A Fast Data Anomaly Detection Engine for Kernel Integrity Monitoring (Korean title: Fast Anomaly Detection for Kernel Integrity Monitoring)

Authors

최원하

Advisor
백윤흥
Major
College of Engineering, Department of Electrical and Computer Engineering
Issue Date
2016-02
Publisher
Graduate School, Seoul National University
Keywords
Kernel Integrity; Memory Introspection; Data Anomaly Detection
Description
Thesis (Master's) -- Graduate School, Seoul National University: Department of Electrical and Computer Engineering, February 2016. 백윤흥.
Abstract
In computer systems, ensuring the integrity of the kernel assumes importance as attacks against the kernel allow an adversary to obtain the highest privilege within a compromised system. For this task, typically, an external monitor would perform memory introspection and verify whether certain integrity specifications, which were commonly written by hand in the past, hold or not. However, as adversaries turned their eyes to attacking a system through non-control kernel data, the need arose for verifying non-control kernel data; unfortunately, it is nontrivial to do manually.
Acknowledging this, prior work suggested a framework leveraging machine learning to generate integrity specifications for both control and non-control data across the entire kernel with little human involvement. Unfortunately, there is a problem in the original design of this framework with regard to its practicality for deployment in real-world systems.
This thesis proposes a new design that accelerates the overall introspection process by virtually eliminating the booting delay that was needed in prior work and evaluates the effectiveness of the design by means of implementing a prototype engine, DADE.
Language
English
URI
https://hdl.handle.net/10371/122792
Items in S-Space are protected by copyright, with all rights reserved, unless otherwise indicated.
