
DADE: a fast data anomaly detection engine for kernel integrity monitoring

The Journal of Supercomputing

Abstract

Ensuring the integrity of the kernel is important because attacks on the kernel let an adversary obtain the highest privilege in a compromised system. Typically, an external monitor performs memory introspection and verifies the integrity of kernel data by checking whether certain integrity specifications hold. In the past these specifications were commonly written by hand. However, as adversaries turned to attacking systems through non-control kernel data, it became necessary to verify non-control kernel data as well, which is nontrivial to do manually. Acknowledging this, Baliga et al. (Computer Security Applications Conference, ACSAC 2008, IEEE) proposed a framework that leverages machine learning to generate integrity specifications; it produced specifications for both control and non-control data across the entire kernel with little human involvement. Unfortunately, the original design of this framework has a problem that limits its practicality for deployment in real-world systems. In this paper we propose a new design that accelerates the overall introspection process by virtually eliminating the booting delay required in prior work. To evaluate the effectiveness of our design, we implemented a prototype engine, DADE, and found that it induces a delay of only 68.49 ms at each reboot, 900 ms for an initial scan, and an average of 160 ms for subsequent scans.


Figs. 1–11 (figures omitted in this preview)


References

  1. Arndale Development Board. http://www.arndaleboard.org/wiki/index.php/Main_Page

  2. Baliga A, Ganapathy V, Iftode L (2008) Automatic inference and enforcement of kernel data structure invariants. In: Computer Security Applications Conference, 2008. ACSAC 2008. Annual. IEEE, pp 77–86

  3. Bickford J, Lagar-Cavilla HA, Varshavsky A, Ganapathy V, Iftode L (2011) Security versus energy tradeoffs in host-based mobile malware detection. In: Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services. ACM, pp 225–238

  4. Bonwick J et al (1994) The slab allocator: an object-caching kernel memory allocator. In: USENIX Summer, vol 16. Boston, MA

  5. Bovet DP, Cesati M (2002) Understanding the Linux kernel, 2nd edn. O'Reilly and Associates, Sebastopol, CA

  6. bzip2. http://www.bzip.org/

  7. Carbone M, Cui W, Lu L, Lee W, Peinado M, Jiang X (2009) Mapping kernel objects to enable systematic integrity checking. In: Proceedings of the 16th ACM Conference on Computer and Communications Security. ACM, pp 555–565

  8. Cui W, Peinado M, Xu Z, Chan E (2012) Tracking rootkit footprints with a practical memory analysis system. In: USENIX Security Symposium, pp 601–615

  9. Dall C, Nieh J (2014) KVM/ARM: the design and implementation of the Linux ARM hypervisor. In: Proceedings of the 19th International Conference on Architectural Support for Programming Languages and Operating Systems. ACM, pp 333–348

  10. Dolan-Gavitt B, Srivastava A, Traynor P, Giffin J (2009) Robust signatures for kernel data structures. In: Proceedings of the 16th ACM Conference on Computer and Communications Security. ACM, pp 566–577

  11. Dolan-Gavitt B, Leek T, Zhivich M, Giffin J, Lee W (2011) Virtuoso: narrowing the semantic gap in virtual machine introspection. In: 2011 IEEE Symposium on Security and Privacy (SP). IEEE, pp 297–312

  12. Ernst MD, Perkins JH, Guo PJ, McCamant S, Pacheco C, Tschantz MS, Xiao C (2007) The Daikon system for dynamic detection of likely invariants. Sci Comput Program 69(1):35–45


  13. Fu Y, Lin Z (2012) Space traveling across VM: automatically bridging the semantic gap in virtual machine introspection via online kernel data redirection. In: 2012 IEEE Symposium on Security and Privacy (SP). IEEE, pp 586–600

  14. Fu Y, Lin Z (2013) Exterior: using a dual-VM based external shell for guest-OS introspection, configuration, and recovery. In: ACM SIGPLAN Notices, vol 48. ACM, pp 97–110

  15. Fiore U, Palmieri F, Castiglione A, De Santis A (2013) Network anomaly detection with the restricted Boltzmann machine. Neurocomputing 122:13–23


  16. GCC, the GNU Compiler Collection. https://gcc.gnu.org/

  17. Hofmann OS, Dunn AM, Kim S, Roy I, Witchel E (2011) Ensuring operating system kernel integrity with OSCK. In: ACM SIGPLAN Notices, vol 46. ACM, pp 279–290

  18. Kernel-based virtual machine. https://www.linux-kvm.org/

  19. Kolosnjaji B, Zarras A, Webster G, Eckert C (2016) Deep learning for classification of malware system call sequences. In: Australasian Joint Conference on Artificial Intelligence. Springer, pp 137–149

  20. Lee H, Moon H, Jang D, Kim K, Lee J, Paek Y, Kang BB (2013) KI-Mon: a hardware-assisted event-triggered monitoring platform for mutable kernel object. In: USENIX Security, pp 511–526

  21. Lin Z, Rhee J, Zhang X, Xu D, Jiang X (2011) Siggraph: brute force scanning of kernel data structure instances using graph-based signatures. In: NDSS

  22. McAfee Labs Threats Report: May 2015. http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2015.pdf

  23. McVoy LW, Staelin C et al (1996) lmbench: portable tools for performance analysis. In: USENIX Annual Technical Conference. San Diego, CA, pp 279–294

  24. Moon H, Lee H, Lee J, Kim K, Paek Y, Kang BB (2012) Vigilare: toward snoop-based kernel integrity monitor. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security. ACM, pp 28–37

  25. Palmieri F, Fiore U, Castiglione A (2014) A distributed approach to network anomaly detection based on independent component analysis. Concurr Comput Pract Exp 26(5):1113–1129

  26. Pascanu R, Stokes JW, Sanossian H, Marinescu M, Thomas A (2015) Malware classification with recurrent networks. In: 2015 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP). IEEE, pp 1916–1920

  27. Petroni NL Jr, Hicks M (2007) Automated detection of persistent kernel control-flow attacks. In: Proceedings of the 14th ACM Conference on Computer and Communications Security. ACM, pp 103–115

  28. Petroni NL Jr, Fraser T, Molina J, Arbaugh WA (2004) Copilot: a coprocessor-based kernel runtime integrity monitor. In: USENIX Security Symposium. San Diego, pp 179–194

  29. Petroni NL Jr, Fraser T, Walters A, Arbaugh WA (2006) An architecture for specification-based detection of semantic integrity violations in kernel dynamic data. In: USENIX Security

  30. ProFTPD. http://www.proftpd.org/

  31. Rhee J, Riley R, Xu D, Jiang X (2010) Kernel malware analysis with un-tampered and temporal views of dynamic kernel memory. In: Jha S, Sommer R, Kreibich C (eds) Recent Advances in Intrusion Detection: 13th International Symposium, RAID 2010, Ottawa, Ontario, Canada, September 15–17, 2010. Proceedings. Springer, Berlin, Heidelberg, pp 178–197. doi:10.1007/978-3-642-15512-3_10

  32. The SPEC CPU 2006 benchmark suite. http://www.spec.org

  33. Wu R, Chen P, Liu P, Mao B (2014) System call redirection: a practical approach to meeting real-world virtual machine introspection needs. In: 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, pp 574–585


Acknowledgements

This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No. 2016-0-00078, Cloud-based Security Intelligence Technology Development for the Customized Security Service Provisioning), by IITP grant (MSIP 2017-0-01705) and by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT and Future Planning (2017030223). We thank Woomin Hwang from National Security Research Institute and Wonha Choi from Samsung for comments on early drafts of the paper which greatly improved the manuscript.

Author information

Corresponding author

Correspondence to Kwangman Ko.


About this article


Cite this article

Yi, H., Cho, Y., Paek, Y. et al. DADE: a fast data anomaly detection engine for kernel integrity monitoring. J Supercomput 75, 4575–4600 (2019). https://doi.org/10.1007/s11227-017-2131-6
