HProve: A Hypervisor Level Provenance System to Reconstruct Attack Story Caused by Kernel Malware

Wang, Chonghua and Yin, Libo and Li, Jun and Chen, Xuehong and Yin, Rongchao and Yun, Xiaochun and Jiao, Yang and Hao, Zhiyu (2019) HProve: A Hypervisor Level Provenance System to Reconstruct Attack Story Caused by Kernel Malware. EAI Endorsed Transactions on Security and Safety, 5 (18). e5. ISSN 2032-9393

Available under License Creative Commons Attribution No Derivatives.



Provenance of system subjects (e.g., processes) and objects (e.g., files) is very useful for many forensic tasks. In our analysis and comparison of existing Linux provenance tracing systems, we found that most of them place the Linux kernel in the trusted base, which makes them vulnerable to kernel-level malware. To address this problem, we present HProve, a hypervisor-level provenance tracing system that reconstructs the attack story of kernel malware. It monitors the execution of kernel functions and accesses to sensitive objects, and correlates system subjects and objects to form the causality dependencies of an attack. We evaluated our prototype on 12 real-world kernel malware samples; the results show that it correctly identifies the provenance behaviors of the kernel malware with minor performance overhead.
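The correlation step the abstract describes (events from hooked kernel functions and sensitive objects turned into subject/object causality dependencies, then traced backward to a root cause and forward to the impact) can be illustrated on a small constructed trace. The following is an added example written for this page, not HProve's code: the hook names, node labels, the sensitive-object list and the trace events are all assumptions made for the illustration, and the seq-bounded backward/forward search is the standard provenance-graph technique, not a claim about HProve's internal algorithm.

```python
"""Provenance reconstruction over constructed hypervisor-level trace events.

Added example modelled on the approach the abstract describes (hook kernel
functions and sensitive objects, correlate subjects and objects into causality
dependencies). It is not HProve's own code; hook names, node labels and the
events below are assumptions made for the example.
"""
from collections import defaultdict

# Constructed trace as a hypervisor-level monitor might record it:
# (seq, hook, subject, object, direction); "w" = subject modifies object,
# "r" = subject reads / is influenced by object.
TRACE = [
    (1, "do_sys_open", "proc:2002(sshd)", "file:/etc/ld.so.preload", "r"),  # benign, pre-attack
    (2, "do_sys_open", "proc:1001(bash)", "file:/tmp/rk.ko", "r"),
    (3, "load_module", "proc:1001(bash)", "kmod:rk", "w"),
    (4, "mem_write",   "kmod:rk", "kobj:sys_call_table", "w"),              # syscall hooking
    (5, "vfs_write",   "kmod:rk", "file:/etc/ld.so.preload", "w"),
    (6, "do_sys_open", "proc:2002(sshd)", "file:/etc/ld.so.preload", "r"),
    (7, "vfs_write",   "proc:3003(cron)", "file:/var/log/cron", "w"),       # unrelated
]

# Kernel objects whose modification the monitor treats as an alert (assumed list).
SENSITIVE_OBJECTS = {"kobj:sys_call_table"}


def find_alerts(trace):
    """Events in which a subject modifies a sensitive object."""
    return [ev for ev in trace if ev[4] == "w" and ev[3] in SENSITIVE_OBJECTS]


def build_graph(trace):
    """Directed, timestamped flow graph: edge (src -> dst, seq) means src
    influenced dst at event seq."""
    out_edges, in_edges = defaultdict(list), defaultdict(list)
    for seq, _hook, subject, obj, direction in trace:
        src, dst = (subject, obj) if direction == "w" else (obj, subject)
        out_edges[src].append((dst, seq))
        in_edges[dst].append((src, seq))
    return out_edges, in_edges


def backward_trace(in_edges, node, seq):
    """Causal ancestors of `node` as of event `seq`.
    Returns ({ancestor: latest event that reached it}, {edge seqs used})."""
    reached, used = {}, set()
    stack = [(node, seq)]
    while stack:
        cur, bound = stack.pop()
        for src, t in in_edges.get(cur, []):
            if t > bound:
                continue  # happened after the state we are explaining
            used.add(t)
            if reached.get(src, -1) < t:
                reached[src] = t
                stack.append((src, t))
    return reached, used


def forward_trace(out_edges, node, seq):
    """Everything `node` influenced from event `seq` onward (impact analysis)."""
    reached, used = {}, set()
    stack = [(node, seq)]
    while stack:
        cur, bound = stack.pop()
        for dst, t in out_edges.get(cur, []):
            if t < bound:
                continue  # predates the influence we are propagating
            used.add(t)
            if reached.get(dst, float("inf")) > t:
                reached[dst] = t
                stack.append((dst, t))
    return reached, used


def reconstruct_story(trace, alert):
    """Backward-trace the alert to its root cause, then forward-trace from each
    ancestor to capture the attack's impact; return the involved events in order."""
    seq, _hook, _subject, obj, _direction = alert
    out_edges, in_edges = build_graph(trace)
    ancestors, used = backward_trace(in_edges, obj, seq)
    for node, bound in ancestors.items():
        _, fwd = forward_trace(out_edges, node, bound)
        used |= fwd
    used.add(seq)
    return [ev for ev in trace if ev[0] in used]


if __name__ == "__main__":
    for alert in find_alerts(TRACE):
        for ev in reconstruct_story(TRACE, alert):
            print(ev)
```

Run as a script, the alert on the `sys_call_table` write resolves to events 2 through 6: the module load from `/tmp/rk.ko`, the syscall-table modification, the write to `/etc/ld.so.preload`, and sshd's later read of that file; the benign pre-attack read (event 1) and the unrelated cron write (event 7) are excluded because every edge is filtered against the sequence bound at which its endpoint entered the attack path. That bound check is what keeps a provenance graph from degenerating into "everything depends on everything"; the hypervisor vantage point the paper argues for matters for the same graph, since in-kernel hooks could be disabled by the very module that event 3 loads.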

Item Type: Article
Uncontrolled Keywords: Provenance Tracing; System Logging; Kernel Malware; Forensic Investigation
Subjects: H Social Sciences > H Social Sciences (General)
Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Depositing User: EAI Editor IV
Date Deposited: 26 Mar 2021 13:59
Last Modified: 26 Mar 2021 13:59
URI: https://eprints.eudl.eu/id/eprint/2106
