Abstract

Provenance of system subjects (e.g., processes) and objects (e.g., files) is very useful for many forensics tasks. In our analysis and comparison of existing Linux provenance tracing systems, we found that most systems assume the Linux kernel to be in the trust base, making these systems vulnerable

Highlights

  • Nowadays, enterprises are suffering from rapidly increasing serious attack threats, especially Advanced Persistent Threat (APT)

  • To validate our experiments results with the ground truth, we have collected 12 kernel malware samples that contain a mix of malicious capabilities found in the wild, including 10 system services hijacking malware, 1 DOH malware, and 1 DKOM malware

  • Before verifying the effectiveness of HProve, we show that kernel malware could bypass Linux audit utilized by state-of-the-art provenance systems like BEEP [24], LogGC [25], and ProTracer [29]


Summary

Introduction

Enterprises are suffering from rapidly increasing serious attack threats, especially Advanced Persistent Threats (APT). APT attacks are stealthier and more sophisticated because they employ multi-step intrusive attacks. This kind of attack can have a disastrous impact on a system if the associated attack vector targets the kernel [1,2,3, 6, 7]. To achieve a malicious goal, the kernel-mode components of malware typically employ hooking or DKOM (Direct Kernel Object Manipulation) strategies [4]. The malware hijacks key functionalities of the operating system, such as the system call table, VFS (Virtual File System) functions, or the IDT (Interrupt Descriptor Table), and redirects them to malicious functions. These components are loaded as LKMs (Loadable Kernel Modules), which run with the same privilege as the kernel. Kernel malware falls into several categories: system service hijacking (e.g., hooking system call table entries or replacing the system call table), dynamic kernel object hooking (KOH, e.g., VFS hooking), and DKOM [36, 40].
