A hypervisor level provenance system to reconstruct attack story caused by Kernel Malware

Chonghua Wang, Shiqing Ma, Xiangyu Zhang, Junghwan Rhee, Xiaochun Yun, Zhiyu Hao

Research output: Chapter in Book/Report/Conference proceeding - Conference contribution

2 Scopus citations

Abstract

Provenance of system subjects (e.g., processes) and objects (e.g., files) is very useful for many forensics tasks. In our analysis and comparison of existing Linux provenance tracing systems, we found that most systems assume the Linux kernel to be in the trust base, making these systems vulnerable to kernel-level malware. To address this problem, we present HProve, a hypervisor-level provenance tracing system to reconstruct the attack story of kernel malware. It monitors the execution of kernel functions and sensitive objects, and correlates the system subjects and objects to form the causality dependencies for the attacks. We evaluated our prototype on 12 real-world kernel malware samples, and the results show that it can correctly identify the provenance behaviors of the kernel malware.
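The abstract describes the core idea in one sentence: record which kernel functions execute on which objects, then correlate subjects and objects into causality dependencies that can be walked back from a tampered object to the events that caused it. The block below is an added illustration of that correlation and backward-tracing step, not HProve's code. The event list, the node naming scheme (proc:/mod:/file:), the set of kernel functions treated as hooked, and the timestamps are all constructed assumptions standing in for what a hypervisor monitor would record from guest state. The one point worth noticing is that a loaded module appears as a subject in its own right, so a file written by kernel code with no process context still gets attributed.

```python
"""Provenance-graph construction and backward tracing over hypervisor-observed
kernel events. Added example, not HProve's code: the event list, the node
naming scheme (proc:/mod:/file:) and the kernel-function names treated as
hooked are constructed assumptions for illustration."""
from collections import defaultdict, namedtuple

# One record per trapped kernel function call: who acted, what they called,
# and the object touched. A hypervisor monitor would fill these in from guest
# register/memory state; here they are hand-written sample data.
Event = namedtuple("Event", "ts subject func obj")

# Functions where the subject absorbs information from the object.
INFLOW = {"vfs_read", "mmap_file"}
# Functions where the subject produces or alters the object (or a new subject).
OUTFLOW = {"vfs_write", "do_execve", "load_module", "vfs_unlink"}

SAMPLE_EVENTS = [  # constructed sample data
    Event(1, "proc:bash[1001]",   "do_execve",   "proc:insmod[1002]"),
    Event(2, "proc:insmod[1002]", "vfs_read",    "file:/tmp/rk.ko"),
    Event(3, "proc:insmod[1002]", "load_module", "mod:rk"),
    # Once loaded, the module is itself a subject: kernel code writing files
    # with no process to blame, which an in-kernel audit trail cannot attribute.
    Event(4, "mod:rk",            "vfs_write",   "file:/etc/ld.so.preload"),
    Event(5, "mod:rk",            "vfs_write",   "file:/var/log/auth.log"),
    Event(6, "proc:sshd[900]",    "vfs_read",    "file:/etc/ld.so.preload"),
    Event(7, "proc:cron[500]",    "vfs_write",   "file:/var/log/cron"),
    # Post-hoc cleanup of the module file: later than the load, so it must not
    # show up as a cause of anything the module did.
    Event(8, "proc:bash[1001]",   "vfs_write",   "file:/tmp/rk.ko"),
]


def build_graph(events):
    """Map every node to the (cause, ts, func) triples it depends on."""
    deps = defaultdict(list)
    for e in events:
        if e.func in INFLOW:
            deps[e.subject].append((e.obj, e.ts, e.func))
        elif e.func in OUTFLOW:
            deps[e.obj].append((e.subject, e.ts, e.func))
        else:
            raise ValueError("unclassified kernel function: %s" % e.func)
    return deps


def backward_trace(deps, target, before=float("inf")):
    """Edges (cause, effect, ts, func) causally upstream of `target`.

    A dependency edge into a node only counts if it happened before the
    moment that node in turn affected something downstream, so bound[node]
    is the latest time at which node's state still mattered."""
    edges = set()
    bound = {target: before}
    work = [target]
    while work:
        node = work.pop()
        for cause, ts, func in deps.get(node, ()):
            if ts >= bound[node]:
                continue                   # too late to have caused `node`
            edges.add((cause, node, ts, func))
            if ts > bound.get(cause, -1):  # widen cause's window and revisit
                bound[cause] = ts
                work.append(cause)
    return sorted(edges, key=lambda x: x[2])


def attack_story(events, target):
    """Human-readable causal chain ending at `target`, oldest step first."""
    return ["t=%d %s --%s--> %s" % (ts, c, f, e)
            for c, e, ts, f in backward_trace(build_graph(events), target)]


if __name__ == "__main__":
    for line in attack_story(SAMPLE_EVENTS, "file:/etc/ld.so.preload"):
        print(line)
```

Run stand-alone, the script prints a four-step chain from the interactive shell, through insmod reading and loading the module, to the module's write of /etc/ld.so.preload; the unrelated cron write, the downstream sshd read, and the later overwrite of the module file are all excluded by the direction and time constraints.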

Original language: English (US)
Title of host publication: Security and Privacy in Communication Networks - 13th International Conference, SecureComm 2017, Proceedings
Editors: Ali Ghorbani, Xiaodong Lin, Kui Ren, Sencun Zhu, Aiqing Zhang
Publisher: Springer Verlag
Pages: 778-792
Number of pages: 15
ISBN (Print): 9783319788128
DOI: 10.1007/978-3-319-78813-5_42
State: Published - Jan 1 2018
Externally published: Yes
Event: 13th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2017 - [state] ON, Canada
Duration: Oct 22 2017 - Oct 25 2017

Publication series

Name: Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
Volume: 238
ISSN (Print): 1867-8211

Conference

Conference: 13th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2017
Country: Canada
City: [state] ON
Period: 10/22/17 - 10/25/17

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications

Keywords

  • Forensic investigation
  • Kernel malware
  • Provenance tracing


Cite this

Wang, C., Ma, S., Zhang, X., Rhee, J., Yun, X., & Hao, Z. (2018). A hypervisor level provenance system to reconstruct attack story caused by Kernel Malware. In A. Ghorbani, X. Lin, K. Ren, S. Zhu, & A. Zhang (Eds.), Security and Privacy in Communication Networks - 13th International Conference, SecureComm 2017, Proceedings (pp. 778-792). (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST; Vol. 238). Springer Verlag. https://doi.org/10.1007/978-3-319-78813-5_42