Blacksheep: Detecting compromised hosts in homogeneous crowds

Antonio Bianchi; Yan Shoshitaishvili; Christopher Kruegel; Giovanni Vigna

doi:10.1145/2382196.2382234

Blacksheep: Detecting compromised hosts in homogeneous crowds

Antonio Bianchi, Yan Shoshitaishvili, Christopher Kruegel, Giovanni Vigna

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

26 Citations (Scopus)

Abstract

The lucrative rewards of security penetrations into large organizations have motivated the development and use of many sophisticated rootkit techniques to maintain an attacker's presence on a compromised system. Due to the evasive nature of such infections, detecting these rootkit infestations is a problem facing modern organizations. While many approaches to this problem have been proposed, various drawbacks that range from signature generation issues, to coverage, to performance, prevent these approaches from being ideal solutions. In this paper, we present Blacksheep, a distributed system for detecting a rootkit infestation among groups of similar machines. This approach was motivated by the homogenous natures of many corporate networks. Taking advantage of the similarity amongst the machines that it analyses, Blacksheep is able to efficiently and effectively detect both existing and new infestations by comparing the memory dumps collected from each host. We evaluate Blacksheep on two sets of memory dumps. One set is taken from virtual machines using virtual machine introspection, mimicking the deployment of Blacksheep on a cloud computing provider's network. The other set is taken from Windows XP machines via a memory acquisition driver, demonstrating Blacksheep's usage under more challenging image acquisition conditions. The results of the evaluation show that by leveraging the homogeneous nature of groups of computers, it is possible to detect rootkit infestations.

Original language	English (US)
Title of host publication	CCS'12 - Proceedings of the 2012 ACM Conference on Computer and Communications Security
Pages	341-352
Number of pages	12
DOIs	https://doi.org/10.1145/2382196.2382234
State	Published - Nov 26 2012
Externally published	Yes
Event	2012 ACM Conference on Computer and Communications Security, CCS 2012 - Raleigh, NC, United States Duration: Oct 16 2012 → Oct 18 2012

Other

Other	2012 ACM Conference on Computer and Communications Security, CCS 2012
Country	United States
City	Raleigh, NC
Period	10/16/12 → 10/18/12

Fingerprint

Data storage equipment

Image acquisition

Cloud computing

Malware

Virtual machine

Keywords

Computer security
Kernel-based rootkits
Rootkit detection

ASJC Scopus subject areas

Software
Computer Networks and Communications

Cite this

Bianchi, A., Shoshitaishvili, Y., Kruegel, C., & Vigna, G. (2012). Blacksheep: Detecting compromised hosts in homogeneous crowds. In CCS'12 - Proceedings of the 2012 ACM Conference on Computer and Communications Security (pp. 341-352) https://doi.org/10.1145/2382196.2382234

Blacksheep : Detecting compromised hosts in homogeneous crowds. / Bianchi, Antonio; Shoshitaishvili, Yan; Kruegel, Christopher; Vigna, Giovanni.

CCS'12 - Proceedings of the 2012 ACM Conference on Computer and Communications Security. 2012. p. 341-352.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Bianchi, A, Shoshitaishvili, Y, Kruegel, C & Vigna, G 2012, Blacksheep: Detecting compromised hosts in homogeneous crowds. in CCS'12 - Proceedings of the 2012 ACM Conference on Computer and Communications Security. pp. 341-352, 2012 ACM Conference on Computer and Communications Security, CCS 2012, Raleigh, NC, United States, 10/16/12. https://doi.org/10.1145/2382196.2382234

Bianchi A, Shoshitaishvili Y, Kruegel C, Vigna G. Blacksheep: Detecting compromised hosts in homogeneous crowds. In CCS'12 - Proceedings of the 2012 ACM Conference on Computer and Communications Security. 2012. p. 341-352 https://doi.org/10.1145/2382196.2382234

Bianchi, Antonio ; Shoshitaishvili, Yan ; Kruegel, Christopher ; Vigna, Giovanni. / Blacksheep : Detecting compromised hosts in homogeneous crowds. CCS'12 - Proceedings of the 2012 ACM Conference on Computer and Communications Security. 2012. pp. 341-352

@inproceedings{0aa8e4946ea64f6da181475fb08c99ad,

title = "Blacksheep: Detecting compromised hosts in homogeneous crowds",

abstract = "The lucrative rewards of security penetrations into large organizations have motivated the development and use of many sophisticated rootkit techniques to maintain an attacker's presence on a compromised system. Due to the evasive nature of such infections, detecting these rootkit infestations is a problem facing modern organizations. While many approaches to this problem have been proposed, various drawbacks that range from signature generation issues, to coverage, to performance, prevent these approaches from being ideal solutions. In this paper, we present Blacksheep, a distributed system for detecting a rootkit infestation among groups of similar machines. This approach was motivated by the homogenous natures of many corporate networks. Taking advantage of the similarity amongst the machines that it analyses, Blacksheep is able to efficiently and effectively detect both existing and new infestations by comparing the memory dumps collected from each host. We evaluate Blacksheep on two sets of memory dumps. One set is taken from virtual machines using virtual machine introspection, mimicking the deployment of Blacksheep on a cloud computing provider's network. The other set is taken from Windows XP machines via a memory acquisition driver, demonstrating Blacksheep's usage under more challenging image acquisition conditions. The results of the evaluation show that by leveraging the homogeneous nature of groups of computers, it is possible to detect rootkit infestations.",

keywords = "Computer security, Kernel-based rootkits, Rootkit detection",

author = "Antonio Bianchi and Yan Shoshitaishvili and Christopher Kruegel and Giovanni Vigna",

year = "2012",

month = "11",

day = "26",

doi = "10.1145/2382196.2382234",

language = "English (US)",

isbn = "9781450316507",

pages = "341--352",

booktitle = "CCS'12 - Proceedings of the 2012 ACM Conference on Computer and Communications Security",

}

TY - GEN

T1 - Blacksheep

T2 - Detecting compromised hosts in homogeneous crowds

AU - Bianchi, Antonio

AU - Shoshitaishvili, Yan

AU - Kruegel, Christopher

AU - Vigna, Giovanni

PY - 2012/11/26

Y1 - 2012/11/26

N2 - The lucrative rewards of security penetrations into large organizations have motivated the development and use of many sophisticated rootkit techniques to maintain an attacker's presence on a compromised system. Due to the evasive nature of such infections, detecting these rootkit infestations is a problem facing modern organizations. While many approaches to this problem have been proposed, various drawbacks that range from signature generation issues, to coverage, to performance, prevent these approaches from being ideal solutions. In this paper, we present Blacksheep, a distributed system for detecting a rootkit infestation among groups of similar machines. This approach was motivated by the homogenous natures of many corporate networks. Taking advantage of the similarity amongst the machines that it analyses, Blacksheep is able to efficiently and effectively detect both existing and new infestations by comparing the memory dumps collected from each host. We evaluate Blacksheep on two sets of memory dumps. One set is taken from virtual machines using virtual machine introspection, mimicking the deployment of Blacksheep on a cloud computing provider's network. The other set is taken from Windows XP machines via a memory acquisition driver, demonstrating Blacksheep's usage under more challenging image acquisition conditions. The results of the evaluation show that by leveraging the homogeneous nature of groups of computers, it is possible to detect rootkit infestations.

AB - The lucrative rewards of security penetrations into large organizations have motivated the development and use of many sophisticated rootkit techniques to maintain an attacker's presence on a compromised system. Due to the evasive nature of such infections, detecting these rootkit infestations is a problem facing modern organizations. While many approaches to this problem have been proposed, various drawbacks that range from signature generation issues, to coverage, to performance, prevent these approaches from being ideal solutions. In this paper, we present Blacksheep, a distributed system for detecting a rootkit infestation among groups of similar machines. This approach was motivated by the homogenous natures of many corporate networks. Taking advantage of the similarity amongst the machines that it analyses, Blacksheep is able to efficiently and effectively detect both existing and new infestations by comparing the memory dumps collected from each host. We evaluate Blacksheep on two sets of memory dumps. One set is taken from virtual machines using virtual machine introspection, mimicking the deployment of Blacksheep on a cloud computing provider's network. The other set is taken from Windows XP machines via a memory acquisition driver, demonstrating Blacksheep's usage under more challenging image acquisition conditions. The results of the evaluation show that by leveraging the homogeneous nature of groups of computers, it is possible to detect rootkit infestations.

KW - Computer security

KW - Kernel-based rootkits

KW - Rootkit detection

UR - http://www.scopus.com/inward/record.url?scp=84869420333&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84869420333&partnerID=8YFLogxK

U2 - 10.1145/2382196.2382234

DO - 10.1145/2382196.2382234

M3 - Conference contribution

AN - SCOPUS:84869420333

SN - 9781450316507

SP - 341

EP - 352

BT - CCS'12 - Proceedings of the 2012 ACM Conference on Computer and Communications Security

ER -

Access to Document

10.1145/2382196.2382234