
On the Detection of Kernel-Level Rootkits Using Hardware Performance Counters

Published: 02 April 2017

Abstract

Recent work has investigated the use of hardware performance counters (HPCs) for the detection of malware running on a system. These works gather traces of HPCs for a variety of applications (both malicious and non-malicious) and then apply machine learning to train a detector to distinguish between benign applications and malware. In this work, we provide a more comprehensive analysis of the applicability of using machine learning and HPCs for a specific subset of malware: kernel rootkits.
We design five synthetic rootkits, each providing a single piece of rootkit functionality, and execute each while collecting HPC traces of its impact on a specific benchmark application. We then apply machine learning feature selection techniques in order to determine the HPCs most relevant to the detection of these rootkits. We identify 16 HPCs that are useful for the detection of hooking-based rootkits, and also find that rootkits employing direct kernel object manipulation (DKOM) do not significantly impact HPCs. We then use these synthetic rootkit traces to train a detection system capable of detecting new rootkits it has not previously seen with an accuracy of over 99%. Our results indicate that HPCs have the potential to be an effective tool for rootkit detection, even against new rootkits not previously seen by the detector.



Published In

ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security
April 2017
952 pages
ISBN:9781450349444
DOI:10.1145/3052973

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. hardware performance counters
  2. intrusion detection
  3. machine learning
  4. rootkits

Acceptance Rates

ASIA CCS '17 paper acceptance rate: 67 of 359 submissions (19%)
Overall acceptance rate: 418 of 2,322 submissions (18%)

Cited By

  • (2024) IlluminaTEE: Effective Man-At-The-End Attacks from within ARM TrustZone. Proceedings of the 2024 Workshop on Research on offensive and defensive techniques in the context of Man At The End (MATE) attacks, pp. 11-21. DOI 10.1145/3689934.3690838. Online publication date: 19-Nov-2024.
  • (2024) CuMONITOR: Continuous Monitoring of Microarchitecture for Software Task Identification and Classification. Digital Threats: Research and Practice 5(3), pp. 1-22. DOI 10.1145/3652861. Online publication date: 28-Mar-2024.
  • (2024) Cyber Resilience for the Internet of Things: Implementations With Resilience Engines and Attack Classifications. IEEE Transactions on Emerging Topics in Computing 12(2), pp. 583-600. DOI 10.1109/TETC.2022.3231692. Online publication date: Apr-2024.
  • (2024) Redefining Trust: Assessing Reliability of Machine Learning Algorithms in Intrusion Detection Systems. 2024 IEEE International Symposium on Circuits and Systems (ISCAS), pp. 1-5. DOI 10.1109/ISCAS58744.2024.10558202. Online publication date: 19-May-2024.
  • (2024) Special Session: Security and RAS in the Computing Continuum. 2024 IEEE International Symposium on Defect and Fault Tolerance in VLSI and Nanotechnology Systems (DFT), pp. 1-6. DOI 10.1109/DFT63277.2024.10753548. Online publication date: 8-Oct-2024.
  • (2024) Towards Anomaly Detection in Embedded Systems Application Using LLVM Passes. 2024 IEEE 48th Annual Computers, Software, and Applications Conference (COMPSAC), pp. 2448-2453. DOI 10.1109/COMPSAC61105.2024.00393. Online publication date: 2-Jul-2024.
  • (2024) DeepIncept: Diversify Performance Counters with Deep Learning to Detect Malware. 2024 29th Asia and South Pacific Design Automation Conference (ASP-DAC), pp. 362-367. DOI 10.1109/ASP-DAC58780.2024.10473871. Online publication date: 22-Jan-2024.
  • (2024) A Survey on Hardware-Based Malware Detection Approaches. IEEE Access 12, pp. 54115-54128. DOI 10.1109/ACCESS.2024.3388716. Online publication date: 2024.
  • (2024) Multimodal-based abnormal behavior detection method in virtualization environment. Computers & Security 143, article 103908. DOI 10.1016/j.cose.2024.103908. Online publication date: Aug-2024.
  • (2024) CarePlus: A general framework for hardware performance counter based malware detection under system resource competition. Computers & Security 143, article 103884. DOI 10.1016/j.cose.2024.103884. Online publication date: Aug-2024.
