HProve: A Hypervisor Level Provenance System to Reconstruct Attack Story Caused by Kernel Malware

HProve: A Hypervisor Level Provenance System to Reconstruct Attack Story Caused by Kernel Malware

Provenance of system subjects (e.g., processes) and objects (e.g., files) are very useful for many forensics tasks. In our analysis and comparison of existing Linux provenance tracing systems, we found that most systems assume the Linux kernel to be in the trust base, making these systems vulnerable...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:EAI endorsed transactions on security and safety 2019-04, Vol.5 (18), p.157417
Hauptverfasser: Wang, Chonghua, Yin, Libo, Li, Jun, Chen, Xuehong, Yin, Rongchao, Yun, Xiaochun, Jiao, Yang, Hao, Zhiyu
Format: Artikel
Sprache:eng
Schlagworte:
Kernel functions
Linux
Malware
Object recognition
Provenance
Tracing
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:Provenance of system subjects (e.g., processes) and objects (e.g., files) are very useful for many forensics tasks. In our analysis and comparison of existing Linux provenance tracing systems, we found that most systems assume the Linux kernel to be in the trust base, making these systems vulnerable to kernel level malware. To address this problem, we present HProve, a hypervisor level provenance tracing system to reconstruct kernel malware attack story. It monitors the execution of kernel functions and sensitive objects, and correlates the system subjects and objects to form the causality dependencies for the attacks. We evaluated our prototype on 12 real world kernel malware samples, and the results show that it can correctly identify the provenance behaviors of the kernel malware with a minor performance overhead.
ISSN:2032-9393
2032-9393
DOI:10.4108/eai.8-4-2019.157417