IJRIT International Journal of Research in Information Technology, Volume 2, Issue 3, March 2014, Pg: 343-348
International Journal of Research in Information Technology (IJRIT) www.ijrit.com
ISSN 2001-5569
Enhanced Dynamic Detection of Code Injection Attack in OS-Level Virtual Machine

P.Banupriya, PG Student, Department of CSE, Vivekananda College of Technology for Women, Tiruchengode, Tamil Nadu, India, [email protected]
V.Chandrasekar, Assistant Professor, Department of CSE, Vivekananda College of Technology for Women, Tiruchengode, Tamil Nadu, India, [email protected]
Abstract – The number and complexity of attacks on computer systems are increasing, and proper defense mechanisms are needed to control and limit their growth. Intrusion detection systems play an important role in detecting and disrupting attacks before they can compromise software. Existing methods find malware statically but cannot notice it at runtime. We propose multivariant execution as an intrusion detection mechanism: several slightly different versions of the same program, called variants, are executed in lockstep. The variants are built to have identical behavior under normal execution conditions; when they are under attack, however, there are detectable differences in their execution behavior. At runtime, a monitor compares the behavior of the variants at certain synchronization points and raises an alarm when a discrepancy is detected. This paper presents a monitoring mechanism that does not need any kernel privileges to supervise the variants. Many sources of inconsistency, including asynchronous signals and the scheduling of multithreaded or multiprocessing applications, can cause the variants' behavior to diverge and thereby produce false alarms. The new technique provides solutions to remove these false alarms.
Keywords --- Multivariant, Monitor, Vulnerability, Defense, malware
I. INTRODUCTION

Security vulnerabilities in software have been a significant problem for the computer industry for decades. While the use of safer programming languages such as Java and C# has alleviated the problem, there are still many software packages that are created and maintained in C and C++. Our main defense against malware (malicious software) has usually been antivirus software, which uses static signature-based detection techniques to identify potential malware. Popular due to its low false-alarm rate and ease of use, antivirus software requires new malware samples to be discovered and analyzed before they can be detected, leaving hosts vulnerable to new malware during the time period between the sample being used in a cyber-attack and the creation of detection signatures for that sample [1]. The complex, ultra-large-scale systems used by governments, corporations, and other institutions are particularly vulnerable to new malware, since these systems are constantly subject to cyber-attacks and their size and complexity complicate detection [2]. Antivirus software is also ineffective at detecting obfuscated variants of known malware [3], [4]. Obfuscations are applied to malware using specialized software that reorders, encrypts, compresses, recompiles, or otherwise changes the code without altering its function [5]. Obfuscations can also be applied automatically and incrementally, as is the case with metamorphic and polymorphic malware that mutate as they propagate [6]. Obfuscating malware to evade detection is now common practice, since the engineering effort required to design new malware far exceeds the effort to obfuscate existing malware. Accordingly, the majority of new antivirus detection signatures are not created for new malware, but rather for obfuscated variants of known malware [7].

In this paper, we present a malware detection system designed to detect obfuscated variants of known malware and previously unseen malware that are behaviorally similar to known malware. The malware detection system monitors data from a suite of sensors installed on a host server at both the operating system and hypervisor levels, and processes the sensor data sequentially as they become available, using the data to infer whether the host is executing malware. We pose the malware detection problem as a change-point detection problem [8], wherein the goal is to detect whether a host is infected with malware by detecting changes in the distribution of the sensor data as quickly as possible. We assume that the host being monitored is initially clean and free of malware and that during this period we are able to establish a baseline of normal operation for the host. Assuming that the host may become infected with malware at any time, our goal is to determine whether the host is infected so that appropriate actions can be taken to limit data loss, data theft, further propagation of the malware, and disruption of services. We present a malware detection system that treats the malware detection problem as a multi-channel, decentralized detection problem. The problem is multi-channel because each sensor measures a unique phenomenon and reports data that are governed by a distinct probability distribution.
The problem is decentralized because detection is performed at the sensor level, wherein each local detector uses data from only one sensor to infer whether the host is infected. The global decision is made by a data fusion center, which sequentially processes the decisions from the local detectors to infer whether the host is infected. Finally, we present a case study using the described malware detection system on a virtual machine host running a web server under heavy computational load. During testing, the host is originally clean and becomes infected with malware at a randomly selected time instant [10]. Two hundred different malware samples, all gathered from the wild in the past year, are used for the study. We examine the effectiveness of the detection system both in terms of its overall detection accuracy and its average time to detection.

Modern static analysis tools are capable of finding many varieties of programming errors, but a lack of runtime information limits their abilities. Some also have a relatively high false positive rate, making them expensive to use in practice. Dynamic and runtime tools are often not effective because they lack a baseline to use for detection. Also, the performance overhead of sophisticated algorithms used by such runtime tools is often prohibitively high in some production systems. Multivariant code execution is a runtime monitoring technique that prevents system damage resulting from malicious code execution and addresses the above problems with dynamic detection tools. Multivariant execution protects against malicious code execution attacks by running two or more slightly different versions of the same program, called variants, in lockstep. At defined synchronization points, the variants' behavior is compared against each other. Divergence in behavior is an indication of an anomaly and raises an alarm.
Since the application is web-service oriented and platform independent, data from various data sources can be used. The remainder of this paper is organized as follows: Section 2 discusses related work in the field of enhanced dynamic detection of code injection attacks. Section 3 describes the system design of the server and client. Conclusions and future work are provided in Section 4.

II. RELATED WORK

In the related area of network intrusion detection, sequential detection techniques applied to network-based features have been demonstrated to provide an accurate means of detecting network intrusions [11] and denial of service attacks [12]. Hidden Markov models have been shown to be an effective tool for detecting cyber-attacks using system call traces.
The malware detection system described in this paper bears similarity to previous work in that it is a dynamic detection system that monitors features at the operating-system level [9] and the hypervisor level to infer the execution of malware. The described system is unique in its decentralized application of two-sided sequential detection techniques to malware detection and its use of a data fusion center for global decision making. The merits of the described system that set it apart from the previous work include the low computational complexity of the detection system, which allows for real-time detection of malware infection on a live host, and the sequential formulation of the malware detection problem, which focuses on detecting malware quickly and accurately.

An obvious drawback of multivariant execution is the extra processing overhead, since at least two variants of the same program must be executed in lockstep to provide the benefits mentioned above. Our experimental results show that this overhead is in the range afforded by most security-sensitive applications where performance is not the first priority, such as government and banking software. Besides, the large amount of parallelism that inherently exists in multivariant execution helps it take advantage of multicore processors. A multivariant execution environment (MVEE) can engage the idle cores in these systems to improve security with little performance overhead.

The main objectives of the project are:
a) Data collection is easy.
b) Less time is required for data consolidation.
c) Time consumption is low.

Many techniques have been developed to eliminate vulnerabilities, but none of them provides a complete solution.
Currently, cores are often idle due to the lack of extractable parallelism in many applications or due to the bottlenecks imposed by memory or I/O devices. In addition, the number of cores is increasing rapidly. An MVEE can engage the idle cores in these systems to improve security with little performance overhead. Unlike many previously proposed techniques to prevent malicious code execution, which rely on random and secret keys, multivariant execution is a secret-less system. Therefore, the choice of what to vary, e.g., stack layout or instruction set, defines which classes of attacks can be stopped and which vulnerabilities can still be exploited. It is important that every variant be fed identical copies of each input from the system simultaneously. This design makes it difficult for an attacker to send individual malicious inputs to different variants and compromise them one at a time. If the variants are chosen properly, a malicious input to one variant causes collateral damage in some of the other variants, causing them to deviate from each other. The deviation is then detected by a monitoring agent.

Some of the drawbacks of the existing system are listed below:
a) Dynamic and runtime tools are often not effective because they lack a baseline to use for detection.
b) The performance overhead of sophisticated algorithms used by such runtime tools is often prohibitively high in some production systems.
c) Previously existing techniques to prevent malicious code execution use random and/or secret keys in order to prevent attacks.
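The lockstep comparison described above, as an added Python illustration that is not the paper's code: two simulated variants, differing only in a constructed layout offset, receive the identical input; a monitor compares them at each synchronization point while masking variant-specific addresses (one source of false alarms); and a constructed overlong request shows how a malicious input that corrupts the variants differently makes them deviate from each other.

```python
"""Lockstep monitor for a multivariant execution environment (MVEE).

Added illustration, not the paper's code. Two variants of one program are
simulated as generators that yield an event at every synchronization point
(each system-call-like operation). The monitor feeds both variants the same
input, compares the events pairwise, and raises an alarm at the first
divergence. Fields that legitimately differ between variants (addresses under
a varied stack layout) are masked so they do not produce false alarms.
"""
from dataclasses import dataclass
from itertools import zip_longest
from typing import Iterator, List, Optional, Tuple

@dataclass(frozen=True)
class SyncEvent:
    name: str      # operation, e.g. "read", "write", "exec"
    args: Tuple    # arguments the monitor compares across variants
    addr: int = 0  # variant-specific detail, masked before comparison

def program_variant(layout_offset: int, request: bytes) -> Iterator[SyncEvent]:
    """Simulated variant; every variant runs the same logic on the same input.

    Constructed model of a memory-safety bug: a request longer than 8 bytes
    spills past a buffer and the control flow that follows depends on the
    spilled bytes plus this variant's layout offset, so variants laid out
    differently are steered to different operations.
    """
    buf = request[:8]
    yield SyncEvent("read", (len(request),), addr=0x1000 + layout_offset)
    if len(request) > 8:
        spill = request[8:]
        corrupted = (spill[0] + layout_offset) % 2  # layout-dependent outcome
        op = "exec" if corrupted else "write"
        yield SyncEvent(op, (spill[:4],), addr=0x2000 + layout_offset)
    else:
        yield SyncEvent("write", (buf,), addr=0x2000 + layout_offset)
    yield SyncEvent("close", (3,), addr=0x3000 + layout_offset)

def monitor(variants: List[Iterator[SyncEvent]]) -> Tuple[bool, Optional[int], str]:
    """Compare all variants at each synchronization point.

    Returns (diverged, index of the sync point, description). Only name and
    args are compared; addr is variant-specific and ignored.
    """
    for idx, events in enumerate(zip_longest(*variants)):
        if any(e is None for e in events):
            return True, idx, "a variant terminated early"
        seen = {(e.name, e.args) for e in events}
        if len(seen) != 1:
            ops = ", ".join(sorted(f"{e.name}{e.args}" for e in events))
            return True, idx, "variants issued different operations: " + ops
    return False, None, "variants stayed in lockstep"

def run_mvee(request: bytes, offsets=(0, 1)) -> Tuple[bool, Optional[int], str]:
    """Start one variant per layout offset, feed all of them the same input, monitor."""
    return monitor([program_variant(o, request) for o in offsets])

if __name__ == "__main__":
    print(run_mvee(b"GET /ok"))            # (False, None, 'variants stayed in lockstep')
    print(run_mvee(b"GET /" + b"A" * 20))  # diverges at synchronization point 1
```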
III. SYSTEM DESIGN

A. Server Side

a) START MONITOR: When this module starts running, the server application is activated; tasks can be assigned, and records such as the nodes list, task list and attacks list can be viewed.
b) ADD CLIENT NODE: In this module, the client node's ID, IP address and system name are keyed in and stored in the database table.
c) START SELF DEFENSE: When this module starts running, the server's self-defense activity is enabled so that the files in the server's shared folder are not affected by the client nodes. If any file is about to be changed, the new file is replaced again by the old file, which is located in a non-shared folder path.
d) ASSIGN CODE EXECUTION TASK TO NODES: In this module, a node is selected, an executable file is copied to the node's share folder (which is located in the root folder of the client application), and a number of parameters are saved in the database table. When the client application executes the task, this executable file is invoked and uses the parameter values from the database table.
e) VIEW NODES LIST: In this module, the node details are viewed using the data grid view control. The details include node ID, IP address, and system name.

Fig.1 Server Side Process (diagram of the Server Application: Process: Start Monitor, Add Client Node, Start Self Defense, Assign Code Execution Task to Nodes; View: Nodes List, Process Results, Code Modified in Nodes, Self Defense Log)
f) VIEW PROCESS RESULTS: In this module, the details of executed tasks are viewed using the data grid view control. The details include node ID, IP address, and system name along with the executable filename, list of parameters, size of the executable file, start time, end time and write time.
g) VIEW CODE MODIFIED LIST IN NODE: In this module, the details of executed tasks are viewed using the data grid view control. The details include node ID, IP address, and system name along with the task details, for records that produced different results only.
h) VIEW SELF DEFENSE: In this module, the details of attacks are viewed using the data grid view control. The details include attack time, attack type, file name, and old file name.
B. Client Side

Fig.2 Client Side Process (diagram of the Client Application: Process: Update Node, Execute Service Assigned Task, Create a File in Server Space, Rename a File in Server Space, Delete a File in Server Space, Display Activity Log)

a) COLLECT AND EXECUTE TASKS: In this module, the task details are collected from the 'Tasks' table and saved in a System.Collections.Generic.List object. Then the executable files are executed using the System.Diagnostics.Process class.
b) EXECUTE MODIFIED EXECUTABLE: In this module, the task details are collected from the 'Tasks' table and saved in a System.Collections.Generic.List object. When the executable files are executed, instead of working as specified, the code works differently, with additional values generated randomly. Because the code differs from the server's version, the result produced should be treated as suspicious.
c) ATTACK SERVER: In this module, the server's SelfDefenceResources shared folder is accessed and ten files are created with random names. The details are shown in the log list box. Likewise, the folder's files are collected and one of them is renamed; in addition, one file is deleted. Note that if the self-defense module is activated on the server, the renamed file is deleted and the file is restored from the original backup path. Likewise, if a file is deleted, the file is restored from the original backup path. The folder on the server is watched by a File System Watcher component running on the server, which updates the folder content if required.
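The server's self-defense behaviour from modules A.c) and B.c) above, as an added Python example rather than the paper's .NET code: a backup snapshot in a non-shared path, a check that removes renamed or injected files and restores deleted or altered originals, and a log of (attack time, attack type, file name, old file name) matching the VIEW SELF DEFENSE fields. The folder name SelfDefenceResources comes from the paper; the on-demand check in place of the File System Watcher component, and the backup folder name, are assumptions of this example.

```python
"""Shared-folder self-defense: restore originals from a non-shared backup (added illustration, not the paper's code)."""
import hashlib, shutil, tempfile, time
from pathlib import Path
from typing import Dict, List, Tuple

LogEntry = Tuple[str, str, str, str]  # (attack time, attack type, file, old file)

def listing(folder: Path) -> Dict[str, str]:
    # file name -> SHA-256 of content, sorted so log order is stable
    return {f.name: hashlib.sha256(f.read_bytes()).hexdigest()
            for f in sorted(folder.iterdir()) if f.is_file()}

class SelfDefense:
    def __init__(self, shared: Path, backup: Path):
        self.shared, self.backup = Path(shared), Path(backup)
        self.log: List[LogEntry] = []

    def arm(self) -> None:
        """Snapshot the shared folder into the non-shared backup path."""
        self.backup.mkdir(parents=True, exist_ok=True)
        for name in listing(self.shared):
            shutil.copy2(self.shared / name, self.backup / name)

    def _record(self, kind: str, name: str, old: str = "") -> None:
        self.log.append((time.strftime("%Y-%m-%d %H:%M:%S"), kind, name, old))

    def check(self) -> List[LogEntry]:
        """One pass: drop foreign files, restore originals, return new log lines."""
        start = len(self.log)
        originals, present = listing(self.backup), listing(self.shared)
        by_hash = {h: n for n, h in originals.items()}
        renamed = set()
        for name, h in ((n, h) for n, h in present.items() if n not in originals):
            old = by_hash.get(h, "")             # same content as a missing original?
            if old and old not in present:
                self._record("rename", name, old)
                renamed.add(old)
            else:
                self._record("create", name)
            (self.shared / name).unlink()        # the renamed or injected copy is removed
        for name, h in originals.items():        # missing or altered originals come back
            if present.get(name) != h:
                if name not in renamed:
                    self._record("delete" if name not in present else "modify", name)
                shutil.copy2(self.backup / name, self.shared / name)
        return self.log[start:]

def demo() -> List[LogEntry]:
    """Constructed scenario mirroring the paper's ATTACK SERVER module."""
    root = Path(tempfile.mkdtemp())
    shared, backup = root / "SelfDefenceResources", root / "backup"
    shared.mkdir()
    (shared / "config.txt").write_text("orig config")
    (shared / "data.txt").write_text("orig data")
    guard = SelfDefense(shared, backup)
    guard.arm()
    (shared / "junk1.tmp").write_text("random")             # injected file
    (shared / "config.txt").rename(shared / "renamed.txt")  # renamed original
    (shared / "data.txt").unlink()                          # deleted original
    events = guard.check()
    restored = listing(shared) == listing(backup)           # share matches originals again
    shutil.rmtree(root)
    return events if restored else []
```

Running demo() yields one create, one rename (with the old name recovered by content hash) and one delete entry, and the share is back to its original contents.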
IV. CONCLUSION AND FUTURE WORK

A multivariant execution environment runs multiple versions of a program simultaneously and monitors their behavior. A discrepancy in the behavior of the variants is an indication of an attack. Using this technique, exploitation of vulnerabilities is prevented at runtime. It is complementary to other methods that remove vulnerabilities, such as static analysis. Instead of finding and removing the vulnerabilities, our method accepts the inevitable existence of vulnerabilities and prevents their exploitation. A major advantage of this approach is that it enables us to detect and prevent a wide range of threats, including "zero-day" attacks. Multivariant execution is effective even against sophisticated polymorphic and metamorphic viruses and worms. Many everyday applications are mostly sequential in nature. At the same time, automatic parallelization techniques are not yet effective enough on such workloads. Even in parallel applications, such as web servers, limited I/O bandwidth prevents us from putting all available processing resources into service. As a result, parallel processors in today's computers are often partially idle. By running programs in MVEEs on such multicore processors, the parallel hardware is put to good use and the programs become much more resilient against code injection attacks.
The new system becomes more useful if the following enhancements are made in future. Statistical analysis of code injection attack data, once prepared, can be used for further project development. Any number of software packages in which injections are found can be identified easily. Once a code-affected part is found, a mail can be sent to the particular client that intruders have attempted to affect the software. The new system is designed such that these enhancements can be integrated with the current modules easily, with little integration work.

REFERENCES

[1] Shan, Z., Wang, X. and Chiueh, T. (2011), "Tracer: Enforcing Mandatory Access Control in Commodity OS with the Support of Light-Weight Intrusion Detection and Tracing," Proc. Sixth ACM Symp. Information, Computer and Comm. Security (ASIACCS), pp. 135-144.
[2] Li, N., Mao, Z. and Chen, H. (2007), "Usable Mandatory Integrity Protection for Operating Systems," Proc. IEEE Symposium on Security and Privacy, IEEE Computer Society, Washington, DC, USA, pp. 164-178.
[3] Fraser, T. (2000), "LOMAC: Low Water-Mark Integrity Protection for COTS Environments," Proc. 2000 IEEE Symposium on Security and Privacy (SP '00), IEEE Computer Society, Washington, DC, USA, pp. 230-245.
[4] Wang, X., Li, Z., Choi, J.Y. and Li, N. (2008), "PRECIP: Towards Practical and Retrofittable Confidential Information Protection," Proc. 15th Network and Distributed System Security Symposium.
[5] Shan, Z., Wang, X. and Chiueh, T. (2011), "Safe Side Effects Commitment for OS-Level Virtualization," Proc. Eighth ACM Int'l Conf. Autonomic Computing (ICAC).
[6] Soltesz, S., Pötzl, H., Fiuczynski, M.E., Bavier, A. and Peterson, L. (2007), "Container-based operating system virtualization: a scalable, high-performance alternative to hypervisors," Proc. 2nd ACM SIGOPS/EuroSys European Conference on Computer Systems, Lisbon.
[7] Price, D. and Tucker, A. (2004), "Solaris Zones: Operating system support for consolidating commercial workloads," Proc. 18th Large Installation System Administration Conference (LISA), pp. 241-254.
[8] Yu, Y., Guo, F., Nanda, S., Lam, L. and Chiueh, T. (2006), "A Featherweight Virtual Machine for Windows Applications," Proc. 2nd ACM/USENIX Conference on Virtual Execution Environments, pp. 24-34, Ottawa.
[9] Zhu, J., Jiang, Z., Xiao, Z. and Li, X. (2011), "Optimizing the Performance of Virtual Machine Synchronization for Fault Tolerance," IEEE Transactions on Computers.
[10] Paleari, R., Martignoni, L., Passerini, E., Davidson, D., Fredrikson, M., Giffin, J. and Jha, S. (2010), "Automatic Generation of Remediation Procedures for Malware," Proc. USENIX Conf. Security.
[11] Passerini, E., Paleari, R. and Martignoni, L. (2009), "Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA)," Como, Italy.
[12] Canzanese, R., Kam, M. and Mancoridis, S. (2013), "Multi-Channel Change-Point Malware Detection," Proc.