Blacksheep: Detecting compromised hosts in homogeneous crowds

Antonio Bianchi, Yan Shoshitaishvili, Christopher Kruegel, Giovanni Vigna

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

26 Citations (Scopus)

Abstract

The lucrative rewards of security penetrations into large organizations have motivated the development and use of many sophisticated rootkit techniques to maintain an attacker's presence on a compromised system. Due to the evasive nature of such infections, detecting these rootkit infestations is a problem facing modern organizations. While many approaches to this problem have been proposed, various drawbacks that range from signature generation issues, to coverage, to performance, prevent these approaches from being ideal solutions. In this paper, we present Blacksheep, a distributed system for detecting a rootkit infestation among groups of similar machines. This approach was motivated by the homogeneous nature of many corporate networks. Taking advantage of the similarity amongst the machines that it analyzes, Blacksheep is able to efficiently and effectively detect both existing and new infestations by comparing the memory dumps collected from each host. We evaluate Blacksheep on two sets of memory dumps. One set is taken from virtual machines using virtual machine introspection, mimicking the deployment of Blacksheep on a cloud computing provider's network. The other set is taken from Windows XP machines via a memory acquisition driver, demonstrating Blacksheep's usage under more challenging image acquisition conditions. The results of the evaluation show that by leveraging the homogeneous nature of groups of computers, it is possible to detect rootkit infestations.
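The abstract's core idea, that look-alike hosts should carry near-identical kernel state so the one that disagrees with the crowd is the suspect, is easy to see in a small crowd-consensus sketch. The following is an added illustration and not Blacksheep's code: it does no memory-image parsing, and the snapshot layout, host names, feature names (syscall-table targets, a driver dispatch target, loaded-module set, uptime) and their values are all constructed for the demonstration.

```python
"""Crowd-consensus outlier detection over per-host kernel snapshots.

Added illustration of the idea in the abstract (compare many similar hosts,
flag the one that disagrees with the crowd).  This is not Blacksheep's code
and does no memory-image parsing: the snapshot layout, host names, feature
names and values below are constructed for the demonstration.
"""
from collections import Counter
from typing import Dict, Hashable, List, Optional, Tuple

Snapshot = Dict[str, Hashable]
ABSENT = "<absent>"  # placeholder for a feature a host's dump does not contain


def build_consensus(snapshots: Dict[str, Snapshot],
                    min_agreement: float = 0.6) -> Dict[str, Optional[Hashable]]:
    """Per feature, return the value the crowd agrees on.

    A feature is ambiguous (mapped to None) when no single value is held by
    at least ``min_agreement`` of the hosts; such features (uptime, per-host
    counters) carry no signal and are excluded from scoring.
    """
    n_hosts = len(snapshots)
    features = set().union(*(s.keys() for s in snapshots.values()))
    consensus: Dict[str, Optional[Hashable]] = {}
    for feature in sorted(features):
        tally = Counter(s.get(feature, ABSENT) for s in snapshots.values())
        value, count = tally.most_common(1)[0]
        consensus[feature] = value if count / n_hosts >= min_agreement else None
    return consensus


def deviations(snapshot: Snapshot,
               consensus: Dict[str, Optional[Hashable]]
               ) -> List[Tuple[str, Hashable, Hashable]]:
    """(feature, observed, expected) for every unambiguous feature on which
    this host disagrees with the crowd."""
    return [(f, snapshot.get(f, ABSENT), expected)
            for f, expected in consensus.items()
            if expected is not None and snapshot.get(f, ABSENT) != expected]


def flag_outliers(snapshots: Dict[str, Snapshot], min_deviations: int = 2,
                  min_agreement: float = 0.6
                  ) -> Dict[str, List[Tuple[str, Hashable, Hashable]]]:
    """Hosts with at least ``min_deviations`` disagreements, with evidence.
    The threshold absorbs a single benign difference (a site-specific driver)."""
    consensus = build_consensus(snapshots, min_agreement)
    report = {h: deviations(s, consensus) for h, s in snapshots.items()}
    return {h: d for h, d in report.items() if len(d) >= min_deviations}


# Constructed fleet of six look-alike hosts.  Each feature stands in for what
# a dump parser would extract: the module that a few syscall-table entries
# resolve to, a driver's IRP dispatch target, the loaded-module set, and one
# field (uptime) that legitimately differs per host.
_BASELINE: Snapshot = {
    "ssdt[NtOpenProcess]": "ntoskrnl.exe",
    "ssdt[NtQueryDirectoryFile]": "ntoskrnl.exe",
    "ssdt[NtQuerySystemInformation]": "ntoskrnl.exe",
    "driver[tcpip.sys].irp[IRP_MJ_DEVICE_CONTROL]": "tcpip.sys",
    "module[ntoskrnl.exe]": "loaded",
    "module[tcpip.sys]": "loaded",
}
SNAPSHOTS: Dict[str, Snapshot] = {
    f"host-{i:02d}": dict(_BASELINE, uptime_seconds=1000 * i) for i in range(1, 7)
}
# host-02 carries one benign, site-specific extra driver: a single deviation.
SNAPSHOTS["host-02"]["module[usbvideo.sys]"] = "loaded"
# host-04 has two syscall entries resolving outside any loaded module plus an
# unknown driver: three deviations, the pattern a kernel rootkit leaves behind.
SNAPSHOTS["host-04"]["ssdt[NtQueryDirectoryFile]"] = "<unbacked>"
SNAPSHOTS["host-04"]["ssdt[NtQuerySystemInformation]"] = "<unbacked>"
SNAPSHOTS["host-04"]["module[rkdrv.sys]"] = "loaded"

if __name__ == "__main__":
    for host, evidence in flag_outliers(SNAPSHOTS).items():
        print(f"{host}: {len(evidence)} deviations from the crowd")
        for feature, observed, expected in evidence:
            print(f"  {feature}: {observed!r} (crowd: {expected!r})")
```

Two caveats a practitioner would keep in mind with any crowd-based scheme: it is blind to an infection that already holds the majority of the crowd, since the consensus then encodes the rootkit, and raw kernel pointers must be normalized (module plus offset) before comparison on systems with kernel address randomization, or every host disagrees with every other and nothing reaches the agreement threshold.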

Original language: English (US)
Title of host publication: CCS'12 - Proceedings of the 2012 ACM Conference on Computer and Communications Security
Pages: 341-352
Number of pages: 12
DOIs: 10.1145/2382196.2382234
State: Published - Nov 26 2012
Externally published: Yes
Event: 2012 ACM Conference on Computer and Communications Security, CCS 2012 - Raleigh, NC, United States
Duration: Oct 16 2012 - Oct 18 2012

Other

Other: 2012 ACM Conference on Computer and Communications Security, CCS 2012
Country: United States
City: Raleigh, NC
Period: 10/16/12 - 10/18/12

Fingerprint

Data storage equipment
Image acquisition
Cloud computing
Malware
Virtual machine

Keywords

  • Computer security
  • Kernel-based rootkits
  • Rootkit detection

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Cite this

Bianchi, A., Shoshitaishvili, Y., Kruegel, C., & Vigna, G. (2012). Blacksheep: Detecting compromised hosts in homogeneous crowds. In CCS'12 - Proceedings of the 2012 ACM Conference on Computer and Communications Security (pp. 341-352) https://doi.org/10.1145/2382196.2382234

@inproceedings{0aa8e4946ea64f6da181475fb08c99ad,
title = "Blacksheep: Detecting compromised hosts in homogeneous crowds",
abstract = "The lucrative rewards of security penetrations into large organizations have motivated the development and use of many sophisticated rootkit techniques to maintain an attacker's presence on a compromised system. Due to the evasive nature of such infections, detecting these rootkit infestations is a problem facing modern organizations. While many approaches to this problem have been proposed, various drawbacks that range from signature generation issues, to coverage, to performance, prevent these approaches from being ideal solutions. In this paper, we present Blacksheep, a distributed system for detecting a rootkit infestation among groups of similar machines. This approach was motivated by the homogeneous nature of many corporate networks. Taking advantage of the similarity amongst the machines that it analyzes, Blacksheep is able to efficiently and effectively detect both existing and new infestations by comparing the memory dumps collected from each host. We evaluate Blacksheep on two sets of memory dumps. One set is taken from virtual machines using virtual machine introspection, mimicking the deployment of Blacksheep on a cloud computing provider's network. The other set is taken from Windows XP machines via a memory acquisition driver, demonstrating Blacksheep's usage under more challenging image acquisition conditions. The results of the evaluation show that by leveraging the homogeneous nature of groups of computers, it is possible to detect rootkit infestations.",
keywords = "Computer security, Kernel-based rootkits, Rootkit detection",
author = "Antonio Bianchi and Yan Shoshitaishvili and Christopher Kruegel and Giovanni Vigna",
year = "2012",
month = "11",
day = "26",
doi = "10.1145/2382196.2382234",
language = "English (US)",
isbn = "9781450316507",
pages = "341--352",
booktitle = "CCS'12 - Proceedings of the 2012 ACM Conference on Computer and Communications Security",
}

TY - GEN

T1 - Blacksheep

T2 - Detecting compromised hosts in homogeneous crowds

AU - Bianchi, Antonio

AU - Shoshitaishvili, Yan

AU - Kruegel, Christopher

AU - Vigna, Giovanni

PY - 2012/11/26

Y1 - 2012/11/26

AB - The lucrative rewards of security penetrations into large organizations have motivated the development and use of many sophisticated rootkit techniques to maintain an attacker's presence on a compromised system. Due to the evasive nature of such infections, detecting these rootkit infestations is a problem facing modern organizations. While many approaches to this problem have been proposed, various drawbacks that range from signature generation issues, to coverage, to performance, prevent these approaches from being ideal solutions. In this paper, we present Blacksheep, a distributed system for detecting a rootkit infestation among groups of similar machines. This approach was motivated by the homogeneous nature of many corporate networks. Taking advantage of the similarity amongst the machines that it analyzes, Blacksheep is able to efficiently and effectively detect both existing and new infestations by comparing the memory dumps collected from each host. We evaluate Blacksheep on two sets of memory dumps. One set is taken from virtual machines using virtual machine introspection, mimicking the deployment of Blacksheep on a cloud computing provider's network. The other set is taken from Windows XP machines via a memory acquisition driver, demonstrating Blacksheep's usage under more challenging image acquisition conditions. The results of the evaluation show that by leveraging the homogeneous nature of groups of computers, it is possible to detect rootkit infestations.

KW - Computer security

KW - Kernel-based rootkits

KW - Rootkit detection

UR - http://www.scopus.com/inward/record.url?scp=84869420333&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84869420333&partnerID=8YFLogxK

U2 - 10.1145/2382196.2382234

DO - 10.1145/2382196.2382234

M3 - Conference contribution

AN - SCOPUS:84869420333

SN - 9781450316507

SP - 341

EP - 352

BT - CCS'12 - Proceedings of the 2012 ACM Conference on Computer and Communications Security

ER -