Fluorescence: Detecting Kernel-Resident Malware in Clouds

Kernel-resident malware remains a significant threat. An effective way to detect such malware is to examine the kernel memory of many similar (virtual) machines, as one might find in an enterprise network or cloud, in search of anomalies: i.e., the relatively rare infected hosts within a large population of healthy hosts. It is challenging, however, to compare the kernel memories of different hosts against each other. Previous work has relied on knowledge of specific kernels—e.g., the locations of important variables and the layouts of key data structures—to cross the “semantic gap” and allow kernels to be compared. As a result, those previous systems work only with the kernels they were built for, and they make assumptions about the malware being searched for. We present a new approach to detecting kernel-resident malware within a “herd” of similar virtual machines. Our approach uses limited knowledge of the kernels under examination—e.g., the location of the page global directory and the processor’s instruction set—to concisely fingerprint each kernel. It uses no kernel-specific semantics to compare the fingerprints and find those that represent anomalous hosts. We implement our method in a tool called Fluorescence and demonstrate its ability to identify Linux and Windows hosts infected with real-world, kernel-resident malware. Fluorescence can examine a herd of 200 virtual machines with Linux guests in about an hour.
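To make the herd idea concrete, the following is an added example, not Fluorescence's own code or its actual fingerprinting method. It assumes a deliberately simple scheme: each host's kernel text is fingerprinted as a per-page content hash (the only kernel knowledge assumed is the page size), fingerprints are compared with a semantics-free Jaccard distance, and a host is flagged when too few other hosts in the herd lie within a small distance of it (a density-style neighbor count). The herd of 12 hosts, the benign per-host drift on one page, and the three modified pages on the infected host are all constructed inline.

```python
import hashlib
from collections import Counter

PAGE_SIZE = 4096  # small-page size on x86-64; the one ISA-level assumption made here


def make_page(label: str) -> bytes:
    """Deterministic pseudo-random page content for the constructed herd (not real kernel text)."""
    digest = hashlib.sha256(label.encode()).digest()
    return digest * (PAGE_SIZE // len(digest))


def fingerprint(kernel_image: bytes, page_size: int = PAGE_SIZE) -> dict:
    """Fingerprint = {page index: hash of page contents}.

    No symbol addresses or data-structure layouts are used, so the same code
    works for any guest whose kernel text can be read page by page.
    """
    return {
        off // page_size: hashlib.sha256(kernel_image[off:off + page_size]).hexdigest()
        for off in range(0, len(kernel_image), page_size)
    }


def jaccard_distance(fp_a: dict, fp_b: dict) -> float:
    """Semantics-free distance between two fingerprints over their (index, hash) pairs."""
    a, b = set(fp_a.items()), set(fp_b.items())
    union = a | b
    return 0.0 if not union else 1.0 - len(a & b) / len(union)


def find_anomalies(fingerprints: dict, eps: float = 0.05, min_neighbors=None) -> dict:
    """Flag hosts with fewer than min_neighbors herd members within distance eps.

    Returns {host: [page indices whose hash differs from the herd consensus]}.
    The consensus is simply the most common hash per page across the herd.
    """
    hosts = list(fingerprints)
    if min_neighbors is None:
        min_neighbors = len(hosts) // 2

    all_indices = set().union(*(fp.keys() for fp in fingerprints.values()))
    consensus = {
        idx: Counter(fp.get(idx) for fp in fingerprints.values()).most_common(1)[0][0]
        for idx in all_indices
    }

    anomalies = {}
    for host in hosts:
        neighbors = sum(
            1
            for other in hosts
            if other != host
            and jaccard_distance(fingerprints[host], fingerprints[other]) <= eps
        )
        if neighbors < min_neighbors:
            anomalies[host] = sorted(
                idx for idx, h in fingerprints[host].items() if h != consensus.get(idx)
            )
    return anomalies


def build_herd(n_hosts: int = 12, n_pages: int = 64) -> dict:
    """Constructed herd: identical kernels, one host with benign drift, one with modified pages."""
    base = [make_page(f"kernel-text-{i}") for i in range(n_pages)]
    herd = {}
    for k in range(n_hosts):
        pages = list(base)
        if k == 7:
            # legitimate per-host variation (e.g. a boot-time patched page); must NOT be flagged
            pages[40] = make_page("benign-boot-time-patch")
        if k == 11:
            # simulated in-memory code modification on three pages; SHOULD be flagged
            for idx in (3, 17, 33):
                pages[idx] = make_page(f"modified-{idx}")
        herd[f"vm-{k:02d}"] = fingerprint(b"".join(pages))
    return herd


if __name__ == "__main__":
    herd = build_herd()
    for host, pages in find_anomalies(herd).items():
        print(f"{host}: pages differing from herd consensus -> {pages}")
```

With 64 pages, one benign differing page yields a distance of 2/65 (about 0.03) to the rest of the herd, so vm-07 stays inside `eps`, while three modified pages yield 6/67 (about 0.09) and leave vm-11 with no neighbors. The threshold therefore has to be chosen relative to the expected benign drift in the population; a fixed `eps` that works for one herd size and page count will not transfer unchanged to another.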
