The Semantic Gap Challenge - PowerPoint PPT Presentation




Slides: 29
Provided by: KMc125

Title: The Semantic Gap Challenge

The Semantic Gap Challenge
  • Stealthy Malware Detection Through VMM-Based
    Out-of-the-Box Semantic View Reconstruction
  • November 2007
  • ACM (Association for Computing Machinery)
  • Authors: Xuxian Jiang (North Carolina State University),
    Xinyuan Wang (George Mason University),
    Dongyan Xu (Purdue University)

  • Semantic: of, pertaining to, or arising from the
    different meanings of words or other symbols
  • Semantics: the study of meanings; the language
    used to achieve a desired effect on an audience,
    especially through the use of words with novel or
    dual meanings

Essential Data/Main Idea
  • There is a recent trend in malware to equip the
    software with stealthy techniques to detect,
    evade and avoid malware detection attempts. The
    fundamental limitation of current host-based anti
    malware systems is that they run inside the host they
    are protecting. This is called "in-the-box", which
    makes them vulnerable to counter-detection and
    avoidance by certain malware.
  • To fix this limitation, many solutions use
    Virtual Machine technologies and place the
    malware detection facilities outside of the
    protected VM bubble. This is called
    "out-of-the-box". Yet they gain resistance to
    being broken into at the cost of losing the internal
    semantic view of the host which is enjoyed by the
    "in-the-box" approach. This causes a technical
    challenge called the "semantic gap".

  • The paper is about the design, implementation and
    evaluation of VMwatcher, an "out of the box"
    approach that overcomes the semantic gap
  • New technique called "guest view casting"
  • Developed to reconstruct internal semantic views
    (files, processes and kernel modules) of a VM from the
    outside, rather than the typical inside approach.

  • The new technique casts semantic definitions of guest
    OS data structures and functions onto the
    VM state observed at the Virtual Machine Monitor (VMM)
    level
  • Semantic view reconstructed from multiple
  • Reconstructing these details for system call events
    (process, call, parameters, return value) in the
    VM enriches the semantic view.

  • With the semantic gap bridged, we identify two unique
    malware detection capabilities:
  • View comparison-based malware detection and its
    demonstration in rootkit detection
  • Out-of-the-box deployment of host-based anti
    malware software with improved detection accuracy
    and tamper resistance

  • Internet malware (rootkits and bots) is getting
    very sneaky and elusive. It hides its presence
    from anti-malware detection facilities
  • Host-based anti-malware systems are installed
    and executed inside the hosts they are monitoring
    and protecting ("in the box")
  • This makes the anti-malware system visible,
    tangible, and unavoidable to the malware inside
    the host

  • Now, with Virtual Machine technologies, we can use
    this to our advantage: use the strong isolation
    to confine processes inside the VM, so that even if the VM
    is compromised by malware, it will be hard to
    compromise systems outside the VM
  • Semantic gap: the VM view from inside
    the box vs. outside the box
  • Inside view: processes, files, kernel modules
  • Outside view: memory pages, registers, disk blocks

In the Box vs Out of the Box
VM Watcher
  • There are advantages to both views.
  • VMwatcher, a VMM-based out-of-the-box approach,
    overcomes the semantic gap challenge
  • It obtains the Virtual Machine view in a non-
    intrusive manner, so it can inspect low-level VM
    state without influencing the VM's execution
  • Guest view casting: a new technique

Guest View Casting
  • This new approach reconstructs the VM's internal
    view (files, directories, processes, and kernel-level modules)
    for out-of-the-box malware detection
  • Based on the observation that the guest Operating
    System of a VM provides all the necessary
    definitions of guest data structures and functions
    to construct the VM semantic view: cast them onto
    the VMM-level observations
  • This externally recreates the semantic view of the
    target Virtual Machine

Design Goals
  • VMwatcher should not disturb the system state of
    the VM being monitored
  • VMwatcher should narrow the semantic gap so that
    malware detection systems that run inside the VM can
    also run outside the VM
  • VMwatcher should be generic and applicable to a
    wide range of existing VMMs.
  • 2 approaches: full virtualization (VMware, QEMU) and
    para-virtualization (Xen, User Mode Linux)

Enabling Techniques
  • Non-intrusive VM introspection provides low-level
    VM states externally: a non-intrusive technique to
    gain the full VM state, including registers and memory
  • Guest view casting: external reconstruction of
    the semantic-level view of the VM, thus bridging the
    semantic gap

  • VMwatcher was implemented with 4 existing VMMs: VMware, QEMU, Xen
    and UML. The implementation details:
  • Open-source VMMs: QEMU, Xen, UML. Closed-source
    VMware only exposes raw disk blocks and raw memory
    pages. Open source allows full access to low-level
    VM states and events

Narrowing Semantic Gap
  • 3 unique detection/monitoring capabilities:
  • (i) view comparison-based malware detection and
    its demonstration in rootkit detection
  • (ii) out-of-the-box deployment of off-the-shelf
    anti-malware software with improved detection
    accuracy and tamper-resistance
  • (iii) non-intrusive system call monitoring for
    malware and intrusion behavior observation

  • Evaluation experiments with real-world malware
  • Includes elusive kernel-level rootkits
  • Demonstrates VMwatcher's practicality and
  • 1 View comparison on volatile states
  • 2 View comparison on persistent states
  • 3 View comparison on both volatile and
    persistent states
  • 4 Cross-platform malware detection

1 View comparison on volatile states
  • Involves the Windows kernel FU rootkit. It runs and
    hides the process with PID 336. VMware is running with
    host OS Scientific Linux 4.4 and guest OS
    Windows XP SP2.
  • A Windows cmd shell (PID 1080) is created and
    invokes the FU rootkit to hide process 336. The hidden
    process is running an SSH client. The Windows Task Manager does not
    list the SSH client process, indicating that this process
    has been hidden
  • Exposed by the VMwatcher external view.
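As an added example (not code from the paper or from these slides), here is a toy Python model of the two steps the slides describe: guest view casting applies the guest's own structure layout to raw VMM-level memory to rebuild a process list, and view comparison diffs that outside view against what the guest itself reported. The struct layout, the memory image, the list head and the process names are constructed for illustration and are not real Windows or Linux kernel structures.

```python
import struct

# Constructed toy task struct: pid (u32), comm[16], next pointer (u32 guest address).
# Assumption for illustration only; not the real EPROCESS/task_struct layout.
TASK_FMT = "<I16sI"
TASK_SIZE = struct.calcsize(TASK_FMT)

def build_guest_memory(tasks, base=0x1000):
    """Lay constructed task structs into a bytearray as a singly linked list."""
    mem = bytearray(base + TASK_SIZE * (len(tasks) + 1))
    for i, (pid, comm) in enumerate(tasks):
        addr = base + i * TASK_SIZE
        nxt = base + (i + 1) * TASK_SIZE if i + 1 < len(tasks) else 0
        struct.pack_into(TASK_FMT, mem, addr, pid, comm.encode(), nxt)
    return mem, base

def cast_task(mem, addr):
    """Guest view casting: apply the guest's struct definition to raw bytes."""
    pid, comm, nxt = struct.unpack_from(TASK_FMT, mem, addr)
    return pid, comm.rstrip(b"\0").decode(), nxt

def outside_process_view(mem, list_head, max_walk=4096):
    """Reconstruct the process list from the VMM side by walking the guest list.
    Cycle and bounds checks keep a corrupted pointer from hanging the walker."""
    seen, view, addr = set(), {}, list_head
    while addr and addr not in seen and len(seen) < max_walk:
        if addr + TASK_SIZE > len(mem):
            break  # pointer leaves guest memory: stop rather than read garbage
        seen.add(addr)
        pid, comm, addr = cast_task(mem, addr)
        view[pid] = comm
    return view

def hidden_processes(inside_view, outside_view):
    """View comparison: processes present in the outside view but absent inside."""
    return {pid: name for pid, name in outside_view.items() if pid not in inside_view}

# Constructed sample: the in-the-box listing omits PID 336, like the FU rootkit case.
GUEST_MEM, HEAD = build_guest_memory(
    [(4, "System"), (336, "SSHClient.exe"), (1080, "cmd.exe")])
INSIDE_VIEW = {4: "System", 1080: "cmd.exe"}  # what the guest's task list reported

if __name__ == "__main__":
    print(hidden_processes(INSIDE_VIEW, outside_process_view(GUEST_MEM, HEAD)))
```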

Experiment 1
  • The small box with solid lines indicates the
    SSHClient.exe process, which is not shown by the Windows Task
    Manager
  • VMwatcher can be readily adopted by real-world
    honeypots to detect in-the-wild rootkit attacks.
  • Recent incidents also show the same FU rootkit
    has been actively used to hide the presence of
    advanced bots

Experiment 1
Ex 3 - Adore-ng Rootkit
  • Advanced Linux kernel rootkit that replaces
    kernel-level function pointers to hide files and processes
  • Adore-ng infection on a Xen Fedora Core 4 virtual
    machine
  • Four xterm windows:
  • 0: inside the VM, where the adore-ng kernel module is
    loaded with a backdoor process, PID 1490
  • 1: external view of the VM's mounted devices
  • 2: files under the directory /root/demo in the VM
  • 3: currently running processes inside the VM

Experiment 3 - Volatile and Persistent States
Out of the box Malware Detection
Anti-Virus Scanning Time
  • VMwatcher is a VMM-based approach that enables out-of-
    the-box malware detection
  • Addresses the semantic gap challenge
  • VMwatcher has stronger tamper resistance by
    moving anti-malware facilities out of the
    monitored VM while maintaining a current semantic
    view of the VM inside the box via external
    semantic view reconstruction

  • The VMwatcher prototype on Linux and Windows
    platforms shows its practical nature and
  • The experiments with real-world self-hiding
    rootkits demonstrate the power of the new malware
    detection capabilities introduced by VMwatcher

Good/Bad Points
  • Good points: very concrete experiments shown
    towards the end of the paper that brought it all
  • Used a variety of open source and proprietary
    Operating Systems and current anti-virus
    software in experimentation
  • Bad points: Was not able to discuss Experiments 2
    and 4 due to time constraints (me)
  • Guest view casting figures were confusing

Good/Bad Points
  • Vocabulary used was very extensive and advanced
  • With the technical nature of the paper, the
    vocabulary used should have been more basic in
    nature to facilitate better understanding
  • Had to reread the paper a few times to understand
    the gist of the paper

Improvements Future Work
  • Great experiments were done in relation to
    malware/rootkit detection
  • Virtual Machine experimentation was great. Liked
    the use of open source VMMs such as Xen, QEMU,
    and UML.
  • Talked about different VM types: full vs.
    para-virtualization. Future work with this would be
  • Further discussion of honeypots and in-the-
    wild rootkit attacks would improve the paper