traveling across VM: automatically bridging the semantic gap in virtual machine introspection via online kernel data redirection. In: 2012 IEEE Symposium on Security and Privacy (SP). IEEE, pp 586–600
Fu Y, Lin Z (2013) Exterior: using a dual-VM based external shell for guest-OS introspection, configuration, and recovery. In: ACM SIGPLAN Notices, vol 48. ACM, pp 97–110
Fiore U, Palmieri F, Castiglione A, De Santis A (2013) Network anomaly detection with the restricted Boltzmann machine. Neurocomputing 122:13–23
GCC, the GNU Compiler Collection. https://gcc.gnu.org/
Hofmann OS, Dunn AM, Kim S, Roy I, Witchel E (2011) Ensuring operating system kernel integrity with OSCK. In: ACM SIGPLAN Notices, vol 46. ACM, pp 279–290
Kernel-based virtual machine. https://www.linux-kvm.org/
Kolosnjaji B, Zarras A, Webster G, Eckert C (2016) Deep learning for classification of malware system call sequences. In: Australasian Joint Conference on Artificial Intelligence. Springer, pp 137–149
Lee H, Moon H, Jang D, Kim K, Lee J, Paek Y, Kang BB (2013) KI-Mon: a hardware-assisted event-triggered monitoring platform for mutable kernel object. In: USENIX Security, pp 511–526
Lin Z, Rhee J, Zhang X, Xu D, Jiang X (2011) Siggraph: brute force scanning of kernel data structure instances using graph-based signatures. In: NDSS
McAfee Labs threats report: May 2015. http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2015.pdf
McVoy LW, Staelin C et al (1996) lmbench: portable tools for performance analysis. In: USENIX Annual Technical Conference. San Diego, CA, pp 279–294
Moon H, Lee H, Lee J, Kim K, Paek Y, Kang BB (2012) Vigilare: toward snoop-based kernel integrity monitor. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security. ACM, pp 28–37
Palmieri F, Fiore U, Castiglione A (2014) A distributed approach to network anomaly detection based on independent component analysis. Concurr Comput Pract Exp 26(5):1113–1129
Pascanu R, Stokes JW, Sanossian H, Marinescu M, Thomas A (2015) Malware classification with recurrent networks. In: 2015 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP). IEEE, pp 1916–1920
Petroni Jr NL, Hicks M (2007) Automated detection of persistent kernel control-flow attacks. In: Proceedings of the 14th ACM Conference on Computer and Communications Security. ACM, pp 103–115
Petroni Jr NL, Fraser T, Molina J, Arbaugh WA (2004) Copilot—a coprocessor-based kernel runtime integrity monitor. In: USENIX Security Symposium. San Diego, pp 179–194
Petroni Jr NL, Fraser T, Walters A, Arbaugh WA (2006) An architecture for specification-based detection of semantic integrity violations in kernel dynamic data. In: USENIX Security
ProFTPD. http://www.proftpd.org/
Rhee J, Riley R, Xu D, Jiang X (2010) Kernel malware analysis with un-tampered and temporal views of dynamic kernel memory. In: Jha S, Sommer R, Kreibich C (eds) Recent Advances in Intrusion Detection: 13th International Symposium, RAID 2010, Ottawa, Ontario, Canada, September 15–17, 2010. Proceedings. Springer, Berlin, Heidelberg, pp 178–197. doi:10.1007/978-3-642-15512-3_10
The SPEC CPU 2006 benchmark suite. http://www.spec.org
Wu R, Chen P, Liu P, Mao B (2014) System call redirection: a practical approach to meeting real-world virtual machine introspection needs. In: 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, pp 574–585
Acknowledgements
This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No. 2016-0-00078, Cloud-based Security Intelligence Technology Development for the Customized Security Service Provisioning), by IITP grant (MSIP 2017-0-01705) and by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT and Future Planning (2017030223). We thank Woomin Hwang from National Security Research Institute and Wonha Choi from Samsung for comments on early drafts of the paper which greatly improved the manuscript.
Cite this article
Yi, H., Cho, Y., Paek, Y. et al. DADE: a fast data anomaly detection engine for kernel integrity monitoring. J Supercomput 75, 4575–4600 (2019). https://doi.org/10.1007/s11227-017-2131-6