Computer Science, 2024, Vol. 51, Issue 9: 383-392. DOI: 10.11896/jsjkx.230700035

• Information Security •

Deep-learning Based DKOM Attack Detection for Linux System

CHEN Liang 1,2, SUN Cong 1

  1 School of Cyber Engineering, Xidian University, Xi'an 710071, China
  2 Huawei Technologies Co., Ltd., Xi'an 710100, China
  • Received: 2023-07-06  Revised: 2023-11-14  Online: 2024-09-15  Published: 2024-09-10
  • About the authors: CHEN Liang, born in 1998, M.S., engineer. His main research interests include software security and memory forensics.
    SUN Cong, born in 1982, Ph.D., professor, Ph.D. supervisor, is a member of CCF (No. 28286M). His main research interests include software security, program analysis, and high-confidence software.
  • Supported by: National Natural Science Foundation of China (62272366) and Key Research and Development Program of Shaanxi Province (2023-YBGY-371).

Abstract: Direct kernel object manipulation (DKOM) attacks hide kernel objects by directly reading and modifying those objects in memory, and they remain a long-standing security problem in mainstream operating systems. Behavior-based online scanning can efficiently detect only a limited range of DKOM attacks, and because the scanner runs inside the live, possibly compromised system, the attack can interfere with the detection procedure itself. In recent years, static analysis based on memory forensics has become an effective and tamper-resistant way to examine systems that may have been subjected to DKOM. The state-of-the-art approach identifies Windows kernel objects with a graph neural network model, but it cannot be adapted to Linux kernel objects and has difficulty identifying small kernel objects that contain few pointer fields. This paper designs and implements a deep-learning-based DKOM attack detection approach for Linux systems to address these issues. An extended memory graph structure is proposed that captures both the points-to relations among kernel objects and the characteristics of their constant fields. A relational graph convolutional network learns the topology of the extended memory graph to classify graph nodes, and a voting-based object inference algorithm derives the addresses of kernel objects from the node classifications. DKOM attacks are detected by comparing the identified kernel objects with the results reported by the memory forensics framework Volatility; discrepancies between the two views indicate hidden objects. The contributions of this paper are as follows. 1) An extended memory graph structure that improves on the existing memory graph in capturing the features of small kernel data structures that have few pointers but evident constant fields. 2) On DKOM attacks launched by five real-world rootkits, the approach achieves 20.1% higher precision and 32.4% higher recall than the existing behavior-based online scanning tool chkrootkit.
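To make the cross-view idea concrete, here is an added example that is not code from the paper or from Volatility. It builds a small 64-bit little-endian memory image in which task-like objects are linked through embedded list heads, unlinks one of them the way a DKOM rootkit hides a process, and then compares two views: a walk of the task list starting at init_task (what a list-walking plugin such as Volatility's linux_pslist reports) against an object scan that builds a points-to graph over every aligned word, marks a constant field, and lets each plausible field cast a vote for a candidate object base. The object layout, the base address, the constant value, the vote threshold and the hand-written scoring rule are all assumptions of the example; the scoring rule stands in for the paper's R-GCN classifier and is not its algorithm.

```python
"""Toy cross-view DKOM check over a constructed memory image (added example)."""
import struct

BASE = 0xffff888000000000   # assumed start address of the dumped region
SIZE = 0x1000               # size of the constructed image
PTR = 8                     # 64-bit little-endian words

# Assumed, simplified task layout (not the real Linux task_struct):
#   +0 state (constant in every sampled task)   +8 tasks.next   +16 tasks.prev
#   +24 pid                                      +32 comm[16]
OFF_STATE, OFF_NEXT, OFF_PREV, OFF_PID, OFF_COMM = 0, 8, 16, 24, 32
OBJ_SIZE = 48
STATE_CONST = 0x1           # assumed "evident constant field" value


def rd(mem, addr):
    return struct.unpack_from("<Q", mem, addr - BASE)[0]


def wr(mem, addr, val):
    struct.pack_into("<Q", mem, addr - BASE, val)


def build_image(tasks, hidden_pid):
    """Lay out tasks [(addr, pid, comm)], link them into a circular list of
    embedded list_heads (next/prev point at +OFF_NEXT of the neighbour, as in
    Linux), then unlink hidden_pid the way a DKOM rootkit does."""
    mem = bytearray(SIZE)
    n = len(tasks)
    for i, (addr, pid, comm) in enumerate(tasks):
        nxt = tasks[(i + 1) % n][0] + OFF_NEXT
        prv = tasks[(i - 1) % n][0] + OFF_NEXT
        struct.pack_into("<QQQQ16s", mem, addr - BASE,
                         STATE_CONST, nxt, prv, pid, comm.encode())
    hidden = next(a for a, p, _ in tasks if p == hidden_pid)
    nxt, prv = rd(mem, hidden + OFF_NEXT), rd(mem, hidden + OFF_PREV)
    wr(mem, prv, nxt)         # prev->next = hidden->next
    wr(mem, nxt + PTR, prv)   # next->prev = hidden->prev
    return mem                # the hidden object itself is untouched and still in memory


def task_info(mem, addr):
    off = addr - BASE + OFF_COMM
    comm = bytes(mem[off:off + 16]).split(b"\0")[0].decode()
    return rd(mem, addr + OFF_PID), comm


def walk_task_list(mem, init_addr, limit=1000):
    """View 1: follow tasks.next from init_task, as a list-walking plugin
    (e.g. Volatility's linux_pslist) does. Unlinked objects are invisible here."""
    seen, cur = [], init_addr
    for _ in range(limit):
        seen.append(cur)
        cur = rd(mem, cur + OFF_NEXT) - OFF_NEXT   # container_of(list_head)
        if cur == init_addr:
            break
    return seen


def build_memory_graph(mem):
    """Points-to graph over every aligned word plus a constant-field mark.
    A simplification of the paper's extended memory graph; the paper feeds
    such a graph to an R-GCN node classifier, which is not reproduced here."""
    points_to, const_nodes = {}, set()
    for addr in range(BASE, BASE + SIZE, PTR):
        v = rd(mem, addr)
        if BASE <= v < BASE + SIZE:
            points_to[addr] = v
        if v == STATE_CONST:
            const_nodes.add(addr)
    return points_to, const_nodes


def vote_objects(mem, points_to, const_nodes, threshold=3):
    """View 2: every aligned address is a candidate object base; each field that
    looks right casts one vote. A hand-written stand-in for the learned classifier."""
    identified = set()
    for base in range(BASE, BASE + SIZE - OBJ_SIZE + PTR, PTR):
        votes = 0
        if base + OFF_STATE in const_nodes:
            votes += 1
        for off in (OFF_NEXT, OFF_PREV):           # list_head pointing at a list_head
            tgt = points_to.get(base + off)
            if tgt is not None and tgt in points_to:
                votes += 1
        if 0x20 <= mem[base - BASE + OFF_COMM] < 0x7f:   # printable comm
            votes += 1
        if votes >= threshold:
            identified.add(base)
    return identified


def detect_dkom(mem, init_addr):
    """Objects found by scanning but missing from the list walk are DKOM-hidden."""
    listed = set(walk_task_list(mem, init_addr))
    identified = vote_objects(mem, *build_memory_graph(mem))
    return sorted(identified - listed)


def sample_image():
    """Constructed sample: four tasks, pid 4242 hidden by DKOM."""
    tasks = [(BASE + 0x100, 0, "swapper"), (BASE + 0x200, 1, "init"),
             (BASE + 0x300, 4242, "rootkit"), (BASE + 0x400, 512, "sshd")]
    return build_image(tasks, hidden_pid=4242), BASE + 0x100


if __name__ == "__main__":
    mem, init = sample_image()
    print("list walk:", [task_info(mem, a) for a in walk_task_list(mem, init)])
    print("hidden   :", [task_info(mem, a) for a in detect_dkom(mem, init)])
```

Run it directly to print both views; the hidden task (pid 4242) appears only in the scan. On a real image the scan side is where the learned classifier matters: a fixed rule like the one above is something a rootkit author can read and evade by perturbing the fields it checks, while the list walk is the part that DKOM defeats by design.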

Key words: Memory forensics, Malware detection, Operating system security, Graph neural network, Binary analysis

CLC Number: TP309
References:
[1] JOY J, JOHN A, JOY J. Rootkit detection mechanism: A survey [C]// Proceedings of International Conference on Parallel Distributed Computing Technologies and Applications. Berlin: Springer, 2011: 366-374.
[2] BUTLER J. Direct Kernel Object Manipulation [EB/OL]. https://www.blackhat.com/presentations/win-usa-04/bh-win-04-butler.pdf.
[3] YIN H, SONG D, EGELE M, et al. Panorama: Capturing System-Wide Information Flow for Malware Detection and Analysis [C]// Proceedings of the 14th ACM Conference on Computer and Communications Security. New York: ACM, 2007: 116-127.
[4] KRUEGEL C, ROBERTSON W, VIGNA G. Detecting Kernel-Level Rootkits through Binary Analysis [C]// Proceedings of the 20th Annual Computer Security Applications Conference. Piscataway: IEEE, 2004: 91-100.
[5] BALIGA A, GANAPATHY V, IFTODE L. Automatic Inference and Enforcement of Kernel Data Structure Invariants [C]// Proceedings of the 24th Annual Computer Security Applications Conference. Piscataway: IEEE, 2008: 77-86.
[6] DOLAN-GAVITT B, SRIVASTAVA A, TRAYNOR P, et al. Robust Signatures for Kernel Data Structures [C]// Proceedings of the 2009 Conference on Computer and Communications Security. New York: ACM, 2009: 566-577.
[7] SONG W, YIN H, LIU C, et al. DeepMem: Learning Graph Neural Network Models for Fast and Robust Memory Forensic Analysis [C]// Proceedings of the 2018 Conference on Computer and Communications Security. New York: ACM, 2018: 606-618.
[8] CARBONE M, CUI W, LU L, et al. Mapping Kernel Objects to Enable Systematic Integrity Checking [C]// Proceedings of the 16th ACM Conference on Computer and Communications Security. New York: ACM, 2009: 555-565.
[9] LIN Z, ZHANG X, XU D. Automatic Reverse Engineering of Data Structures from Binary Execution [C]// Proceedings of the Network and Distributed System Security Symposium. The Internet Society, 2010: 1-18.
[10] COZZIE A, STRATTON F, XUE H, et al. Digging for Data Structures [C]// Proceedings of the 8th USENIX Symposium on Operating System Design and Implementation. USENIX Association, 2008: 255-266.
[11] PETRONI J N, FRASER T, WALTERS A, et al. An Architecture for Specification-Based Detection of Semantic Integrity Violations in Kernel Dynamic Data [C]// Proceedings of the 15th USENIX Security Symposium. USENIX Association, 2006: 289-304.
[12] LIN Z, RHEE J, ZHANG X, et al. SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures [C]// Proceedings of the Network and Distributed System Security Symposium. The Internet Society, 2011: 1-18.
[13] MURILO N, STEDING-JESSEN K. chkrootkit: Locally Checks for Signs of a Rootkit [EB/OL]. http://www.chkrootkit.org/.
[14] The Volatility Foundation. Volatility Framework - Volatile Memory Extraction Utility Framework [EB/OL]. (2020-12-11) [2023-04-03]. https://github.com/volatilityfoundation/volatility.
[15] THANAPALASINGAM T, VAN BERKEL L, BLOEM P, et al. Relational Graph Convolutional Networks: a Closer Look [J]. PeerJ Computer Science, 2022, 8: e1073.
[16] SCHLICHTKRULL M, KIPF T, BLOEM P, et al. Modeling Relational Data with Graph Convolutional Networks [C]// Proceedings of the 15th European Semantic Web Conference. Cham: Springer, 2018: 593-607.
[17] SCHMIDHUBER J. Deep Learning in Neural Networks: An Overview [J]. Neural Networks, 2015, 61: 85-117.
[18] YAO Y. adore-ng [EB/OL]. (2015-12-30) [2023-04-03]. https://github.com/yaoyumeng/adore-ng.
[19] HAN J. Wukong: A LKM Rootkit for Linux Kernel 2.6.x, 3.x and 4.x [EB/OL]. (2016-04-07) [2023-04-03]. https://github.com/hanj4096/wukong.
[20] IPSecs. Kbeast-v1 [EB/OL]. (2012-01-01) [2023-04-03]. http://core.ipsecs.com/rootkit/kernel-rootkit/kbeast-v1/.
[21] Chokepoint. JynxKit2 [EB/OL]. (2012-12-15) [2023-04-03]. https://github.com/chokepoint/Jynx2.
[22] En14c. LilyOfTheValley [EB/OL]. (2017-12-25) [2023-04-03]. https://github.com/En14c/LilyOfTheValley.
[23] SONG L, YIN H, LIU C. DeepMem [EB/OL]. (2019-07-06) [2023-04-03]. https://github.com/bitsecurerlab/DeepMem.
[24] CHANG Wuyang, FU Xiong, WANG Junchang. DDoS Attack Detection System Based on eBPF and LSTM [J]. Journal of Chongqing Technology and Business University (Natural Science Edition), 2023, 40(2): 36-43. (in Chinese)