TY - GEN
T1 - Blacksheep
T2 - 2012 ACM Conference on Computer and Communications Security, CCS 2012
AU - Bianchi, Antonio
AU - Shoshitaishvili, Yan
AU - Kruegel, Christopher
AU - Vigna, Giovanni
PY - 2012/11/26
Y1 - 2012/11/26
N2 - The lucrative rewards of security penetrations into large organizations have motivated the development and use of many sophisticated rootkit techniques to maintain an attacker's presence on a compromised system. Due to the evasive nature of such infections, detecting these rootkit infestations is a problem facing modern organizations. While many approaches to this problem have been proposed, various drawbacks that range from signature generation issues, to coverage, to performance, prevent these approaches from being ideal solutions. In this paper, we present Blacksheep, a distributed system for detecting a rootkit infestation among groups of similar machines. This approach was motivated by the homogenous natures of many corporate networks. Taking advantage of the similarity amongst the machines that it analyses, Blacksheep is able to efficiently and effectively detect both existing and new infestations by comparing the memory dumps collected from each host. We evaluate Blacksheep on two sets of memory dumps. One set is taken from virtual machines using virtual machine introspection, mimicking the deployment of Blacksheep on a cloud computing provider's network. The other set is taken from Windows XP machines via a memory acquisition driver, demonstrating Blacksheep's usage under more challenging image acquisition conditions. The results of the evaluation show that by leveraging the homogeneous nature of groups of computers, it is possible to detect rootkit infestations.
AB - The lucrative rewards of security penetrations into large organizations have motivated the development and use of many sophisticated rootkit techniques to maintain an attacker's presence on a compromised system. Due to the evasive nature of such infections, detecting these rootkit infestations is a problem facing modern organizations. While many approaches to this problem have been proposed, various drawbacks that range from signature generation issues, to coverage, to performance, prevent these approaches from being ideal solutions. In this paper, we present Blacksheep, a distributed system for detecting a rootkit infestation among groups of similar machines. This approach was motivated by the homogenous natures of many corporate networks. Taking advantage of the similarity amongst the machines that it analyses, Blacksheep is able to efficiently and effectively detect both existing and new infestations by comparing the memory dumps collected from each host. We evaluate Blacksheep on two sets of memory dumps. One set is taken from virtual machines using virtual machine introspection, mimicking the deployment of Blacksheep on a cloud computing provider's network. The other set is taken from Windows XP machines via a memory acquisition driver, demonstrating Blacksheep's usage under more challenging image acquisition conditions. The results of the evaluation show that by leveraging the homogeneous nature of groups of computers, it is possible to detect rootkit infestations.
KW - Computer security
KW - Kernel-based rootkits
KW - Rootkit detection
UR - http://www.scopus.com/inward/record.url?scp=84869420333&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84869420333&partnerID=8YFLogxK
U2 - 10.1145/2382196.2382234
DO - 10.1145/2382196.2382234
M3 - Conference contribution
AN - SCOPUS:84869420333
SN - 9781450316507
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 341
EP - 352
BT - CCS'12 - Proceedings of the 2012 ACM Conference on Computer and Communications Security
Y2 - 16 October 2012 through 18 October 2012
ER -