Computer Science (计算机科学) ›› 2024, Vol. 51 ›› Issue (9): 383-392. doi: 10.11896/jsjkx.230700035

• Information Security •

Deep-learning Based DKOM Attack Detection for Linux System

CHEN Liang1,2, SUN Cong1

  1 School of Cyber Engineering, Xidian University, Xi'an 710071, China
  2 Huawei Technologies Co., Ltd., Xi'an 710100, China
  • Received: 2023-07-06 Revised: 2023-11-14 Online: 2024-09-15 Published: 2024-09-10
  • Corresponding author: SUN Cong (suncong@xidian.edu.cn)
  • About author: (18829056730@163.com)
  • Supported by:
    National Natural Science Foundation of China (62272366) and Key Research and Development Program of Shaanxi Province (2023-YBGY-371)

Deep-learning Based DKOM Attack Detection for Linux System

CHEN Liang1,2, SUN Cong1

  1 School of Cyber Engineering, Xidian University, Xi'an 710071, China
  2 Huawei Technologies Co., Ltd., Xi'an 710100, China
  • Received: 2023-07-06 Revised: 2023-11-14 Online: 2024-09-15 Published: 2024-09-10
  • About author: CHEN Liang, born in 1998, master, engineer. His main research interests include software security and memory forensics.
    SUN Cong, born in 1982, Ph.D., professor, Ph.D. supervisor, is a member of CCF (No. 28286M). His main research interests include software security, program analysis, and high-confidence software.
  • Supported by:
    National Natural Science Foundation of China (62272366) and Key Research and Development Program of Shaanxi Province (2023-YBGY-371).

Abstract: Direct kernel object manipulation (DKOM) attacks hide kernel objects by directly accessing and modifying them, and are a long-standing critical security problem in mainstream operating systems. Behavior-based online scanning for DKOM attacks covers only a limited range of malware types, and the detection process itself is vulnerable to DKOM attacks. In recent years, memory-forensics-based static analysis of systems potentially subjected to DKOM attacks has become an effective and safe detection method. Existing methods can already identify Windows kernel objects with graph neural network models, but they do not apply to Linux kernel objects and are of limited effectiveness in identifying small kernel objects that lack pointer fields. To address these problems, this paper designs and implements a deep-learning-based DKOM attack detection scheme for Linux systems. First, an extended memory graph structure is proposed that captures the points-to relations and constant-field features of kernel objects; a relational graph convolutional network learns the topology of the extended memory graph to classify its nodes; a voting-based object inference algorithm derives kernel object addresses; and DKOM attacks on Linux systems are detected by comparing these results with those of the existing analysis framework Volatility. Compared with the existing memory graph structure, the proposed extended memory graph better represents the features of small kernel data structures that lack pointers but have constant fields, achieving higher kernel object detection effectiveness. Compared with the existing behavior-based online scanning tool chkrootkit, on the DKOM behaviors of 5 real-world rootkits the proposed scheme achieves higher detection effectiveness, with precision improved by 20.1% and recall improved by 32.4%.

Keywords: Memory forensics, Malware detection, Operating system security, Graph neural network, Binary analysis

Abstract: Direct kernel object manipulation (DKOM) attacks hide the kernel objects through direct access and modification to the kernel objects. Such attacks are a long-term critical security issue in mainstream operating systems. The behavior-based online scanning can efficiently detect limited types of DKOM attacks, and the detection procedure can be easily affected by the attacks. In recent years, memory-forensics-based static analysis has become an effective and secure detection approach in the systems potentially attacked by DKOM. The state-of-the-art approach can identify the Windows system kernel objects using a graph neural network model. However, this approach cannot be adapted to Linux kernel objects and has limitations in identifying small kernel objects with few pointer fields. This paper designs and implements a deep-learning-based DKOM attack detection approach for Linux systems to address these issues. An extended memory graph structure is proposed to depict the points-to relation and the constant fields' characteristics of the kernel objects. This paper uses relational graph convolutional networks to learn the topology of the extended memory graph to classify the graph nodes. A voting-based object inference algorithm is proposed to identify the kernel objects' addresses. The DKOM attack is detected by comparing our kernel object identification results and the results of the memory forensics framework Volatility. The contributions of this paper are as follows. 1) An extended memory graph structure that improves the detection effectiveness of the existing memory graph on capturing the features of small kernel data structures with few pointers but with evident constant fields. 2) On the DKOM attacks raised by five real-world Rootkits, our approach achieves 20.1% higher precision and 32.4% higher recall than the existing behavior-based online scanning tool chkrootkit.

Key words: Memory forensics, Malware detection, Operating system security, Graph neural network, Binary analysis
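To make the pipeline summarised in the two abstracts concrete, here is an added Python example (not code from the paper or its authors): it builds a toy 64-bit memory image in which one task object has been unlinked from the task list (a DKOM hide), constructs the extended memory graph (pointer edges plus a constant-field feature), infers object addresses by voting, and flags objects that a Volatility-style list walk never reaches. The object layout, the zero-valued "state" constant field and the fixed rule that stands in for the R-GCN node classifier are all assumptions made for illustration.

```python
import struct
BASE = 0xFFFF000000001000   # toy image base address (image is constructed, not a real dump)
WORD, OBJ_SIZE, OFF_NEXT, OFF_PREV = 8, 32, 8, 16   # toy task object: state, next, prev, pid

def build_image(n_tasks, hidden_idx):
    """Lay n_tasks objects out as a circular list. Object hidden_idx stays resident but its
    neighbours are relinked around it (a DKOM hide); its own next/prev still point at live objects."""
    addrs = [BASE + i * OBJ_SIZE for i in range(n_tasks)]
    visible = [a for i, a in enumerate(addrs) if i != hidden_idx]
    img = bytearray(n_tasks * OBJ_SIZE)
    for i, a in enumerate(addrs):
        ring = addrs if i == hidden_idx else visible
        pos = ring.index(a)
        nxt, prv = ring[(pos + 1) % len(ring)], ring[(pos - 1) % len(ring)]
        struct.pack_into("<QQQQ", img, i * OBJ_SIZE, 0, nxt, prv, 1000 + i)
    return bytes(img), addrs[0]

def extended_memory_graph(img):
    """One node per 8-byte word: a pointer edge to the word its value addresses (None unless the
    value is an aligned in-image address) plus a constant-field feature, here 'value is zero'."""
    vals = struct.unpack_from("<%dQ" % (len(img) // WORD), img)
    graph = {}
    for i, v in enumerate(vals):
        in_img = BASE <= v < BASE + len(img) and (v - BASE) % WORD == 0
        graph[BASE + i * WORD] = {"ptr_to": v if in_img else None, "is_const": v == 0}
    return graph

def infer_objects(graph, threshold=2):
    """Voting-based inference; the paper's R-GCN classifier is replaced by a fixed rule: a pointer
    word whose target is a constant field is a task next/prev link, voting for its object start and target."""
    votes = {}
    for addr, node in graph.items():
        tgt = node["ptr_to"]
        if tgt is None or not graph[tgt]["is_const"]:
            continue
        for cand in (addr - OFF_NEXT, addr - OFF_PREV, tgt):
            if cand in graph and graph[cand]["is_const"]:
                votes[cand] = votes.get(cand, 0) + 1
    return {a for a, n in votes.items() if n >= threshold}

def walk_list(img, head):  # Volatility-style enumeration: follow 'next' pointers from a known head
    seen, a = [], head
    while a not in seen:
        seen.append(a)
        a = struct.unpack_from("<Q", img, a - BASE + OFF_NEXT)[0]
    return seen

def detect_dkom(img, head, threshold=2):  # resident objects the list walk never reaches
    return sorted(infer_objects(extended_memory_graph(img), threshold) - set(walk_list(img, head)))
```

The hidden object is still recovered because its own next/prev fields vote for its start address even though no visible object points to it; the set difference against the list walk is the detection step.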

CLC number: TP309