167 lines
11 KiB
TeX
167 lines
11 KiB
TeX
\documentclass[runningheads]{llncs}
|
|
%
|
|
\usepackage[T1]{fontenc}
|
|
% T1 fonts will be used to generate the final print and online PDFs,
|
|
% so please use T1 fonts in your manuscript whenever possible.
|
|
% Other font encondings may result in incorrect characters.
|
|
%
|
|
\usepackage{graphicx}
|
|
\usepackage{xcolor}
|
|
\usepackage{amsfonts}
|
|
\usepackage{amssymb}
|
|
\usepackage{acro}
|
|
\input{acronyms}
|
|
|
|
% Used for displaying a sample figure. If possible, figure files should
|
|
% be included in EPS format.
|
|
|
|
\newcommand\agd[1]{{\color{red}$\bigstar$}\footnote{agd: #1}}
|
|
|
|
% If you use the hyperref package, please uncomment the following two lines
|
|
% to display URLs in blue roman font according to Springer's eBook style:
|
|
%\usepackage{color}
|
|
%\renewcommand\UrlFont{\color{blue}\rmfamily}
|
|
%\urlstyle{rm}
|
|
%
|
|
\begin{document}
|
|
%
|
|
\title{PowPrint: Big Patounes all over the Power Trace}
|
|
%
|
|
%\titlerunning{Abbreviated paper title}
|
|
% If the paper title is too long for the running head, you can set
|
|
% an abbreviated paper title here
|
|
%
|
|
\author{Arthur Grisel-Davy\inst{1}\orcidID{0000-1111-2222-3333} \and
|
|
Sebastiean Fischmeister\inst{1}\orcidID{1111-2222-3333-4444}}
|
|
%
|
|
\authorrunning{A. Grisel-Davy and Sebastian Fischmeister.}
|
|
% First names are abbreviated in the running head.
|
|
% If there are more than two authors, 'et al.' is used.
|
|
%
|
|
\institute{University of Waterloo, Waterloo, CA
|
|
\email{agriseld@uwaterloo.ca}\\
|
|
}
|
|
%
|
|
\maketitle % typeset the header of the contribution
|
|
%
|
|
\begin{abstract}
|
|
The cat and mouse game has led attackers to use ever-increasingly complex evasion technics to hide their malware.
|
|
|
|
\keywords{Intrusion Detection \and Side-Channel Analysis \and Power Trace.}
|
|
\end{abstract}
|
|
|
|
\section{Introduction}
|
|
%The modern landscape of malware families is diverse.
|
|
%Attackers write malware for a wide range or purposes, each with their goals, target systems, attacks vectors, and constraints.
|
|
%Some malware are purely destructive, designed to destroy data or equipement or harm people.
|
|
%Others have ulterior notive like disrupting target operations, extract sensitive information, or request ransoms.
|
|
%
|
|
%Most malware a complexe pieces of sotware that require expertise and time to developp.
|
|
%Among them, one group sits above all in terms of complexity and capabilities, the Advanced Persistent Threats.
|
|
%APTs are meta-malware that may not be directly intended to cause harm to the target.
|
|
%Instead, they are a framework from which a payloads can operate.
|
|
%The APT are diverse depending on the authors, the capabilities, and the intendent audience.
|
|
%However common capabilities of APTs are deployment, persistence, and stealth.
|
|
%
|
|
%In this sutdy, we are interested in the stealth capabilities of malwares.
|
|
%Malware authors often wish for their program to remain undetected on the infected machine.
|
|
%Hidden on the target, the malware can remain active and either continuously perform its intended actions or wait for commands.
|
|
%Effectively hiding a piece of software is a complex task on two main levels.
|
|
%First, from a filesystem of static analysispoint of view, the executable or code that consitute the malware must be invisible or appear innofensive.
|
|
%Then, when running, the malware must also either hide its activity from HIDS or masquerade a valid process.
|
|
%
|
|
%In this study, we consider the second case when a program is performing actions shile remaining invisible or innofensive from the operating system.
|
|
|
|
Malware developement has always been a field of computer science that rivals in complexity with the most current academic research.
|
|
To remain effective, malware must keep up and even lead the most advanced detection and prevention mechanisms.
|
|
This complexity has kept modern malware capable of infiltrate and iscrupt systems while avoiding detection.
|
|
|
|
While stealth may not be main focus of all malwares --- some are designed with destructive power or speed of deployement and action ---, the ability to remain hidden on the infected system --- called evasion --- is a common feature of many modern malware.
|
|
Thanks to the creativity of malware authors, many evasions technics have been used over time.
|
|
While most were discovered and documented, it is safe to assume that there are and will always be evasions technics that are on step ahead and bypases the current detection methods.
|
|
|
|
Evasions technics is un umbrella terms that englobes \agd{find appropriate word} multiple sub categories, each for a different purpose.
|
|
One aspect of evasion is the ability to conceal the malicious nature of the files that consitute the ;alware.
|
|
For this purpose, alware may employ homomorphic or metamorphic methods to "dejouer" signature analysis or use a fileless design to avoid analsysi altogether.
|
|
Another compleing capability is the ... \agd{find another evasion technic}
|
|
|
|
This study focuses on another specific evasion domain, process hiding.
|
|
The list of running processes is an obvious compeling ressource to start detectin malware.
|
|
To detect running malware, one could simply gather the list of all running software and search for known malware.
|
|
With the list of processes frequently collected, an \ac{hids} \agd{replace acronym} can detect known malware, mine rules, define an activity profile, or detect anomalous situations.
|
|
|
|
Staying off the process list is good first step for any malware aiming for stealth.
|
|
We can categorize the technics achieving this type of evasion between hiding and masquerading.
|
|
For process hiding, the goal is to execute a program and leave no trace of it in the process list.
|
|
For process masquerading, the aim is not so much to avoid the listing but to avoid the malware being listed with its real identity.
|
|
A process masquerading an another will assume its process name and characteristics, with the goal of appearing legitimate on the machine.
|
|
Process hiding and masquerading differ in their ultimate goal but leverage a lot of the same technics.
|
|
The core idea of process list manipulation is tampering with the process listing mechanism provided by the OS to the monitoring software.
|
|
Independently of the \ac{os}, attackers often rely on intercepting system's call to remove or replace information or directly manipulating kernel objects.
|
|
For the purpose of this study, we do not differentiate between Unix-based OSs and Windows systems as process hiding is a common practice for malware in both environments.
|
|
|
|
% there are detection methods but they are all host-based and dommed to be bypassed
|
|
Of course, many methods have been proposed and implemented to detect or counter process list tampering.
|
|
These methods --- although they leverage different mechanisms --- are all host-based.
|
|
This create a circular dependency where the \ac{ids} rely on the host system to provide the very information leveraged to assess its integrity.
|
|
In this situation, an attacker that succesfully compromises a machine can employ evasion technics that manipulate the data used for detection.
|
|
As rootkis providing process hiding remained a threat since their introduction, it is safe to assume that current countermesures --- and future ones based on similar technics --- do not provide complete protection.
|
|
|
|
% is it a bird? is it a plane? No its the good old power consumption!
|
|
One possible alternate method for detecting process list manipulation is using a secondary source of information to corroborate the process list.
|
|
To avoid bypass, the secondary source must be independent from the \ac{os} and not require its cooperation to enable protection.
|
|
However, the source must also provide information correlated with process presence and activity on the machine.
|
|
|
|
\ac{sci} are compeling as the secondary source.
|
|
As involuntary emissions, they are intrisecely independent from the origin system.
|
|
No communication is required with the system to access these information.
|
|
As physical by-product of the computation, they are hard to forge from an attacker point of view.
|
|
A program can somewhat controle its computation intensity but it is difficult to precisely controle the generated emission and impossible to fully supress them.
|
|
If the attacker wish to perform any computation on the compromised machine, it will result in some form of physical emission.
|
|
The most common \ac{sci} leveraged for attack or defense is energy consumption.
|
|
Due to its ease of capture, high reliability, large range of application, and good informative potential about the activity of the system.
|
|
Of course, there are drawbacks to using power consumption as a source of information.
|
|
First, the raw power consumption of a machine is not an actionable piece of information.
|
|
A step of information mining --- for example pattern recognition, anomaly detection, or even a simple thresholding --- is always required to take a decision.
|
|
Then, measuring true independent power consumption data require additional hardware.
|
|
Although software estimations of power consumption are available, they bear the same issue as other host-based source of information.
|
|
Finaly, the power consumption of a mchine only ontains a small subset of all information related to processes activity.
|
|
A \ac{cpu} are capable or hundreds to thousands of millions operations per seconds.
|
|
Each intruction triggers multiple consumptions patterns acrosses multiple components of the system.
|
|
Although --- in theory --- the power consumption is a sum of all these sub-consumptions, the reality of measurement --- in terms of resolution, accuracy, and sampling rate --- make single-instruction measurement unrealistic at a global scale of the \ac{cpu}.
|
|
|
|
Taking all these limitations into account, the power consumption of a machine --- and more specifically the global power consuimption of its \ac{cpu} --- is a valuable complementary source of information.
|
|
The correlation between a list of processes and the power consumption can enable the detection of process list tampering, evidence of malware activity.
|
|
|
|
|
|
% Thank you king of sweden. No it was nothing you are welcome. Ok get home safe now. Byeeee.
|
|
|
|
|
|
|
|
|
|
\subsection{Contribution}
|
|
This paper proposes a novel approach for detecting tampering of process listing using power consumption traces.
|
|
After a period of learning on known-good data, a machine learning model can predict the expected power consumption of a the \ac{cpu} of a system from the list of processes at a point in time.
|
|
This expected consumption may diverge significantly from the real consumption and indicate an error in either source of information.
|
|
Assuming that the power consumption is immune to tampering due to its complete isolation from the monitored system, the source of the deviation can only result from an illegal modification of the process list.
|
|
The nature of the divergence can further inform about the nature of the tampering.
|
|
|
|
|
|
\section{Related Work}
|
|
|
|
\section{Problem Statement}
|
|
|
|
\subsection{Attacker Model}
|
|
|
|
\section{Proposed Approach}
|
|
|
|
\section{Case Studies}
|
|
|
|
\section{Discussion}
|
|
|
|
\section{Conclusion}
|
|
|
|
\bibliography{biblio} % Import the bibliography
|
|
\bibliographystyle{plain} % set the reference style
|
|
|
|
\end{document}
|