Logo image
HProve: a hypervisor level provenance system to reconstruct attack story caused by kernel malware
Conference paper   Open access   Peer reviewed

HProve: a hypervisor level provenance system to reconstruct attack story caused by kernel malware

Chonghua Wang, Libo Yin, Jun Li, Xuehong Chen, Rongchao Yin, Xiaochun Yun, Yang Jiao, Shiqing Ma and Zhiyu Hao
EAI endorsed transactions on security and safety, Vol.5(18), p.157417
European Alliance for Innovation (EAI)
01/01/2019

Abstract

Kernel functions Linux Malware Object recognition Provenance Tracing
Provenance of system subjects (e.g., processes) and objects (e.g., files) are very useful for many forensics tasks. In our analysis and comparison of existing Linux provenance tracing systems, we found that most systems assume the Linux kernel to be in the trust base, making these systems vulnerable to kernel level malware. To address this problem, we present HProve, a hypervisor level provenance tracing system to reconstruct kernel malware attack story. It monitors the execution of kernel functions and sensitive objects, and correlates the system subjects and objects to form the causality dependencies for the attacks. We evaluated our prototype on 12 real world kernel malware samples, and the results show that it can correctly identify the provenance behaviors of the kernel malware with a minor performance overhead.
pdf
SecureComm2017 Hprove 20182.15 MBDownloadView
Version of Record (VoR) Open Access CC BY V4.0
url
http://eudl.eu/pdf/10.4108/eai.8-4-2019.157417View
Version of Record (VoR) Open
url
Report an accessibility issueView
Please complete a content remediation request to report an accessibility issue with a library electronic resource, website, or service.

Metrics

60 File downloads
52 Record Views

Details

Logo image