In-Execution Malware Detection Using Task Structures of Linux Processes

In this paper, we present a novel framework that uses the information in the kernel structures of a process to perform run-time analysis of the behavior of an executing program. Our analysis shows that classifying a process as malicious or benign using the information in its kernel structures is not only very accurate but also has very low processing overhead; as a result, this lightweight framework can be incorporated within the operating system kernel. To provide a proof of concept of our thesis, we design and implement our system as a kernel module in Linux. We perform time series analysis of 118 parameters of Linux task structures and pre-process them to arrive at a minimal feature set of 11 features. Our analysis shows that these features have remarkably different values for benign and malicious processes; as a result, a number of classifiers operating on these features provide 93% detection accuracy with a 0% false alarm rate within 100 milliseconds. Last but not least, we argue that it is very difficult for a crafty attacker to evade these low-level, system-specific features.
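The pipeline the abstract describes (sample a process's kernel task-structure fields over time, reduce them to a small feature vector, hand that vector to a classifier) can be illustrated in user space. The following is an added example and not the paper's code: the paper samples `task_struct` from inside a kernel module, whereas this script reads the same kind of fields from the `/proc/[pid]/stat` mirror documented in proc(5). The field numbers are the real ones from that man page; the feature definitions (rate mean/variance for monotonic counters, mean/max for gauges), the 25 ms sampling interval and the five sample lines are constructed for the example and are not the paper's 11 features.

```python
"""Added example: a per-process feature vector from a time series of
/proc/[pid]/stat snapshots, standing in for the kernel task_struct sampling
described in the paper. Field numbers follow proc(5); everything else
(feature definitions, interval, sample lines) is constructed here."""
from statistics import mean, pvariance

# 1-indexed field numbers from /proc/[pid]/stat, as documented in proc(5).
COUNTERS = {"minflt": 10, "majflt": 12, "utime": 14, "stime": 15}  # monotonic
GAUGES = {"num_threads": 20, "vsize": 23, "rss": 24}                # point-in-time


def parse_stat(line):
    """Parse one /proc/[pid]/stat line into a dict of the fields used here.

    comm (field 2) is wrapped in parentheses and may itself contain spaces or
    parentheses, so the line is split at the *last* ')' rather than on spaces.
    """
    open_idx = line.index("(")
    close_idx = line.rindex(")")
    rest = line[close_idx + 1:].split()  # rest[0] is field 3 (state)
    snap = {
        "pid": int(line[:open_idx]),
        "comm": line[open_idx + 1:close_idx],
        "state": rest[0],
    }
    for name, field_no in {**COUNTERS, **GAUGES}.items():
        snap[name] = int(rest[field_no - 3])
    return snap


def extract_features(lines, interval_ms):
    """Build a feature vector from successive stat lines sampled interval_ms apart.

    Counters become per-second rates (mean and population variance over the
    window); gauges contribute mean and max. A PID reused by a different
    program inside the window, or a counter that went backwards, invalidates
    the window rather than silently producing a misleading vector.
    """
    snaps = [parse_stat(line) for line in lines]
    if len(snaps) < 2:
        raise ValueError("need at least two samples to form a time series")
    first = snaps[0]
    for s in snaps[1:]:
        if (s["pid"], s["comm"]) != (first["pid"], first["comm"]):
            raise ValueError("pid reused by a different program inside the window")

    features = {}
    for name in COUNTERS:
        deltas = [b[name] - a[name] for a, b in zip(snaps, snaps[1:])]
        if any(d < 0 for d in deltas):
            raise ValueError(f"counter {name} decreased; discarding window")
        rates = [d * 1000 / interval_ms for d in deltas]  # events per second
        features[f"{name}_rate_mean"] = mean(rates)
        features[f"{name}_rate_var"] = pvariance(rates)
    for name in GAUGES:
        values = [s[name] for s in snaps]
        features[f"{name}_mean"] = mean(values)
        features[f"{name}_max"] = max(values)
    return features


def feature_vector(features):
    """Fixed-order numeric vector, the shape a classifier would consume."""
    return [features[k] for k in sorted(features)]


# Constructed sample: five snapshots of one process, 25 ms apart (a 100 ms window).
SAMPLE_INTERVAL_MS = 25
SAMPLE_LINES = [
    "4242 (worker proc) S 1 4242 4242 0 -1 4194304 1000 0 2 0 100 50 0 0 20 0 4 0 9000 104857600 2048 18446744073709551615",
    "4242 (worker proc) R 1 4242 4242 0 -1 4194304 1100 0 2 0 102 51 0 0 20 0 4 0 9000 104857600 2100 18446744073709551615",
    "4242 (worker proc) R 1 4242 4242 0 -1 4194304 1200 0 3 0 104 52 0 0 20 0 5 0 9000 106954752 2200 18446744073709551615",
    "4242 (worker proc) R 1 4242 4242 0 -1 4194304 1300 0 3 0 106 53 0 0 20 0 5 0 9000 106954752 2300 18446744073709551615",
    "4242 (worker proc) S 1 4242 4242 0 -1 4194304 1400 0 3 0 108 54 0 0 20 0 5 0 9000 106954752 2400 18446744073709551615",
]

if __name__ == "__main__":
    feats = extract_features(SAMPLE_LINES, SAMPLE_INTERVAL_MS)
    for key, value in sorted(feats.items()):
        print(f"{key:22s} {value}")
```

The window is rejected outright when the PID's `comm` changes or a counter runs backwards; a detector that keeps such a window would be scoring one program with another program's history, which is exactly the kind of noise that inflates false alarms.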
