Poster: CompareView - A Provenance Verification Framework for Detecting Rootkit-Based Malware

Author

  • Chehai Wu
Abstract

Using rootkit mechanisms to hide the presence of malware is pervasive in today's computer attacks. We propose the CompareView framework, a host-based solution for detecting stealthy outbound traffic generated by rootkit-based malware. Using a lightweight cryptographic protocol, CompareView compares the views of outbound network packets at different layers of the host network stack and verifies the provenance information of each packet. CompareView identifies and blocks suspicious network traffic that is not accompanied by a proper digital signature attesting to its origin. The prototype is implemented on Windows XP and uses the on-chip TPM to protect its own integrity. Our evaluation results show that the provenance verification approach is effective and efficient.
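The abstract describes the check only at a high level: a hook near the application layer vouches for each packet it sees, and a hook near the driver admits a packet only if that vouching is present and valid, so traffic a rootkit injects below the upper hook has no provenance and is dropped. The following simulation is an added example, not code from the poster or its prototype. It makes several assumptions the abstract does not state: the tag is an HMAC-SHA256 under a per-host key (a stand-in for the paper's digital signatures and its TPM-protected key), the two hooks share an in-kernel table keyed by packet digest, and a monotonic sequence number supplies freshness. The packets, addresses and payloads are constructed for the demo.

```python
"""Two-layer provenance check in the style of CompareView (added example).

Assumptions not taken from the poster: HMAC-SHA256 tags instead of digital
signatures, a host key standing in for a TPM-protected key, a table shared by
the two hooks, and a monotonic sequence counter for freshness.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # "ip:port"
    dst: str        # "ip:port"
    proto: str      # "tcp" or "udp"
    payload: bytes


def packet_digest(pkt):
    """Canonical digest over the fields both hooks can observe; the tag binds to it."""
    h = hashlib.sha256()
    for part in (pkt.src, pkt.dst, pkt.proto):
        h.update(part.encode())
        h.update(b"\x00")      # separator so adjacent fields cannot run together
    h.update(pkt.payload)
    return h.digest()


def _tag(key, seq, digest):
    return hmac.new(key, seq.to_bytes(8, "big") + digest, hashlib.sha256).digest()


class UpperLayerHook:
    """Socket/transport-layer view: tags every packet a legitimate application sends."""

    def __init__(self, key, table):
        self._key = key
        self._seq = 0
        self.table = table      # shared with the lower hook (assumption)

    def emit(self, pkt):
        self._seq += 1
        d = packet_digest(pkt)
        self.table[d] = (self._seq, _tag(self._key, self._seq, d))


class LowerLayerHook:
    """Driver-level view: admits a packet only if the upper view vouched for it."""

    def __init__(self, key, table):
        self._key = key
        self.table = table
        self._last_seq = 0

    def filter(self, pkt):
        d = packet_digest(pkt)
        entry = self.table.pop(d, None)    # single use: a second pass is a replay
        if entry is None:
            return "block"                 # never passed the upper hook: injected below it
        seq, tag = entry
        if not hmac.compare_digest(tag, _tag(self._key, seq, d)):
            return "block"                 # tag present but not made with the host key
        if seq <= self._last_seq:
            return "block"                 # stale entry written back into the table
        self._last_seq = seq
        return "pass"


def run_demo():
    """Constructed scenario; returns the lower hook's decision per packet."""
    key = os.urandom(32)
    table = {}
    upper = UpperLayerHook(key, table)
    lower = LowerLayerHook(key, table)

    # A browser sends a request through the socket layer, so it gets tagged.
    legit = Packet("10.0.0.5:51000", "93.184.216.34:443", "tcp", b"GET / HTTP/1.1\r\n")
    upper.emit(legit)
    saved_entry = dict(table)               # what a rootkit could have observed
    decisions = {"legit": lower.filter(legit)}

    # Rootkit hides from the socket layer and injects a beacon at the driver.
    beacon = Packet("10.0.0.5:4444", "198.51.100.7:6667", "tcp", b"NICK bot1337\r\n")
    decisions["injected"] = lower.filter(beacon)

    # Rootkit re-sends the already-admitted packet; its entry was consumed.
    decisions["replay"] = lower.filter(legit)

    # Rootkit writes the old (seq, tag) back into the table and re-sends.
    table.update(saved_entry)
    decisions["reinserted"] = lower.filter(legit)

    # Rootkit forges a tag under a guessed key for an exfiltration packet.
    forged = Packet("10.0.0.5:4444", "198.51.100.7:6667", "udp", b"exfil")
    d = packet_digest(forged)
    table[d] = (99, _tag(b"guessed-key", 99, d))
    decisions["forged"] = lower.filter(forged)
    return decisions


if __name__ == "__main__":
    print(run_demo())
```

Only the first packet is admitted; the injected, replayed, re-inserted and forged packets are all blocked. The re-inserted case is why the freshness counter matters: a rootkit that can write to the shared table but cannot sign must still not be able to reuse a tag it observed earlier.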


Related resources

A Cryptographic Provenance Verification Approach For Host-Based Malware Detection

We present a malware detection approach by focusing on the characteristic behaviors of human users. We explore the human-malware differences and utilize them to aid the detection of infected hosts. There are two main research challenges in this study: one is how to select characteristic behavior features, and the other is how to prevent malware forgeries. We address both questions in this paper...


Ensuring Host Integrity With Cryptographic Provenance Verification∗

We propose a malware detection approach based on the characteristic behaviors of human users. We explore the human-malware differences and utilize them to aid the detection of infected hosts. There are two main research challenges in this study: one is how to select characteristic behavior features, and the other is how to prevent malware forgeries. We aim to address both questions in this poster.


Knowing Where Your Input is From: Kernel-Level Data-Provenance Verification

We describe a cryptographic provenance verification approach for ensuring system properties and system-data integrity at kernel-level. Its two concrete applications are demonstrated in malware traffic detection and keystroke-based bot identification. Specifically, we first demonstrate our provenance verification approach by realizing a lightweight framework for blocking outbound malware traffic...


Data-provenance Verification for Secure Hosts

Network- or host-based signature-scanning approaches alone have proven inadequate against new and emerging malware. We view malicious bots or malware in general as entities stealthily residing on a human user's computer and interacting with the user's computing resources. In this existing work we need to improve the trustworthiness of a host and its system data. Specifically, we provide a new me...


Towards a Malware Detection Framework Based on Power Consumption Monitoring

As our personal, organizational, and critical infrastructure are increasingly dependent on networked computing assets, malicious software —malware—is one of the most serious national security threats. Common malware detection practices are proving insufficient, and the task poses significant challenges when faced with automatically generated and polymorphic malware, as well as rootkits, which a...



Journal title:

Volume   Issue

Pages  -

Publication date 2009