Visible to the public Biblio

Filters: Author is Jia, Xiaoqi  [Clear All Filters]
2020-04-17
Tian, Donghai, Ma, Rui, Jia, Xiaoqi, Hu, Changzhen.  2019.  A Kernel Rootkit Detection Approach Based on Virtualization and Machine Learning. IEEE Access. 7:91657—91666.

OS kernel is the core part of the operating system, and it plays an important role for OS resource management. A popular way to compromise OS kernel is through a kernel rootkit (i.e., malicious kernel module). Once a rootkit is loaded into the kernel space, it can carry out arbitrary malicious operations with high privilege. To defeat kernel rootkits, many approaches have been proposed in the past few years. However, existing methods suffer from some limitations: 1) most methods focus on user-mode rootkit detection; 2) some methods are limited to detect obfuscated kernel modules; and 3) some methods introduce significant performance overhead. To address these problems, we propose VKRD, a kernel rootkit detection system based on the hardware assisted virtualization technology. Compared with previous methods, VKRD can provide a transparent and an efficient execution environment for the target kernel module to reveal its run-time behavior. To select the important run-time features for training our detection models, we utilize the TF-IDF method. By combining the hardware assisted virtualization and machine learning techniques, our kernel rootkit detection solution could be potentially applied in the cloud environment. The experiments show that our system can detect windows kernel rootkits with high accuracy and moderate performance cost.

2019-03-18
Jia, Xiaoqi, He, Yun, Wu, Xiyao, Sun, Huiqi.  2018.  Performing Trusted Computing Actively Using Isolated Security Processor. Proceedings of the 1st Workshop on Security-Oriented Designs of Computer Architectures and Processors. :2–7.
Trusted computing is one of the main development trend in information security. However, there are still two limitations in existing trusted computing model. One is that the measurement process of the existing trusted computing model can be bypassed. Another is it lacks of effective runtime detection methods to protect the system, even the measurement process itself. In this paper, we introduce an active trusted model which can solve those two problems. Our active trusted computing model is comprised of two components: normal computation world and isolated security world. All the security tasks of active trusted computing model are assigned to the isolated security world. In this model, the static trusted measurement measures BIOS and operating system at the start-up of the computer system; and the dynamic trusted measurement measures the code segment, the data segment, and other critical structures actively and periodically at runtime. We have implemented a prototype of the active trusted computing model and done preliminary evaluation. Our experimental results show that this prototype can perform trusted computing on-the-fly effectively with an acceptable performance overhead.