This article presents an asset-based security system where security practitioners build their systems based on information they own and not solicited by observing attackers’behavior.Current security solutions rely on...This article presents an asset-based security system where security practitioners build their systems based on information they own and not solicited by observing attackers’behavior.Current security solutions rely on information coming from attackers.Examples are current monitoring and detection security solutions such as intrusion prevention/detection systems and firewalls.This article envisions creating an imbalance between attackers and defenders in favor of defenders.As such,we are proposing to flip the security game such that it will be led by defenders and not attackers.We are proposing a security system that does not observe the behavior of the attack.On the contrary,we draw,plan,and follow up our own protection strategy regardless of the attack behavior.The objective of our security system is to protect assets rather than protect against attacks.Virtual machine introspection is used to intercept,inspect,and analyze system calls.The system callbased approach is utilized to detect zero-day ransomware attacks.The core idea is to take advantage of Xen and DRAKVUF for system call interception,and leverage system calls to detect illegal operations towards identified critical assets.We utilize our vision by proposing an asset-based approach to mitigate zero-day ransomware attacks.The obtained results are promising and indicate that our prototype will achieve its goals.展开更多
For the lack of detailed semantic in prior works, a transparent fine-grained monitoring technique (cMonitor) is pro- posed. Deployed outside the virtual machines, the cMonitor util- izes the elevated privileges of t...For the lack of detailed semantic in prior works, a transparent fine-grained monitoring technique (cMonitor) is pro- posed. Deployed outside the virtual machines, the cMonitor util- izes the elevated privileges of the virtual machine monitor to monitor the network connection, the processes and the relationship between them in protected systems by reconstructing fine-grained system semantics. These semantics contain process states and corresponding network connection. Experimental results show that cMonitor not only can be rapidly deployed in realistic cloud, but also can effectively and universally obtain these fine-grained semantics to assist detection of some advanced network attack. Meanwhile, the network performance overhead is about 3%, which is acceptable.展开更多
Malicious software programs usually bypass the detection of anti-virus software by hiding themselves among apparently legitimate programs.In this work,we propose Windows Virtual Machine Introspection(WVMI)to accurat...Malicious software programs usually bypass the detection of anti-virus software by hiding themselves among apparently legitimate programs.In this work,we propose Windows Virtual Machine Introspection(WVMI)to accurately detect those hidden processes by analyzing memory data.WVMI dumps in-memory data of the target Windows operating systems from hypervisor and retrieves EPROCESS structures’address of process linked list first,and then generates Data Type Confidence Table(DTCT).Next,it traverses the memory and identifies the similarities between the nodes in process linked list and the corresponding segments in the memory by utilizing DTCT.Finally,it locates the segments of Windows’EPROCESS and identifies the hidden processes by further comparison.Through extensive experiments,our experiment shows that the WVMI detects the hidden process with high identification rate,and it is independent of different versions of Windows operating system.展开更多
基金This project is funded by King Abdulaziz City for Science and Technology(KACST)under the National Science,Technology,and Innovation Plan(Project Number 11-INF1657-04).
文摘This article presents an asset-based security system where security practitioners build their systems based on information they own and not solicited by observing attackers’behavior.Current security solutions rely on information coming from attackers.Examples are current monitoring and detection security solutions such as intrusion prevention/detection systems and firewalls.This article envisions creating an imbalance between attackers and defenders in favor of defenders.As such,we are proposing to flip the security game such that it will be led by defenders and not attackers.We are proposing a security system that does not observe the behavior of the attack.On the contrary,we draw,plan,and follow up our own protection strategy regardless of the attack behavior.The objective of our security system is to protect assets rather than protect against attacks.Virtual machine introspection is used to intercept,inspect,and analyze system calls.The system callbased approach is utilized to detect zero-day ransomware attacks.The core idea is to take advantage of Xen and DRAKVUF for system call interception,and leverage system calls to detect illegal operations towards identified critical assets.We utilize our vision by proposing an asset-based approach to mitigate zero-day ransomware attacks.The obtained results are promising and indicate that our prototype will achieve its goals.
基金Supported by the National Natural Science Foundation of China(61373169,61103219,61303213)the Program of National Development and Reform Commission([2013]1309)the Ph.D.Programs Foundation of Ministry of Education of China(20110141130006)
文摘For the lack of detailed semantic in prior works, a transparent fine-grained monitoring technique (cMonitor) is pro- posed. Deployed outside the virtual machines, the cMonitor util- izes the elevated privileges of the virtual machine monitor to monitor the network connection, the processes and the relationship between them in protected systems by reconstructing fine-grained system semantics. These semantics contain process states and corresponding network connection. Experimental results show that cMonitor not only can be rapidly deployed in realistic cloud, but also can effectively and universally obtain these fine-grained semantics to assist detection of some advanced network attack. Meanwhile, the network performance overhead is about 3%, which is acceptable.
基金Supported by the National Natural Science Foundation of China(61170026)
文摘Malicious software programs usually bypass the detection of anti-virus software by hiding themselves among apparently legitimate programs.In this work,we propose Windows Virtual Machine Introspection(WVMI)to accurately detect those hidden processes by analyzing memory data.WVMI dumps in-memory data of the target Windows operating systems from hypervisor and retrieves EPROCESS structures’address of process linked list first,and then generates Data Type Confidence Table(DTCT).Next,it traverses the memory and identifies the similarities between the nodes in process linked list and the corresponding segments in the memory by utilizing DTCT.Finally,it locates the segments of Windows’EPROCESS and identifies the hidden processes by further comparison.Through extensive experiments,our experiment shows that the WVMI detects the hidden process with high identification rate,and it is independent of different versions of Windows operating system.