OS KERNEL MALWARE DETECTION USING KERNEL CRIME DATA MINING

Transcription

1 OS KERNEL MALWARE DETECTION USING KERNEL CRIME DATA MINING MONISHA.T #1 and Mrs.UMA.S *2 # ME,PG Scholar,Department of CSE, SKR Engineering College,Poonamallee,Chennai,TamilNadu * ME,Assist.professor, Department of CSE, SKR Engineering College,Poonamallee,Chennai,TamilNadu. Abstract-Traditional malware detection and analysis approaches have been focusing on code-centric aspects of malicious programs, such as detection of the injection of malicious code or matching malicious code sequences. However, modern malware has been employing advanced strategies, such as reusing legitimate code or obfuscating malware code to circumvent the detection. This framework consists of four system components with novel features: First, a runtime kernel object mapping system which has an un-tampered view of kernel data objects resistant to manipulation by malware. This concept explains emerging cybercrimes, kernel forensic analysis steps in the storage media, hidden data analysis in the file system, network forensic methods, Memory Forensic Modules and cybercrime data mining. This paper introduces the K- Means and Apriori algorithm for finding the kernel attack and the counting of the attacks during the system working time. For this purpose, system uses the tools of Wincap, jpcap and wmic.thus this tool provides the defense and reduces the vulnerability. Index Terms: kernel, malicious code, forensic, mapping. I. INTRODUCTION Malware is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of executable code, scripts, active content, and other software. 'Malware' is a general term used to refer to a variety of forms of hostile or intrusive software.although recent intrusion detection systems can recognize and take against attacks, comparatively little research focuses on after-the-fact investigation. This is, in part, because network owners are more willing to absorb losses from computer crime that risk their reputations by letting details of their exploited vulnerabilities become public. More number of cyber attacks is also possible in the systems. Those are hacking, Dos attack, DDoS attacks, Software Piracy attacks, Pornography attacks, Spoofing attack, Virus attack, Threatening attacks, Phishing attacks, Salami attack, Zero day attack and war driving attack. This cyber attacks are mostly identified by the Kernel forensic investigation. The goal of Kernel forensic analysis is to identify Kernel evidence for an investigation. An investigation typically uses both physical and Kernel evidence with the scientific method to draw conclusions. Examples of investigations that use Kernel forensics include computer intrusion, unauthorized use of corporate computers, child pornography, and any physical crime whose suspect had a computer.in this paper, system performs three types of analyzers.these are Network forensic analyzer, file analyzer and memory forensic analyzer. Network forensic analyzer is the process of network traffic analyzer. Network traffic analyzer is performed by network 590

2 monitoring. A network analyzer is a computer program or a piece of computer hardware that can intercept and log traffic passing over a Kernel network or part of a network. As data streams flow across the network, the sniffer captures each packet and, if needed, decodes the packet's raw data, showing the values of various fields in the packet, and analyzes its content according to the appropriate RFC or other specifications. For monitor this process here we use the jpcap tool. This jpcap tool monitors the networking details of the system. This jpcap tool monitors the traffic and displays the details like Source Mac, Destination Mac, Source IP, Destination IP and Captured Time. Then this data is stored as thumb data in the system. This thumb data is given to the input as the crime detection process. This kernel detection process is detecting the attacks which are finding in the whole data. Next module is the file analyzer module. This file analyzer module is the process of analyze the file details. When system receive any other file from another system, here this file analyzer first monitor the receiving data, and analyze the modifying of this files and analyze the deletion of this file. This all analyzing data is then provided to the crime data mining. Here system identify the crime occurs in the system.finally, performing the memory forensic module. In these memory forensic modules, System goes to use the wmic tool. From this tool it detects what are the process running in the system, what are the ports opened in the system, list out what are the services running in the system, which system has booted up till that moment and finally login session details of the users. Then this result also moves to the Kernel data mining. Here it detects what are the attacks occurred in the system.these are all the attacks in Kernel which are detected by using the kernel data mining process. Kernel Data mining is the extraction of Computer crime related data to determine crime patterns. With the growing sizes of databases, law enforcement and intelligence agencies face the challenge of analyzing large volumes of data involved in criminal and terrorist 591 activities. Thus, a suitable scientific method for Kernel forensics is data mining. This kernel data mining is working under the algorithm of DSA, k-mean and apriori algorithm. Finally, the results and graph for the system prediction were displayed. II. PROBLEM DESCRIPTION The current kernel characterization mechanisms in DataGene are centralized and are therefore unsuitable for detecting the signature based malware Characterization. DataGene monitors kernel memory access behavior such as reads and writes on OS kernel objects is done by execution compromised by kernel rootkits. There are no attack patterns of kernel stacks in the existing rootkits. The bottleneck problem may occur in the centralized DataGene is due to large data set networks.the Data Gene generates only the runtime Kernel object mapping sequences. To the best of our knowledge, there is no proper database loader to collect the evidences from the os kernel and the hidden data from the system. Kernel stacks that have irregular access patterns. Whenever a kernel function is called or returns, the stack is accessed for various purposes such as return values, function arguments, and local variables. III. EXISITING SYSTEM In order to detect such malware attacks, a group of defense techniques focus on identifying malware based on behavior. These approaches generate malware DataGene by using a pattern of malware code sequence (e.g., instruction sequences or system call sequences) to match malware behavior [8]. However, some malware employ techniques that obfuscate or vary the patterns of code execution. For example, code obfuscation and code emulation techniques can confuse behavior-based malware detectors and hence avoid detection. This armsrace between malware and malware detectors centers on properties of malicious code, injection/integrity of code or the causal sequences of malicious code patterns. While

3 the majority of existing work focuses on the code malware executes, relatively little work has been done which focuses on the data it modifies. A. ISSUES IN EXISTING SYSTEM In existing systems there is a possibility of to draw conclusions. If additional data is sought for detail investigation will call for in depth data collection. Reporting: This is the process of preparing and presenting the outcome of the Analysis phase. IV. SYSTEM ARCHITECTURE DESIGN The binary value forwarded is more costly and fully transparent analysis system of examination and difficult to predict the attackers involved in the network. Existing methods are not efficient to provide good results. It produces incompleteness of the dependence graph from a finite set of execution traces. Graphs are failed to examine the complete set of detection. Volatile memory does not perform well in the DataGene generated. System architecture is the conceptual model that defines the structure, behavior, and more views of a system provides a descriptive plan for the file analyzer, memory analyzer and network analyzer. It shows how the components are procured to process and the steps involved in the entire modules, works together to implement in overall system. B. PROPOSED SYSTEM The proposed scheme addresses the kernel forensic investigation is an inquiry into the unfamiliar or questionable activities in the crime space or digital world. The investigation process is as follows (As per National Institute of Standards and Technology). Collection phase: The first step in the kernel forensic process is to identify potential sources of data and acquire forensic data from them. Major sources of data are desktops, storage media, Routers, Cell Phones, Digital Camera etc. A plan is developed to acquire data according to their importance, volatility and amount of effort to collect. Examination: Once data has been collected, the next phase is to examine it, which involves assessing and extracting the relevant pieces of information from the collected data. Analysis: Extracted and relevant data has been analyzed 592 V. MODULE DESCRIPTION A. FILE SYSTEM FORENSICS The first module is file system investigation is the identification, collection and analysis of the evidence from the storage media. File systems or file management systems is a part of operating system which organize and locate sectors for file storage. B. HIDDEN EVIDENCE ANALYSIS IN THE FILE SYSTEM Suspects can hide their sensitive data in various areas of the file system such as Volume slack; file slack, bad clusters, deleted file spaces. The maintenance track/protected Area on ATA disks are used to hide information. The evidence collection tools can copy the above contents. A file allocation table in FAT and Master File Table (MFT) are used to keep track of files. Figure

4 4.1.2 shows MFT structure. MFT en-tries are manipulated to hide vital and sensitive information. When a file is deleted, the record of the file is removed from the table, thereby making it appear that it does not exist anymore. The clusters used by the deleted file are marked as being free and can now be used to store other data. However, although the record is gone, the data may still reside in the clusters of the hard disk. That data we can recover by calculate starting and end of the file in Hex format and copy it into a text file and save with corresponding extension. Fig B. MFT structure. Information about how partitions are set up on a machine is stored in a partition table, which is a part of the Master Boot Record (MBR). When the computer is booted, the partition table allows the computer to understand how the hard disk is organized and then passes this information to the operating system. When a partition is deleted, the entry in the partition table is removed, making the data inaccessible. However, even though the partition entry has been removed, the data still resides on the hard disk. A file system may not use an entire partition. The space after the end of the volume called volume slack that can be used to hide data. The space between Partitions is also vulnerable for hiding data, file slack space is another hidden storage. Figure shows slack spaces in a Disk. lusters marked as bad may be used to hide data. C. Apriori Algorithm 1) Identify variables/item sets from a case report (our proposed system stores these variables as attributes of tables, filesystem table, network table). 2) Item sets I = {I1, I2, I3 Im}. 3) Set of actions D = {t1, t2, t3 tn}. 4) Find frequent item sets by using Apriori algorithm. Employs an iterative level to find set of frequent item sets. E.g. if an attacker attacked database, login attempt results a data loss/data tampering and case report show actions like Data deleted, Login attempt, attack type = SQL injection, If these item sets are frequent then we can set a rule motive of attack is Data theft. 5) Make Association Rules i.e. It is a rule in the form X Y showing an association between X and Y that if X occurs then Y will occur. If the attacker accessed operating system files then we can say motive of attack is system Crash. If the attacker attacked Database login and Password steel then we can say criminal motive for data theft/data change. Finding other signs of evidence Correlation, contingences (Consider these values while making rule sets). 6) Set SQL queries according to the rules. 7) Retrieve data. D. MEMORY FORENSIC ANALYSIS Memory Forensic Analysis process consist of the browser history and active process in the system. This process consists of Process (lists all processes running on system), Port (list all ports in the system), Services (list out services running on system); Load order (gives order in which system has booted up till that moment), and Net login (gives login session details of the users). E.PHASES OF MEMORY FORENSICS: The memory forensic module consists of five processes. 1. Process: lists all processes running on system. 2. Port : list all ports open 1&2 will later be mined for classification into unknown( potentially malicious) and known connections. 3. Services: list out services running on system. (to know if some malicious services are running on the system) 593

5 4. Load order: gives order in which system has booted up till that moment.( to see if some malicious processes were involved) 5. Net login: gives login session details of the users. Finally all these details are store as csv file or other format as per our convenience. VI. CONCLUSION This paper explains the hidden evidence acquisition from kernel data mining. In the first phase, first two modules are explained in detail. The file analyzer module is the process of analyze the file details. When system receive any other file from another system, here this file analyzer first monitor the receiving data, and analyze the modifying of this files and analyze the deletion of this file. This all analyzing data is then provided to the kernel crime data mining. Here system identify the crime occurs in the system. Second module explains investigation on the internal memory and Detection is achieved by generating the Kernel crime data mining (KCDM).The proposed apriori and K-means algorithms are used to analyses the network system and finally the attacks in Kernel are detect by using the kernel data mining process. Kernel Data mining is the extraction of computer crime related data to determine crime patterns. Finally, the results and graph for the system prediction were displayed.in future, we can implement a Linux based compiler level tool that takes a source program and automatically produces a source code of detecting the kernel malware attacks and its characterization. [4] M. Christodorescu, C. Kruegel, and S. Jha, Mining specifications of malicious behavior, in Proc. 6th Joint Meeting ESEC/FSE, Sep. 2007, pp [5] D. Balzarotti, M. Cova, C. Karlberger, C. Kruegel, E. Kirda, and G. Vigna, Efficient detection of split personalities in malware, in Proc.17th Annu. NDSS, Feb. 2010, pp [6] M. Sharif, A. Lanzi, J. Giffin, and W. Lee, Impeding malware analysis using conditional code obfuscation, in Proc. 15th Annu. NDSS, 2008,pp [7] M. Sharif, A. Lanzi, J. Giffin, and W. Lee, Automatic reverse engineering of malware emulators, in Proc. 30th IEEE Symp. Sec. Privacy, Mar. 2009, pp [8] U. Bayer, P. Milani Comparetti, C. Hlauscheck, C. Kruegel, and E. Kirda, Scalable, behavior-based malware clustering, in Proc. 16 th Symp. NDSS, Feb. 2009, pp [9] D. Klieiman, K. Timothy and M. Cross, The Official CHFI Study Guide for Forensic Investigators, [10] B. Carrier, File System Forensic Analysis, Addison Wesley Professional, [11] C. Kaiwee, Analysis of Hidden Data in NTFS File Sys-tem, Whitepaper REFERENCES [1] C. Kolbitsch, P. Milani Comparetti, C. Kruegel, E. Kirda, X. Zhou, and X. Wang, Effective and efficient malware detection at the end host, in Proc. 18th USENIX Sec. Symp., Aug. 2009, pp [2] C. Kruegel, W. Robertson, and G. Vigna, Detecting kernel-level rootkits through binary analysis, in Proc. 20th ACSAC, Dec. 2004, pp [3] P. Chen, H. Xiao, X. Shen, X. Yin, B. Mao, and L. Xie, DROP: Detecting return-oriented programming malicious code, in Proc. 5 th ICISS, Dec. 2009, pp