Lightweight Intrusion Detection of Rootkit with VMI-Based Driver Separation Mechanism

  • Cui, Chaoyuan (Institute of Intelligent Machines, Hefei Institutes of Physical Science, Chinese Academy of Sciences, Hefei) ;
  • Wu, Yun (Institute of Applied Technology, Hefei Institutes of Physical Science, Chinese Academy of Sciences, Hefei) ;
  • Li, Yonggang (Institute of Intelligent Machines, Hefei Institutes of Physical Science, Chinese Academy of Sciences, Hefei) ;
  • Sun, Bingyu (Institute of Intelligent Machines, Hefei Institutes of Physical Science, Chinese Academy of Sciences, Hefei)
  • Received : 2016.09.06
  • Accepted : 2017.01.14
  • Published : 2017.03.31

Abstract

Intrusion detection techniques based on virtual machine introspection (VMI) offer much higher tamper resistance than traditional in-host anti-virus tools, because the monitor runs outside the guest that an attacker controls. However, the semantic gap between raw hardware state and guest-level abstractions also causes performance and compatibility problems: to map raw memory bits to meaningful information about the virtual machine (processes, modules, open files), detailed knowledge of each guest OS and kernel build is required. In this work we present VDSM, a lightweight and general approach based on a driver separation mechanism: semantic view reconstruction is divided into an online driver that generates the view and an offline driver that extracts the semantics (the per-guest layout knowledge the online driver consumes). We have developed a prototype of VDSM and used it for rootkit intrusion detection on 13 operating systems. The evaluation results show that VDSM is effective and practical, with a small performance overhead.
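The driver-separation idea in the abstract, as an added Python illustration (this is not the VDSM prototype's code and does not reproduce its implementation): an offline profile supplies the struct layout for a given guest, an online walker reconstructs the process list from a raw memory image using only that profile, and the result is compared against the guest's own process listing, which is the classic VMI cross-view check for hidden processes. Everything here is constructed for the demo and is an assumption, not data from the paper: the two `TaskLayout` profiles and their offsets, the direct-map constant `KERNEL_BASE`, the in-memory image built by `build_image`, the process names, and the guest-side `ps` output with PID 1337 missing.

```python
"""Cross-view hidden-process detection over a constructed guest memory image.

Added illustration of the online/offline split described in the abstract;
not code from the VDSM prototype. All layouts, addresses and process
lists below are invented for the demo.
"""
import struct
from dataclasses import dataclass


# ---- offline driver: per-guest semantics (HYPOTHETICAL layouts) ----------
@dataclass(frozen=True)
class TaskLayout:
    size: int       # sizeof(task_struct) in this guest build
    pid: int        # offset of the int32 pid field
    comm: int       # offset of the 16-byte comm[] name
    tasks_off: int  # offset of the 'tasks' list_head (its .next is the first 8 bytes)


# Stand-ins for what an offline driver would extract from each guest's debug
# info; the numbers are made up and only need to be self-consistent.
PROFILES = {
    "demo-linux-a": TaskLayout(size=64, pid=8, comm=16, tasks_off=32),
    "demo-linux-b": TaskLayout(size=96, pid=40, comm=48, tasks_off=72),
}

# Assumed direct-map: kernel virtual address = physical address + KERNEL_BASE.
# A real online driver would walk the guest page tables instead.
KERNEL_BASE = 0xFFFF_8000_0000_0000


def build_image(layout, procs, init_phys=0x1000):
    """Constructed guest RAM: task_structs laid out back to back, linked in a
    circular list exactly as the offline profile describes them."""
    mem = bytearray(0x10000)
    addrs = [init_phys + i * layout.size for i in range(len(procs))]
    for i, (pid, comm) in enumerate(procs):
        base = addrs[i]
        struct.pack_into("<i", mem, base + layout.pid, pid)
        name = comm.encode()[:16].ljust(16, b"\0")
        mem[base + layout.comm:base + layout.comm + 16] = name
        nxt = addrs[(i + 1) % len(addrs)]  # last entry points back to init_task
        struct.pack_into("<Q", mem, base + layout.tasks_off,
                         KERNEL_BASE + nxt + layout.tasks_off)
    return bytes(mem), KERNEL_BASE + init_phys


# ---- online driver: view generation from raw memory only -----------------
def walk_tasks(mem, init_task_va, layout, max_tasks=4096):
    """Reconstruct (pid, comm) for every task reachable from init_task.
    Bounds every pointer and stops on the first revisited address, so a
    corrupted or attacker-looped list cannot hang or crash the monitor."""
    seen, out, va = set(), [], init_task_va
    while va not in seen:
        if len(out) >= max_tasks:
            raise RuntimeError("task list exceeds max_tasks: looped or corrupted")
        seen.add(va)
        pa = va - KERNEL_BASE
        if pa < 0 or pa + layout.size > len(mem):
            raise RuntimeError(f"task pointer {va:#x} lies outside guest RAM")
        (pid,) = struct.unpack_from("<i", mem, pa + layout.pid)
        raw = mem[pa + layout.comm:pa + layout.comm + 16]
        comm = raw.split(b"\0", 1)[0].decode(errors="replace")
        out.append((pid, comm))
        (next_va,) = struct.unpack_from("<Q", mem, pa + layout.tasks_off)
        va = next_va - layout.tasks_off  # list_head -> enclosing task_struct
    return out


# ---- detection: cross-view comparison ------------------------------------
def hidden_processes(vmi_view, guest_view):
    """PIDs the hypervisor-side view contains but the guest's own listing does
    not. PID 0 (the idle task) never appears in ps, so it is not a finding."""
    guest_pids = {pid for pid, _ in guest_view}
    return sorted((pid, comm) for pid, comm in vmi_view
                  if pid != 0 and pid not in guest_pids)


def demo(os_name="demo-linux-a"):
    layout = PROFILES[os_name]
    procs = [(0, "swapper"), (1, "systemd"), (412, "sshd"),
             (1337, "hidden_proc"), (2048, "bash")]
    mem, init_va = build_image(layout, procs)
    vmi_view = walk_tasks(mem, init_va, layout)
    # Constructed in-guest 'ps' output: a rootkit has hidden PID 1337 from it.
    guest_view = [(1, "systemd"), (412, "sshd"), (2048, "bash")]
    return hidden_processes(vmi_view, guest_view)


if __name__ == "__main__":
    for name in PROFILES:
        print(name, "->", demo(name))
```

Switching the profile name is the whole cost of supporting a second guest, which is the point of keeping semantics extraction offline: the online walker never changes. Two caveats a practitioner should keep in mind: a DKOM rootkit that unlinks its `task_struct` from the `tasks` list is invisible to this particular walk, so real monitors cross-check several independent structures (PID hash tables, scheduler run queues, per-thread signal data), and the bounds and revisit checks in `walk_tasks` matter because the guest memory being parsed is attacker-controlled.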
