Data-Centric OS Kernel Malware Characterization


Detailed description

Bibliographic details
Published in: IEEE transactions on information forensics and security 2014-01, Vol.9 (1), p.72-87
Main authors: Junghwan Rhee, Riley, Ryan, Zhiqiang Lin, Xuxian Jiang, Dongyan Xu
Format: Article
Language: eng
Subjects:
Online access: Order full text
container_end_page 87
container_issue 1
container_start_page 72
container_title IEEE transactions on information forensics and security
container_volume 9
creator Junghwan Rhee
Riley, Ryan
Zhiqiang Lin
Xuxian Jiang
Dongyan Xu
description Traditional malware detection and analysis approaches have been focusing on code-centric aspects of malicious programs, such as detection of the injection of malicious code or matching malicious code sequences. However, modern malware has been employing advanced strategies, such as reusing legitimate code or obfuscating malware code to circumvent the detection. As a new perspective to complement code-centric approaches, we propose a data-centric OS kernel malware characterization architecture that detects and characterizes malware attacks based on the properties of data objects manipulated during the attacks. This framework consists of two system components with novel features: First, a runtime kernel object mapping system which has an un-tampered view of kernel data objects resistant to manipulation by malware. This view is effective at detecting a class of malware that hides dynamic data objects. Second, this framework consists of a new kernel malware detection approach that generates malware signatures based on the data access patterns specific to malware attacks. This approach has an extended coverage that detects not only the malware with the signatures, but also the malware variants that share the attack patterns by modeling the low level data access behaviors as signatures. Our experiments against a variety of real-world kernel rootkits demonstrate the effectiveness of data-centric malware signatures.
doi_str_mv 10.1109/TIFS.2013.2291964
format Article
fullrecord <record><control><sourceid>proquest_RIE</sourceid><recordid>TN_cdi_proquest_miscellaneous_1671609362</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><ieee_id>6671356</ieee_id><sourcerecordid>1671609362</sourcerecordid><originalsourceid>FETCH-LOGICAL-c399t-a415619469c9ab80d8549b8ba4f152b7a8695937506dfdc42b940e40363e90223</originalsourceid><addsrcrecordid>eNpdkE1Lw0AQhhdRsFZ_gHgJiOAl7c5-JXuU1Gqx0kPreZlsN5iSJnU3RfTXm9DSg6cZmOcdXh5CboGOAKger2bT5YhR4CPGNGglzsgApFSxogzOTzvwS3IVwoZSIUClAzKeYItx5urWlzZaLKM352tXRe9YfaN3UfaJHm3rfPmLbdnU1-SiwCq4m-Mcko_p8yp7jeeLl1n2NI8t17qNUYBUoIXSVmOe0nUqhc7THEUBkuUJpkpLzRNJ1bpYW8FyLagTlCvuNGWMD8nj4e_ON197F1qzLYN1VYW1a_bBgEpAUc1Vj97_QzfN3tddOwNdAaUTKpOOggNlfROCd4XZ-XKL_scANb1C0ys0vUJzVNhlHo6fMVisCo-1LcMpyFJGOedpx90duNI5dzqrriKXiv8BULR2LA</addsrcrecordid><sourcetype>Aggregation Database</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype><pqid>1469697057</pqid></control><display><type>article</type><title>Data-Centric OS Kernel Malware Characterization</title><source>IEEE Electronic Library (IEL)</source><creator>Junghwan Rhee ; Riley, Ryan ; Zhiqiang Lin ; Xuxian Jiang ; Dongyan Xu</creator><creatorcontrib>Junghwan Rhee ; Riley, Ryan ; Zhiqiang Lin ; Xuxian Jiang ; Dongyan Xu</creatorcontrib><description>Traditional malware detection and analysis approaches have been focusing on code-centric aspects of malicious programs, such as detection of the injection of malicious code or matching malicious code sequences. However, modern malware has been employing advanced strategies, such as reusing legitimate code or obfuscating malware code to circumvent the detection. As a new perspective to complement code-centric approaches, we propose a data-centric OS kernel malware characterization architecture that detects and characterizes malware attacks based on the properties of data objects manipulated during the attacks. 
This framework consists of two system components with novel features: First, a runtime kernel object mapping system which has an un-tampered view of kernel data objects resistant to manipulation by malware. This view is effective at detecting a class of malware that hides dynamic data objects. Second, this framework consists of a new kernel malware detection approach that generates malware signatures based on the data access patterns specific to malware attacks. This approach has an extended coverage that detects not only the malware with the signatures, but also the malware variants that share the attack patterns by modeling the low level data access behaviors as signatures. Our experiments against a variety of real-world kernel rootkits demonstrate the effectiveness of data-centric malware signatures.</description><identifier>ISSN: 1556-6013</identifier><identifier>EISSN: 1556-6021</identifier><identifier>DOI: 10.1109/TIFS.2013.2291964</identifier><identifier>CODEN: ITIFA6</identifier><language>eng</language><publisher>New York, NY: IEEE</publisher><subject>Anti-virus software ; Applied sciences ; Computer science; control theory; systems ; Computer viruses ; Data structures ; data-centric malware analysis ; Dynamic scheduling ; Dynamical systems ; Dynamics ; Exact sciences and technology ; Focusing ; Kernel ; Kernels ; Malware ; Memory and file management (including protection and security) ; Memory organisation. Data processing ; Monitoring ; Operating systems ; OS kernel malware characterization ; Resource management ; Runtime ; Signatures ; Software ; Software packages ; Strategy ; virtual machine monitor</subject><ispartof>IEEE transactions on information forensics and security, 2014-01, Vol.9 (1), p.72-87</ispartof><rights>2015 INIST-CNRS</rights><rights>Copyright The Institute of Electrical and Electronics Engineers, Inc. 
(IEEE) Jan 2014</rights><lds50>peer_reviewed</lds50><oa>free_for_read</oa><woscitedreferencessubscribed>false</woscitedreferencessubscribed><citedby>FETCH-LOGICAL-c399t-a415619469c9ab80d8549b8ba4f152b7a8695937506dfdc42b940e40363e90223</citedby><cites>FETCH-LOGICAL-c399t-a415619469c9ab80d8549b8ba4f152b7a8695937506dfdc42b940e40363e90223</cites></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><linktohtml>$$Uhttps://ieeexplore.ieee.org/document/6671356$$EHTML$$P50$$Gieee$$H</linktohtml><link.rule.ids>314,780,784,796,4021,27921,27922,27923,54756</link.rule.ids><linktorsrc>$$Uhttps://ieeexplore.ieee.org/document/6671356$$EView_record_in_IEEE$$FView_record_in_$$GIEEE</linktorsrc><backlink>$$Uhttp://pascal-francis.inist.fr/vibad/index.php?action=getRecordDetail&amp;idt=28203338$$DView record in Pascal Francis$$Hfree_for_read</backlink></links><search><creatorcontrib>Junghwan Rhee</creatorcontrib><creatorcontrib>Riley, Ryan</creatorcontrib><creatorcontrib>Zhiqiang Lin</creatorcontrib><creatorcontrib>Xuxian Jiang</creatorcontrib><creatorcontrib>Dongyan Xu</creatorcontrib><title>Data-Centric OS Kernel Malware Characterization</title><title>IEEE transactions on information forensics and security</title><addtitle>TIFS</addtitle><description>Traditional malware detection and analysis approaches have been focusing on code-centric aspects of malicious programs, such as detection of the injection of malicious code or matching malicious code sequences. However, modern malware has been employing advanced strategies, such as reusing legitimate code or obfuscating malware code to circumvent the detection. As a new perspective to complement code-centric approaches, we propose a data-centric OS kernel malware characterization architecture that detects and characterizes malware attacks based on the properties of data objects manipulated during the attacks. 
This framework consists of two system components with novel features: First, a runtime kernel object mapping system which has an un-tampered view of kernel data objects resistant to manipulation by malware. This view is effective at detecting a class of malware that hides dynamic data objects. Second, this framework consists of a new kernel malware detection approach that generates malware signatures based on the data access patterns specific to malware attacks. This approach has an extended coverage that detects not only the malware with the signatures, but also the malware variants that share the attack patterns by modeling the low level data access behaviors as signatures. Our experiments against a variety of real-world kernel rootkits demonstrate the effectiveness of data-centric malware signatures.</description><subject>Anti-virus software</subject><subject>Applied sciences</subject><subject>Computer science; control theory; systems</subject><subject>Computer viruses</subject><subject>Data structures</subject><subject>data-centric malware analysis</subject><subject>Dynamic scheduling</subject><subject>Dynamical systems</subject><subject>Dynamics</subject><subject>Exact sciences and technology</subject><subject>Focusing</subject><subject>Kernel</subject><subject>Kernels</subject><subject>Malware</subject><subject>Memory and file management (including protection and security)</subject><subject>Memory organisation. 
Data processing</subject><subject>Monitoring</subject><subject>Operating systems</subject><subject>OS kernel malware characterization</subject><subject>Resource management</subject><subject>Runtime</subject><subject>Signatures</subject><subject>Software</subject><subject>Software packages</subject><subject>Strategy</subject><subject>virtual machine monitor</subject><issn>1556-6013</issn><issn>1556-6021</issn><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2014</creationdate><recordtype>article</recordtype><sourceid>RIE</sourceid><recordid>eNpdkE1Lw0AQhhdRsFZ_gHgJiOAl7c5-JXuU1Gqx0kPreZlsN5iSJnU3RfTXm9DSg6cZmOcdXh5CboGOAKger2bT5YhR4CPGNGglzsgApFSxogzOTzvwS3IVwoZSIUClAzKeYItx5urWlzZaLKM352tXRe9YfaN3UfaJHm3rfPmLbdnU1-SiwCq4m-Mcko_p8yp7jeeLl1n2NI8t17qNUYBUoIXSVmOe0nUqhc7THEUBkuUJpkpLzRNJ1bpYW8FyLagTlCvuNGWMD8nj4e_ON197F1qzLYN1VYW1a_bBgEpAUc1Vj97_QzfN3tddOwNdAaUTKpOOggNlfROCd4XZ-XKL_scANb1C0ys0vUJzVNhlHo6fMVisCo-1LcMpyFJGOedpx90duNI5dzqrriKXiv8BULR2LA</recordid><startdate>201401</startdate><enddate>201401</enddate><creator>Junghwan Rhee</creator><creator>Riley, Ryan</creator><creator>Zhiqiang Lin</creator><creator>Xuxian Jiang</creator><creator>Dongyan Xu</creator><general>IEEE</general><general>Institute of Electrical and Electronics Engineers</general><general>The Institute of Electrical and Electronics Engineers, Inc. 
(IEEE)</general><scope>97E</scope><scope>RIA</scope><scope>RIE</scope><scope>IQODW</scope><scope>AAYXX</scope><scope>CITATION</scope><scope>7SC</scope><scope>7SP</scope><scope>7TB</scope><scope>8FD</scope><scope>FR3</scope><scope>JQ2</scope><scope>KR7</scope><scope>L7M</scope><scope>L~C</scope><scope>L~D</scope><scope>F28</scope></search><sort><creationdate>201401</creationdate><title>Data-Centric OS Kernel Malware Characterization</title><author>Junghwan Rhee ; Riley, Ryan ; Zhiqiang Lin ; Xuxian Jiang ; Dongyan Xu</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-c399t-a415619469c9ab80d8549b8ba4f152b7a8695937506dfdc42b940e40363e90223</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2014</creationdate><topic>Anti-virus software</topic><topic>Applied sciences</topic><topic>Computer science; control theory; systems</topic><topic>Computer viruses</topic><topic>Data structures</topic><topic>data-centric malware analysis</topic><topic>Dynamic scheduling</topic><topic>Dynamical systems</topic><topic>Dynamics</topic><topic>Exact sciences and technology</topic><topic>Focusing</topic><topic>Kernel</topic><topic>Kernels</topic><topic>Malware</topic><topic>Memory and file management (including protection and security)</topic><topic>Memory organisation. 
Data processing</topic><topic>Monitoring</topic><topic>Operating systems</topic><topic>OS kernel malware characterization</topic><topic>Resource management</topic><topic>Runtime</topic><topic>Signatures</topic><topic>Software</topic><topic>Software packages</topic><topic>Strategy</topic><topic>virtual machine monitor</topic><toplevel>peer_reviewed</toplevel><toplevel>online_resources</toplevel><creatorcontrib>Junghwan Rhee</creatorcontrib><creatorcontrib>Riley, Ryan</creatorcontrib><creatorcontrib>Zhiqiang Lin</creatorcontrib><creatorcontrib>Xuxian Jiang</creatorcontrib><creatorcontrib>Dongyan Xu</creatorcontrib><collection>IEEE All-Society Periodicals Package (ASPP) 2005-present</collection><collection>IEEE All-Society Periodicals Package (ASPP) 1998-Present</collection><collection>IEEE Electronic Library (IEL)</collection><collection>Pascal-Francis</collection><collection>CrossRef</collection><collection>Computer and Information Systems Abstracts</collection><collection>Electronics &amp; Communications Abstracts</collection><collection>Mechanical &amp; Transportation Engineering Abstracts</collection><collection>Technology Research Database</collection><collection>Engineering Research Database</collection><collection>ProQuest Computer Science Collection</collection><collection>Civil Engineering Abstracts</collection><collection>Advanced Technologies Database with Aerospace</collection><collection>Computer and Information Systems Abstracts – Academic</collection><collection>Computer and Information Systems Abstracts Professional</collection><collection>ANTE: Abstracts in New Technology &amp; Engineering</collection><jtitle>IEEE transactions on information forensics and security</jtitle></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext_linktorsrc</fulltext></delivery><addata><au>Junghwan Rhee</au><au>Riley, Ryan</au><au>Zhiqiang Lin</au><au>Xuxian Jiang</au><au>Dongyan 
Xu</au><format>journal</format><genre>article</genre><ristype>JOUR</ristype><atitle>Data-Centric OS Kernel Malware Characterization</atitle><jtitle>IEEE transactions on information forensics and security</jtitle><stitle>TIFS</stitle><date>2014-01</date><risdate>2014</risdate><volume>9</volume><issue>1</issue><spage>72</spage><epage>87</epage><pages>72-87</pages><issn>1556-6013</issn><eissn>1556-6021</eissn><coden>ITIFA6</coden><abstract>Traditional malware detection and analysis approaches have been focusing on code-centric aspects of malicious programs, such as detection of the injection of malicious code or matching malicious code sequences. However, modern malware has been employing advanced strategies, such as reusing legitimate code or obfuscating malware code to circumvent the detection. As a new perspective to complement code-centric approaches, we propose a data-centric OS kernel malware characterization architecture that detects and characterizes malware attacks based on the properties of data objects manipulated during the attacks. This framework consists of two system components with novel features: First, a runtime kernel object mapping system which has an un-tampered view of kernel data objects resistant to manipulation by malware. This view is effective at detecting a class of malware that hides dynamic data objects. Second, this framework consists of a new kernel malware detection approach that generates malware signatures based on the data access patterns specific to malware attacks. This approach has an extended coverage that detects not only the malware with the signatures, but also the malware variants that share the attack patterns by modeling the low level data access behaviors as signatures. 
Our experiments against a variety of real-world kernel rootkits demonstrate the effectiveness of data-centric malware signatures.</abstract><cop>New York, NY</cop><pub>IEEE</pub><doi>10.1109/TIFS.2013.2291964</doi><tpages>16</tpages><oa>free_for_read</oa></addata></record>
fulltext fulltext_linktorsrc
identifier ISSN: 1556-6013
ispartof IEEE transactions on information forensics and security, 2014-01, Vol.9 (1), p.72-87
issn 1556-6013
1556-6021
language eng
recordid cdi_proquest_miscellaneous_1671609362
source IEEE Electronic Library (IEL)
subjects Anti-virus software
Applied sciences
Computer science
control theory
systems
Computer viruses
Data structures
data-centric malware analysis
Dynamic scheduling
Dynamical systems
Dynamics
Exact sciences and technology
Focusing
Kernel
Kernels
Malware
Memory and file management (including protection and security)
Memory organisation. Data processing
Monitoring
Operating systems
OS kernel malware characterization
Resource management
Runtime
Signatures
Software
Software packages
Strategy
virtual machine monitor
title Data-Centric OS Kernel Malware Characterization
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-14T05%3A52%3A21IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_RIE&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Data-Centric%20OS%20Kernel%20Malware%20Characterization&rft.jtitle=IEEE%20transactions%20on%20information%20forensics%20and%20security&rft.au=Junghwan%20Rhee&rft.date=2014-01&rft.volume=9&rft.issue=1&rft.spage=72&rft.epage=87&rft.pages=72-87&rft.issn=1556-6013&rft.eissn=1556-6021&rft.coden=ITIFA6&rft_id=info:doi/10.1109/TIFS.2013.2291964&rft_dat=%3Cproquest_RIE%3E1671609362%3C/proquest_RIE%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=1469697057&rft_id=info:pmid/&rft_ieee_id=6671356&rfr_iscdi=true