Detailed Information

A Fast Data Anomaly Detection Engine for Kernel Integrity Monitoring (Korean title: Fast Anomaly Detection for Kernel Integrity Monitoring)

DC Field: Value
dc.contributor.advisor: 백윤흥
dc.contributor.author: 최원하
dc.date.accessioned: 2017-07-14T02:41:36Z
dc.date.available: 2017-07-14T02:41:36Z
dc.date.issued: 2016-02
dc.identifier.other: 000000132638
dc.identifier.uri: https://hdl.handle.net/10371/122792
dc.description: Thesis (Master's) -- Seoul National University Graduate School: Department of Electrical and Computer Engineering, February 2016. Advisor: 백윤흥.
dc.description.abstract: In computer systems, ensuring the integrity of the kernel is important because an attack on the kernel gives an adversary the highest privilege in the compromised system. Typically, an external monitor performs memory introspection of the kernel and verifies whether certain integrity specifications, which in the past were commonly written by hand, hold. However, as adversaries turned to attacking systems through non-control kernel data, verifying non-control kernel data became necessary as well; unfortunately, this is nontrivial to do by hand.
Acknowledging this, prior work proposed a framework that leverages machine learning to generate integrity specifications for both control and non-control data across the entire kernel with little human involvement. Unfortunately, the original design of this framework has a problem with respect to its practicality for deployment in real-world systems.
This thesis proposes a new design that accelerates the overall introspection process by virtually eliminating the boot-time delay required by prior work, and evaluates the effectiveness of the design by implementing a prototype engine, DADE.
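The baseline the abstract describes, an external monitor checking hand-written integrity specifications over a memory snapshot, as an added illustration that is not code from the thesis or from DADE. The object layout, the flag bits, the kernel text range and the snapshot contents are all constructed assumptions for the example; it checks one control-data invariant (a function pointer must lie inside kernel text) and two non-control-data invariants (reserved flag bits clear, uid 0 only together with a privileged flag), and it does not show DADE's learned specifications or its backtrace-naming.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout of one monitored kernel object as it appears in a
 * memory snapshot taken by an external monitor. Constructed for this
 * example; it is not a real Linux struct and not DADE's object model. */
struct mon_object {
    uint64_t addr;       /* address the object was found at in the snapshot */
    uint64_t fn_ptr;     /* control data: a function pointer field */
    uint32_t owner_uid;  /* non-control data: identity the object acts as */
    uint32_t flags;      /* non-control data: capability-style bit field */
};

#define FLAG_PRIVILEGED 0x1u   /* hypothetical: object may legitimately act as uid 0 */
#define FLAG_RESERVED   0xF0u  /* hypothetical: bits the kernel never sets */

/* A hand-written integrity specification: the invariants every instance of
 * this object type must satisfy. The control-data invariant says where the
 * code pointer may point; the non-control invariants constrain data fields. */
struct integrity_spec {
    uint64_t text_start;  /* [text_start, text_end) is the kernel code region */
    uint64_t text_end;
    uint32_t never_set;   /* flag bits that must always be clear */
};

enum violation {
    V_OK            = 0,
    V_CTRL_FN_PTR   = 1 << 0,  /* function pointer outside kernel text */
    V_NONCTRL_FLAGS = 1 << 1,  /* reserved flag bits set */
    V_NONCTRL_UID   = 1 << 2,  /* uid 0 without the privileged flag */
};

/* Check one object against the specification; returns a bitmask of the
 * invariants it violates (V_OK when the object is consistent). */
unsigned verify_object(const struct integrity_spec *spec, const struct mon_object *o)
{
    unsigned v = V_OK;
    if (o->fn_ptr < spec->text_start || o->fn_ptr >= spec->text_end)
        v |= V_CTRL_FN_PTR;
    if (o->flags & spec->never_set)
        v |= V_NONCTRL_FLAGS;
    if (o->owner_uid == 0 && !(o->flags & FLAG_PRIVILEGED))
        v |= V_NONCTRL_UID;
    return v;
}

/* Walk every object recovered from a snapshot and return how many violate
 * the specification; the index of the first offender is written to *first
 * when first is non-NULL and at least one violation exists. */
size_t scan_snapshot(const struct integrity_spec *spec, const struct mon_object *objs,
                     size_t n, size_t *first)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (verify_object(spec, &objs[i]) != V_OK) {
            if (bad == 0 && first)
                *first = i;
            bad++;
        }
    }
    return bad;
}

/* Constructed snapshot (assumed values, not captured data): one clean object,
 * one whose function pointer was redirected outside the kernel text (a
 * control-data attack), and one whose uid was rewritten to 0 without the
 * privileged flag (a non-control-data attack). */
static const struct integrity_spec SAMPLE_SPEC = {
    0xffffffff81000000ull, 0xffffffff82000000ull, FLAG_RESERVED
};
static const struct mon_object SAMPLE_SNAPSHOT[] = {
    { 0xffff88800100a000ull, 0xffffffff81234560ull, 1000, 0 },
    { 0xffff88800100b000ull, 0xffffffffc0001000ull, 1000, 0 },  /* pointer past text_end */
    { 0xffff88800100c000ull, 0xffffffff81234560ull,    0, 0 },  /* uid 0, not privileged */
};
#define SAMPLE_COUNT (sizeof SAMPLE_SNAPSHOT / sizeof SAMPLE_SNAPSHOT[0])

int main(void)
{
    size_t first = 0;
    size_t bad = scan_snapshot(&SAMPLE_SPEC, SAMPLE_SNAPSHOT, SAMPLE_COUNT, &first);
    printf("%zu of %zu objects violate the specification", bad, (size_t)SAMPLE_COUNT);
    if (bad)
        printf(" (first at index %zu, violation mask 0x%x)", first,
               verify_object(&SAMPLE_SPEC, &SAMPLE_SNAPSHOT[first]));
    printf("\n");
    return 0;
}
```

The point of keeping control and non-control checks in the same specification is the one the abstract makes: a hook that moves `fn_ptr` outside kernel text is easy to write a rule for by hand, whereas the uid invariant is only one of many data-field relationships a kernel has, which is why later work generates such rules automatically rather than by hand.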
dc.description.tableofcontents:
I. Introduction 1

II. Motivation 6
2.1 Overview of memory introspection system for kernel data anomaly detection 6
2.2 Object identification & naming 8
2.2.1 Memory traversal 8
2.2.2 Linear scan 11

III. The DADE Approach 14
3.1 Backtrace-Naming 14
3.2 Limitations of backtrace-naming 17

IV. Design and Implementation 20
4.1 Overview 20
4.2 Generating integrity specifications 22
4.3 Extracting backtraces 23
4.3.1 Optimizing backtrace extraction 25
4.4 Verifying object integrity 26
4.5 Deallocations 27
4.5.1 Inference from deallocation information 28
4.5.2 Example integrity specification with deallocation information 28
4.5.3 Enforcing deallocation related integrity specifications at run-time 29

V. Evaluation 31
5.1 Performance 31
5.1.1 Generation time of integrity specifications 31
5.1.2 False positives 32
5.1.3 Induced delay at boot-up 33
5.1.4 Detection performance 33
5.2 Data anomaly detection 35

VI. Related Work 41

VII. Conclusion 44

References 45

Abstract 49
dc.format: application/pdf
dc.format.extent: 2790198 bytes
dc.format.medium: application/pdf
dc.language.iso: en
dc.publisher: Seoul National University Graduate School
dc.subject: Kernel Integrity
dc.subject: Memory Introspection
dc.subject: Data anomaly Detection
dc.subject.ddc: 621
dc.title: A Fast Data Anomaly Detection Engine for Kernel Integrity Monitoring
dc.title.alternative: Fast Anomaly Detection for Kernel Integrity Monitoring (Korean title)
dc.type: Thesis
dc.description.degree: Master
dc.citation.pages: v, 49
dc.contributor.affiliation: College of Engineering, Department of Electrical and Computer Engineering
dc.date.awarded: 2016-02