dc.contributor.advisor: Venkatakrishnan, V.N.
dc.contributor.author: Bianchi, Antonio
dc.date.accessioned: 2012-12-13T21:34:45Z
dc.date.available: 2012-12-13T21:34:45Z
dc.date.created: 2012-08
dc.date.issued: 2012-12-13
dc.date.submitted: 2012-08
dc.identifier.uri: http://hdl.handle.net/10027/9493
dc.description.abstract: Detecting rootkit infestations is a complicated security problem faced by modern organizations. Many possible solutions have been proposed in the last decade, but various drawbacks prevent these approaches from being ideal. In this thesis, we present Blacksheep, a detection tool that uses a crowd of similar machines to detect rootkit infestations. In particular, we focus on kernel rootkits infecting the Windows operating system. We propose a novel technique to detect kernel rootkits based on the analysis of physical memory dumps acquired from a set of machines. These memory dumps are compared with each other, and the results of these comparisons are used to classify them as infected or non-infected. Three different comparisons are performed: code comparison, kernel entry point comparison and data comparison. Their results are used by two different analyses: a trained classification and an untrained classification. The trained classifier relies on a set of memory dumps manually flagged as having been acquired from machines in a non-infected state. The goal of this analysis is to classify a set of memory dumps as having come from infected or non-infected machines. The untrained classifier generates a hierarchy of clusters of memory dumps based on their similarity. The aim of this analysis is to separate the analyzed memory dumps into subsets according to the state of the machines from which they were taken. As part of our investigation into Windows kernel rootkits, substantial research was needed in two main areas: the internals of the Windows kernel itself, and the methods used to acquire and analyze dumps of physical memory and copies of the swap area. Part of our contribution is a summary of this research. We have tested Blacksheep on two sets of memory dumps acquired from differently configured machines infected with eight different rootkits.
Some of the analyses performed by Blacksheep achieve a 100% detection rate with no false positives in both sets. Others are able to give interesting information about the behaviors of the analyzed rootkits.
dc.language.iso: en
dc.rights: Copyright 2012 Antonio Bianchi
dc.subject: memory analysis
dc.subject: intrusion detection
dc.subject: rootkit detection
dc.subject: data comparison
dc.subject: code comparison
dc.title: Blacksheep: a Tool for Kernel Rootkit Detection, based on Physical Memory Crowdsourced Analysis
thesis.degree.department: Computer Science
thesis.degree.discipline: Computer Science
thesis.degree.grantor: University of Illinois at Chicago
thesis.degree.level: Masters
thesis.degree.name: MS, Master of Science
dc.type.genre: thesis
dc.type.material: text