OS KERNEL MALWARE DETECTION USING KERNEL CRIME DATA MINING




MONISHA.T #1 and Mrs. UMA.S *2
# ME, PG Scholar, Department of CSE, SKR Engineering College, Poonamallee, Chennai, Tamil Nadu
* ME, Assistant Professor, Department of CSE, SKR Engineering College, Poonamallee, Chennai, Tamil Nadu

Abstract - Traditional malware detection and analysis approaches have focused on code-centric aspects of malicious programs, such as detecting the injection of malicious code or matching malicious code sequences. However, modern malware employs advanced strategies, such as reusing legitimate code or obfuscating malware code, to circumvent detection. This framework consists of four system components with novel features; the first is a runtime kernel object mapping system which has an untampered view of kernel data objects that is resistant to manipulation by malware. This paper covers emerging cybercrimes, the kernel forensic analysis steps for storage media, hidden data analysis in the file system, network forensic methods, memory forensic modules and cybercrime data mining. It introduces the K-Means and Apriori algorithms for finding kernel attacks and counting the attacks that occur while the system is running. For this purpose the system uses the WinPcap, jpcap and wmic tools; the resulting tool provides a defense and reduces the vulnerability.

Index Terms: kernel, malicious code, forensic, mapping.

I. INTRODUCTION

Malware is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of executable code, scripts, active content, and other software. 'Malware' is a general term used to refer to a variety of forms of hostile or intrusive software. Although recent intrusion detection systems can recognize and take action against attacks, comparatively little research focuses on after-the-fact investigation.
This is, in part, because network owners are more willing to absorb losses from computer crime than to risk their reputations by letting details of their exploited vulnerabilities become public. Many kinds of cyber attack are possible against these systems: hacking, DoS attacks, DDoS attacks, software piracy attacks, pornography attacks, spoofing attacks, virus attacks, threatening attacks, phishing attacks, salami attacks, zero-day attacks and war driving attacks. These cyber attacks are mostly identified by kernel forensic investigation. The goal of kernel forensic analysis is to identify kernel evidence for an investigation. An investigation typically uses both physical and kernel evidence with the scientific method to draw conclusions. Examples of investigations that use kernel forensics include computer intrusion, unauthorized use of corporate computers, child pornography, and any physical crime whose suspect had a computer.

In this paper the system performs three types of analysis: a network forensic analyzer, a file analyzer and a memory forensic analyzer. The network forensic analyzer is the process of analyzing network traffic, which is performed by network monitoring. A network analyzer is a computer program or a piece of computer hardware that can intercept and log traffic passing over a kernel network or part of a network. As data streams flow across the network, the sniffer captures each packet and, if needed, decodes the packet's raw data, showing the values of various fields in the packet, and analyzes its content according to the appropriate RFC or other specifications. To monitor this process we use the jpcap tool. jpcap monitors the networking details of the system: it monitors the traffic and displays details such as Source MAC, Destination MAC, Source IP, Destination IP and Captured Time. This data is then stored as thumb data in the system, and the thumb data is given as input to the crime detection process. This kernel detection process detects the attacks that are found in the whole data set.

The next module is the file analyzer module, which analyzes file details. When the system receives any file from another system, the file analyzer first monitors the received data, then analyzes modifications to these files and analyzes their deletion. All of this analysis data is then provided to the crime data mining, where the system identifies the crimes that occurred in the system.

Finally, the memory forensic module is performed. In this module the system uses the wmic tool. From this tool it detects which processes are running in the system, which ports are open in the system, lists the services running in the system, the order in which the system has booted up until that moment, and finally the login session details of the users. This result also moves to the kernel data mining, where it detects which attacks occurred in the system. These are all the attacks in the kernel that are detected by using the kernel data mining process.
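The paragraphs above describe the records the network analyzer and the memory forensic module feed into the crime detection process. The Python script below is an added example and not code from the paper or its tool: it takes a constructed sample of packet records with the fields the paper lists (source/destination MAC, source/destination IP, captured time, plus a destination port, which is an assumption of this example), a constructed list of open ports with their owning process standing in for the wmic Port and Process lists (the field names are assumptions), joins them, counts connection attempts per source and port during the capture window, labels each as known or unknown against a baseline allow-list that the example assumes, and writes the result as CSV in the way the memory forensic module stores its output.

```python
import csv
import io

# Constructed packet records in the form the paper's network analyzer (jpcap)
# records them: Source MAC, Destination MAC, Source IP, Destination IP,
# Captured Time. The destination port field is an assumption of this example.
PACKETS = [
    # (src_mac, dst_mac, src_ip, dst_ip, dst_port, captured_time)
    ("00:11:22:33:44:01", "00:11:22:33:44:ff", "10.0.0.5", "10.0.0.20", 80, "2015-03-01 09:00:01"),
    ("00:11:22:33:44:01", "00:11:22:33:44:ff", "10.0.0.5", "10.0.0.20", 80, "2015-03-01 09:00:02"),
    ("00:11:22:33:44:02", "00:11:22:33:44:ff", "10.0.0.6", "10.0.0.20", 3389, "2015-03-01 09:10:00"),
    ("00:11:22:33:44:02", "00:11:22:33:44:ff", "10.0.0.6", "10.0.0.20", 445, "2015-03-01 09:10:05"),
    ("00:11:22:33:44:07", "00:11:22:33:44:ff", "10.0.0.9", "10.0.0.20", 4444, "2015-03-01 09:05:10"),
    ("00:11:22:33:44:07", "00:11:22:33:44:ff", "10.0.0.9", "10.0.0.20", 4444, "2015-03-01 09:05:11"),
    ("00:11:22:33:44:07", "00:11:22:33:44:ff", "10.0.0.9", "10.0.0.20", 4444, "2015-03-01 09:05:12"),
]

# Constructed open-port records standing in for the memory module's Port and
# Process lists (wmic in the paper); the field names are assumptions.
OPEN_PORTS = [
    {"port": 80, "pid": 1204, "process": "httpd.exe"},
    {"port": 3389, "pid": 880, "process": "svchost.exe"},
    {"port": 4444, "pid": 3120, "process": "update.exe"},
]

# Baseline of (port, process) pairs known to be legitimate on the examined host.
# An assumption of this example; in practice it comes from a clean reference image.
KNOWN_SERVICES = {(80, "httpd.exe"), (445, "System"), (3389, "svchost.exe")}

FIELDS = ["src_ip", "dst_port", "process", "status", "packets", "first_seen", "last_seen"]


def classify_ports(open_ports, known=KNOWN_SERVICES):
    """Label each open port 'known' if its (port, process) pair is in the baseline, else 'unknown'."""
    return {
        rec["port"]: {
            "process": rec["process"],
            "status": "known" if (rec["port"], rec["process"]) in known else "unknown",
        }
        for rec in open_ports
    }


def build_thumb_data(packets, open_ports, known=KNOWN_SERVICES):
    """Join packet records to the open-port list and count attempts per (src_ip, dst_port).

    A port with traffic but no listener is labelled 'no listener'; such probes are
    kept rather than dropped because a port scan shows up exactly this way.
    """
    ports = classify_ports(open_ports, known)
    groups = {}
    for _, _, src_ip, _, dst_port, ts in packets:
        groups.setdefault((src_ip, dst_port), []).append(ts)
    rows = []
    for (src_ip, dst_port), times in sorted(groups.items()):
        info = ports.get(dst_port, {"process": "", "status": "no listener"})
        rows.append({
            "src_ip": src_ip, "dst_port": dst_port, "process": info["process"],
            "status": info["status"], "packets": len(times),
            "first_seen": min(times), "last_seen": max(times),
        })
    return rows


def unknown_connections(rows):
    """The subset the classification step is after: traffic to ports owned by a process outside the baseline."""
    return [r for r in rows if r["status"] == "unknown"]


def to_csv(rows):
    """Serialize the thumb data as CSV text, the storage format the memory module uses."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows = build_thumb_data(PACKETS, OPEN_PORTS)
    print(to_csv(rows))
    for r in unknown_connections(rows):
        print("unknown: %s -> port %d (%s), %d packets"
              % (r["src_ip"], r["dst_port"], r["process"], r["packets"]))
```

The join is deliberately on the (port, process) pair rather than the port alone: a listener on a well-known port run by an unexpected binary is exactly the case a port-only allow-list would miss, and the "no listener" rows preserve scan evidence that would otherwise disappear when only open ports are reported.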
Kernel data mining is the extraction of computer crime related data to determine crime patterns. With the growing sizes of databases, law enforcement and intelligence agencies face the challenge of analyzing large volumes of data involved in criminal and terrorist activities. Thus, a suitable scientific method for kernel forensics is data mining. This kernel data mining works with the DSA, K-means and Apriori algorithms. Finally, the results and graph for the system prediction are displayed.

II. PROBLEM DESCRIPTION

The current kernel characterization mechanisms in DataGene are centralized and are therefore unsuitable for detecting signature-based malware characterization. DataGene monitors kernel memory access behavior, such as reads and writes on OS kernel objects, during execution compromised by kernel rootkits. There are no attack patterns for kernel stacks in the existing rootkits. A bottleneck may occur in the centralized DataGene due to large data set networks, and DataGene generates only the runtime kernel object mapping sequences. To the best of our knowledge, there is no proper database loader to collect the evidence from the OS kernel and the hidden data from the system. Kernel stacks have irregular access patterns: whenever a kernel function is called or returns, the stack is accessed for various purposes such as return values, function arguments, and local variables.

III. EXISTING SYSTEM

In order to detect such malware attacks, a group of defense techniques focus on identifying malware based on behavior. These approaches generate malware DataGene by using a pattern of malware code sequence (e.g., instruction sequences or system call sequences) to match malware behavior [8]. However, some malware employ techniques that obfuscate or vary the patterns of code execution. For example, code obfuscation and code emulation techniques can confuse behavior-based malware detectors and hence avoid detection. This arms race between malware and malware detectors centers on properties of malicious code: injection/integrity of code or the causal sequences of malicious code patterns. While the majority of existing work focuses on the code malware executes, relatively little work has been done which focuses on the data it modifies.

A. ISSUES IN EXISTING SYSTEM

In existing systems there is a possibility of drawing conclusions; if additional data is sought for detailed investigation, it will call for in-depth data collection. Reporting: this is the process of preparing and presenting the outcome of the Analysis phase.

IV. SYSTEM ARCHITECTURE DESIGN

The binary value forwarded is a more costly and fully transparent analysis system of examination, and it is difficult to predict the attackers involved in the network. Existing methods are not efficient enough to provide good results. They produce an incomplete dependence graph from a finite set of execution traces, and the graphs fail to examine the complete set of detections. Volatile memory does not perform well in the generated DataGene. System architecture is the conceptual model that defines the structure, behavior, and other views of a system; it provides a descriptive plan for the file analyzer, memory analyzer and network analyzer. It shows how the components are procured to process, the steps involved in all the modules, and how they work together to implement the overall system.

B. PROPOSED SYSTEM

The proposed scheme addresses kernel forensic investigation, which is an inquiry into unfamiliar or questionable activities in the crime space or digital world. The investigation process is as follows (as per the National Institute of Standards and Technology).

Collection phase: The first step in the kernel forensic process is to identify potential sources of data and acquire forensic data from them. Major sources of data are desktops, storage media, routers, cell phones, digital cameras etc. A plan is developed to acquire data according to their importance, volatility and the amount of effort to collect.
Examination: Once data has been collected, the next phase is to examine it, which involves assessing and extracting the relevant pieces of information from the collected data.

Analysis: The extracted and relevant data is then analyzed.

V. MODULE DESCRIPTION

A. FILE SYSTEM FORENSICS

The first module is file system investigation: the identification, collection and analysis of the evidence from the storage media. A file system or file management system is the part of the operating system which organizes and locates sectors for file storage.

B. HIDDEN EVIDENCE ANALYSIS IN THE FILE SYSTEM

Suspects can hide their sensitive data in various areas of the file system such as volume slack, file slack, bad clusters and deleted file space. The maintenance track/protected area on ATA disks is also used to hide information. The evidence collection tools can copy the above contents. The file allocation table in FAT and the Master File Table (MFT) are used to keep track of files. Figure 4.1.2 shows the MFT structure. MFT entries are manipulated to hide vital and sensitive information. When a file is deleted, the record of the file is removed from the table, thereby making it appear that it does not exist anymore. The clusters used by the deleted file are marked as free and can now be used to store other data. However, although the record is gone, the data may still reside in the clusters of the hard disk. That data can be recovered by calculating the start and end of the file in hex, copying it into a file and saving it with the corresponding extension.

Fig B. MFT structure.

Information about how partitions are set up on a machine is stored in a partition table, which is part of the Master Boot Record (MBR). When the computer is booted, the partition table allows the computer to understand how the hard disk is organized and then passes this information to the operating system. When a partition is deleted, the entry in the partition table is removed, making the data inaccessible. However, even though the partition entry has been removed, the data still resides on the hard disk. A file system may not use an entire partition; the space after the end of the volume, called volume slack, can be used to hide data. The space between partitions is also vulnerable to hiding data, and file slack space is another hidden storage. Figure 3.1.3 shows the slack spaces in a disk. Clusters marked as bad may also be used to hide data.

C. Apriori Algorithm

1) Identify variables/item sets from a case report (our proposed system stores these variables as attributes of tables: the filesystem table and the network table).
2) Item sets I = {I1, I2, I3 ... Im}.
3) Set of actions D = {t1, t2, t3 ... tn}.
4) Find frequent item sets by using the Apriori algorithm, which employs an iterative, level-wise search to find the set of frequent item sets. E.g. if an attacker attacked a database, a login attempt resulted in data loss/data tampering, and the case report shows actions like Data deleted, Login attempt, attack type = SQL injection; if these item sets are frequent then we can set the rule: motive of attack is Data theft.
5) Make association rules, i.e. rules of the form X -> Y showing an association between X and Y such that if X occurs then Y will occur. If the attacker accessed operating system files then we can say the motive of the attack is a system crash. If the attacker attacked the database login and stole a password then we can say the criminal motive is data theft/data change. Find other signs of evidence: correlation, contingencies (consider these values while making rule sets).
6) Set SQL queries according to the rules.
7) Retrieve data.

D. MEMORY FORENSIC ANALYSIS

The memory forensic analysis process consists of the browser history and the active processes in the system. It consists of Process (lists all processes running on the system), Port (lists all ports in the system), Services (lists the services running on the system), Load order (gives the order in which the system has booted up until that moment), and Net login (gives the login session details of the users).

E. PHASES OF MEMORY FORENSICS

The memory forensic module consists of five processes.
1. Process: lists all processes running on the system.
2. Port: lists all open ports. The output of 1 and 2 will later be mined for classification into unknown (potentially malicious) and known connections.
3. Services: lists the services running on the system (to know if some malicious services are running on the system).
4. Load order: gives the order in which the system has booted up until that moment (to see if some malicious processes were involved).
5. Net login: gives the login session details of the users.
Finally all these details are stored as a CSV file or another format as per our convenience.

VI. CONCLUSION

This paper explains hidden evidence acquisition using kernel data mining. In the first phase, the first two modules are explained in detail. The file analyzer module analyzes file details: when the system receives any file from another system, the file analyzer first monitors the received data, then analyzes modifications to these files and analyzes their deletion. All of this analysis data is then provided to the kernel crime data mining, where the system identifies the crimes that occurred in the system. The second module explains the investigation of internal memory, and detection is achieved by generating the Kernel Crime Data Mining (KCDM). The proposed Apriori and K-means algorithms are used to analyze the network system, and finally the attacks in the kernel are detected by using the kernel data mining process. Kernel data mining is the extraction of computer crime related data to determine crime patterns. Finally, the results and graph for the system prediction are displayed. In future, we can implement a Linux based compiler level tool that takes a source program and automatically produces the source code for detecting kernel malware attacks and their characterization.

REFERENCES

[1] C. Kolbitsch, P. Milani Comparetti, C. Kruegel, E. Kirda, X. Zhou, and X. Wang, "Effective and efficient malware detection at the end host," in Proc. 18th USENIX Sec. Symp., Aug. 2009, pp. 351-366.
[2] C. Kruegel, W. Robertson, and G. Vigna, "Detecting kernel-level rootkits through binary analysis," in Proc. 20th ACSAC, Dec. 2004, pp. 91-100.
[3] P. Chen, H. Xiao, X. Shen, X. Yin, B. Mao, and L. Xie, "DROP: Detecting return-oriented programming malicious code," in Proc. 5th ICISS, Dec. 2009, pp. 163-177.
[4] M. Christodorescu, C. Kruegel, and S. Jha, "Mining specifications of malicious behavior," in Proc. 6th Joint Meeting ESEC/FSE, Sep. 2007, pp. 1-10.
[5] D. Balzarotti, M. Cova, C. Karlberger, C. Kruegel, E. Kirda, and G. Vigna, "Efficient detection of split personalities in malware," in Proc. 17th Annu. NDSS, Feb. 2010, pp. 1-17.
[6] M. Sharif, A. Lanzi, J. Giffin, and W. Lee, "Impeding malware analysis using conditional code obfuscation," in Proc. 15th Annu. NDSS, 2008, pp. 65-88.
[7] M. Sharif, A. Lanzi, J. Giffin, and W. Lee, "Automatic reverse engineering of malware emulators," in Proc. 30th IEEE Symp. Sec. Privacy, Mar. 2009, pp. 116.
[8] U. Bayer, P. Milani Comparetti, C. Hlauschek, C. Kruegel, and E. Kirda, "Scalable, behavior-based malware clustering," in Proc. 16th Symp. NDSS, Feb. 2009, pp. 1-26.
[9] D. Kleiman, K. Timothy and M. Cross, The Official CHFI Study Guide for Forensic Investigators, 2007.
[10] B. Carrier, File System Forensic Analysis, Addison Wesley Professional, 2005.
[11] C. Kaiwee, "Analysis of Hidden Data in NTFS File System," Whitepaper, 2010.
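The Apriori procedure of section V.C (identify item sets from case reports, find frequent item sets level by level, derive X -> Y association rules, attach a motive, turn a rule into an SQL query and retrieve the matching cases) carried through as an added worked example in Python. This is not the paper's own code: the case reports, the minimum support and confidence thresholds, the motive table and the case_action table schema are all constructed for this example, and the motives follow the examples the paper gives in steps 4 and 5.

```python
import sqlite3
from itertools import combinations

# Constructed case reports, D = {t1, ..., tn}: each case is the set of actions
# recorded for it, using the item vocabulary of section V.C. Values are made up.
CASES = [
    (1, {"Login attempt", "Data deleted", "attack type = SQL injection"}),
    (2, {"Login attempt", "Data deleted", "attack type = SQL injection"}),
    (3, {"Login attempt", "Data tampered", "attack type = SQL injection"}),
    (4, {"Login attempt", "Data deleted"}),
    (5, {"OS files accessed", "Service stopped"}),
    (6, {"OS files accessed", "Service stopped"}),
    (7, {"OS files accessed"}),
    (8, {"Login attempt", "Password stolen"}),
]

# Motives the paper attaches to item sets; the table itself is an assumption.
MOTIVES = [
    ({"Login attempt", "Data deleted"}, "Data theft"),
    ({"Login attempt", "Password stolen"}, "Data theft/data change"),
    ({"OS files accessed"}, "System crash"),
]


def support(itemset, transactions):
    """Fraction of cases that contain every item of the set."""
    return sum(1 for t in transactions if itemset <= t) / len(transactions)


def apriori(transactions, min_support):
    """Step 4: level-wise search. Returns {frozenset(items): support} for every frequent item set."""
    frequent = {}
    level = {frozenset([item]) for t in transactions for item in t}
    level = {c for c in level if support(c, transactions) >= min_support}
    k = 1
    while level:
        for c in level:
            frequent[c] = support(c, transactions)
        k += 1
        # Join: candidates of size k from pairs of frequent (k-1)-sets.
        candidates = {a | b for a in level for b in level if len(a | b) == k}
        # Prune: every (k-1)-subset of a frequent set must itself be frequent.
        candidates = {c for c in candidates
                      if all(frozenset(s) in level for s in combinations(c, k - 1))}
        level = {c for c in candidates if support(c, transactions) >= min_support}
    return frequent


def motive_for(itemset):
    """Look up the motive whose evidence items are all present in the item set."""
    for items, motive in MOTIVES:
        if items <= itemset:
            return motive
    return None


def association_rules(frequent, min_confidence):
    """Step 5: X -> Y for each split of a frequent set, kept when confidence >= threshold."""
    rules = []
    for itemset, sup in frequent.items():
        if len(itemset) < 2:
            continue
        for r in range(1, len(itemset)):
            for x in combinations(itemset, r):
                x = frozenset(x)
                y = itemset - x
                confidence = sup / frequent[x]  # every subset of a frequent set is frequent
                if confidence >= min_confidence:
                    rules.append({"if": x, "then": y, "support": sup,
                                  "confidence": confidence, "motive": motive_for(itemset)})
    return rules


def load_cases(cases):
    """One row per (case, action) in an in-memory table; the schema is an assumption."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE case_action (case_id INTEGER, action TEXT)")
    con.executemany("INSERT INTO case_action VALUES (?, ?)",
                    [(cid, a) for cid, actions in cases for a in actions])
    return con


def cases_matching(con, itemset):
    """Steps 6 and 7: parameterized query for every case that contains all items of a rule."""
    items = sorted(itemset)
    placeholders = ",".join("?" * len(items))
    sql = ("SELECT case_id FROM case_action WHERE action IN (%s) "
           "GROUP BY case_id HAVING COUNT(DISTINCT action) = ? ORDER BY case_id" % placeholders)
    return [row[0] for row in con.execute(sql, items + [len(items)])]


if __name__ == "__main__":
    transactions = [actions for _, actions in CASES]
    frequent = apriori(transactions, min_support=0.25)
    con = load_cases(CASES)
    for rule in association_rules(frequent, min_confidence=0.6):
        if rule["motive"]:
            print(sorted(rule["if"]), "->", sorted(rule["then"]),
                  "conf=%.2f motive=%s cases=%s"
                  % (rule["confidence"], rule["motive"],
                     cases_matching(con, rule["if"] | rule["then"])))
```

With the constructed reports and a minimum support of 0.25, "Data tampered" and "Password stolen" are pruned at the first level, so no rule about them is ever generated even though the motive table mentions one; the thresholds, not the motive table, decide what the mining reports, which is why they need to be recorded with the results of a case. The rule's SQL is built only from placeholders, with the item names passed as parameters, so item values taken from case reports never become part of the query text.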