基于深度学习的Linux系统DKOM攻击检测  被引量：1

作　　者：陈亮 孙聪[1] CHEN Liang;SUN Cong(School of Cyber Engineering,Xidian University,Xi’an 710071,China;Huawei Technologies Co.,Ltd.,Xi’an 710100,China)

机构地区：[1]西安电子科技大学网络与信息安全学院,西安710071 [2]华为技术有限公司,西安710100

出　　处：《计算机科学》2024年第9期383-392,共10页Computer Science

基　　金：国家自然科学基金(62272366);陕西省重点研发计划(2023-YBGY-371)。

摘　　要：直接内核对象操纵(DKOM)攻击通过直接访问和修改内核对象来隐藏内核对象,是主流操作系统长期存在的关键安全问题。对DKOM攻击进行基于行为的在线扫描适用的恶意程序类型有限且检测过程本身易受DKOM攻击影响。近年来,针对潜在受DKOM攻击的系统进行基于内存取证的静态分析成为一种有效和安全的检测方法。现有方法已能够针对Windows内核对象采用图神经网络模型进行内核对象识别,但不适用于Linux系统内核对象,且对于缺少指针字段的小内核对象的识别有效性有限。针对以上问题,设计并实现了一种基于深度学习的Linux系统DKOM攻击检测方案。首先提出了一种扩展内存图结构刻画内核对象的指针指向关系和常量字段特征,利用关系图卷积网络对扩展内存图的拓扑结构进行学习以实现内存图节点分类,使用基于投票的对象推测算法得出内核对象地址,并通过与现有分析框架Volatility的识别结果对比实现对Linux系统DKOM攻击的检测。提出的扩展内存图结构相比现有的内存图结构能更好地表示缺乏指针但具有常量字段的小内核数据结构的特征,实现更高的内核对象检测有效性。与现有基于行为的在线扫描工具chkrootkit相比,针对5种现实世界Rootkit的DKOM行为,所提方案实现了更高的检测有效性,精确度提高20.1%,召回率提高32.4%。Direct kernel object manipulation(DKOM)attacks hide the kernel objects through direct access and modification to the kernel objects.Such attacks are a long-term critical security issue in mainstream operating systems.The behavior-based online scanning can efficiently detect limited types of DKOM attacks,and the detection procedure can be easily affected by the attacks.In recent years,memory-forensics-based static analysis has become an effective and secure detection approach in the systems potentially attacked by DKOM.The state-of-the-art approach can identify the Windows system kernel objects using a graph neural network model.However,this approach cannot be adapted to Linux kernel objects and has limitations in identifying small kernel objects with few pointer fields.This paper designs and implements a deep-learning-based DKOM attack detection approach for Linux systems to address these issues.An extended memory graph structure is proposed to depict the points-to relation and the constant fields’characteristics of the kernel objects.This paper uses relational graph convolutional networks to learn the topology of the extended memory graph to classify the graph nodes.A voting-based object inference algorithm is proposed to identify the kernel objects’addresses.The DKOM attack is detected by comparing our kernel object identification results and the results of the memory forensics framework Volatility.The contributions of this paper are as follows.1)An extended memory graph structure that improves the detection effectiveness of the existing memory graph on capturing the features of small kernel data structures with few pointers but with evident constant fields.2)On the DKOM attacks raised by five real-world Rootkits,our approach achieves 20.1%higher precision and 32.4%higher recall than the existing behavior-based online scanning tool chkrootkit.

关 键 词：内存取证 恶意软件检测 操作系统安全 图神经网络 二进制分析 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]