Integrity-based kernel malware detection

Kernel-level malware is one of the most dangerous threats to the security of users on the Internet, so there is an urgent need for its detection. The most popular detection approach is misuse-based detection. However, it cannot catch up with today's advanced malware that increasingly apply polymorphism and obfuscation. In this thesis, we present our integrity-based detection for kernel-level malware, which does not rely on the specific features of malware. ^ We have developed an integrity analysis system that can derive and monitor integrity properties for commodity operating systems kernels. In our system, we focus on two classes of integrity properties: data invariants and integrity of Kernel Queue (KQ) requests. ^ We adopt static analysis for data invariant detection and overcome several technical challenges: field-sensitivity, array-sensitivity, and pointer analysis. We identify data invariants that are critical to system runtime integrity from Linux kernel 2.4.32 and Windows Research Kernel (WRK) with very low false positive rate and very low false negative rate. We then develop an Invariant Monitor to guard these data invariants against real-world malware. In our experiment, we are able to use Invariant Monitor to detect ten real-world Linux rootkits and nine real-world Windows malware and one synthetic Windows malware. ^ We leverage static and dynamic analysis of kernel and device drivers to learn the legitimate KQ requests. Based on the learned KQ requests, we build KQguard to protect KQs. At runtime, KQguard rejects all the unknown KQ requests that cannot be validated. We apply KQguard on WRK and Linux kernel, and extensive experimental evaluation shows that KQguard is efficient (up to 5.6% overhead) and effective (capable of achieving zero false positives against representative benign workloads after appropriate training and very low false negatives against 125 real-world malware and nine synthetic attacks). ^ In our system, Invariant Monitor and KQguard cooperate together to protect data invariants and KQs in the target kernel. By monitoring these integrity properties, we can detect malware by its violation of these integrity properties during execution.^

Integrity-Based Kernel Malware Detection

Kernel-level malware is one of the most dangerous threats to the security of users on the Internet, so there is an urgent need for its detection. The most popular detection approach is misuse-based detection. However, it cannot catch up with today's advanced malware that increasingly apply polymorphism and obfuscation. In this thesis, we present our integrity-based detection for kernel-level malware, which does not rely on the specific features of malware. We have developed an integrity analysis system that can derive and monitor integrity properties for commodity operating systems kernels. In our system, we focus on two classes of integrity properties: data invariants and integrity of Kernel Queue (KQ) requests. We adopt static analysis for data invariant detection and overcome several technical challenges: field-sensitivity, array-sensitivity, and pointer analysis. We identify data invariants that are critical to system runtime integrity from Linux kernel 2.4.32 and Windows Research Kernel (WRK) with very low false positive rate and very low false negative rate. We then develop an Invariant Monitor to guard these data invariants against real-world malware. In our experiment, we are able to use Invariant Monitor to detect ten real-world Linux rootkits and nine real-world Windows malware and one synthetic Windows malware. We leverage static and dynamic analysis of kernel and device drivers to learn the legitimate KQ requests. Based on the learned KQ requests, we build KQguard to protect KQs. At runtime, KQguard rejects all the unknown KQ requests that cannot be validated. We apply KQguard on WRK and Linux kernel, and extensive experimental evaluation shows that KQguard is efficient (up to 5.6% overhead) and effective (capable of achieving zero false positives against representative benign workloads after appropriate training and very low false negatives against 125 real-world malware and nine synthetic attacks). In our system, Invariant Monitor and KQguard cooperate together to protect data invariants and KQs in the target kernel. By monitoring these integrity properties, we can detect malware by its violation of these integrity properties during execution.

Synthetic studies of azulenyl and pseudoazulenyl nitrones

Free radicals have been implicated in various pathological conditions such as, stroke, aging and ischemic heart disease (IHD), as well as neurodegenerative diseases like Alzheimer’s, Parkinson’s, and Huntington’s disease. The role of antioxidants in protection from the harmful effects of free radicals has long been recognized. Trapping extremely reactive free radicals and eliminating them from circulation has been shown to be effective in animal models. Nitrone-based free radical traps have been extensively explored in biological systems. Examples include nitrones such as PBN, NXY-059, MDL-101,002, DMPO and EMPO. However, these nitrones have extremely high oxidation potentials as compared to natural antioxidants such as Vitamin E (α-tocopherol), and glutathione. Becker et al. (1995) synthesized novel azulenyl nitrones, which were shown to have oxidation potentials much lower than that of any of the previously reported nitrone based spin traps. Another azulenyl nitrone derivative, stilbazulenyl nitrone (STAZN), was shown to have an even lower oxidation potential within the range of natural antioxidants. STAZN, a second generation free radical trap, was found to be markedly superior than the two most studied nitrones, PBN and NXY-059, in animal models of cerebral ischemia and in an in vitro assay of lipid peroxidation. In this study, a third generation azulenyl nitrone was synthesized with an electron donating group on the previously synthesized STAZN derivative with the aim to lower the oxidation potential even more. Pseudoazulenes, because of the presence of an annular heteroatom, have been reported to possess even lower oxidation potential than that of the azulenyl counterpart. Therefore, pseudoazulenyl nitrones were synthesized for the first time by extracting and elaborating valtrate from the roots of Centranthus ruber (Red valerian or Jupiter’s beard). Several pseudoazulenyl nitrones were synthesized by using a facile experimental protocol. The physical and biological properties of these pseudoazulenyl nitrones can be easily modified by simply changing the substituent on the heteroatom. Cyclic voltammetry experiments have shown that these pseudoazulenyl nitrones do indeed have low oxidation potentials. The oxidation potential of these nitrones was lowered even more by preparing derivatives bearing an electron donating group at the 3-position of the five membered ring of the pseudoazulenyl nitrone.

Synthesis of a PbTx-2 photoaffinity and fluorescent probe and an alternative synthetic route to photoaffinity probes

A natural phenomenon characterized by dense aggregations of unicellular photosynthetic marine organisms has been termed colloquially as red tides because of the vivid discoloration of the water. The dinoflagellate Karenia brevis is the cause of the Florida red tide bloom. K. brevis produces the brevetoxins, a potent suite of neurotoxins responsible for substantial amounts of marine mammal and fish mortalities. When consumed by humans, the toxin causes Neurotoxic Shellfish Poisoning (NSP). The native function of brevetoxin within the organism has remained mysterious since its discovery. There is a need to identify factors which contribute to and regulate toxin production within K. brevis. These toxins are produced and retained within the cell implicating a significant cellular role for their presence. Localization of brevetoxin and identification of a native receptor may provide insight into its native role as well as other polyether ladder type toxins such as the ciguatoxins, maitotoxins, and yessotoxins. In higher organisms these polyether ladder molecules bind to transmembrane proteins with high affinity. We anticipated the native brevetoxin receptor would also be a transmembrane protein. Photoaffinity labeling has become increasingly popular for identifying ligand receptors. By attaching ligands to these photophors, one is able to activate the molecule after the ligand binds to its receptor to obtain a permanent linkage between the two. Subsequent purification provides the protein with the ligand directly attached. A molecule that is capable of fluorescence is a fluorophore, which upon excitation is capable of re-emitting light. Fluorescent labeling uses fluorophores by attaching them covalently to biologically active compounds. The synthesis of a brevetoxin photoaffinity probe and its application in identifying a native brevetoxin receptor will be described. The preparation of a fluorescent derivative of brevetoxin will be described and its use in localizing the toxin to an organelle within K. brevis. In addition, the general utility of a synthesized photoaffinity label with other toxins having similar functionality will be described. An alternative synthetic approach to a general photoaffinity label will also be discussed whose goal was to accelerate the preparation and improve the overall synthetic yields of a multifunctional label.

Synthetic Studies of Azulenyl and Pseudoazulenyl Nitrones

Free radicals have been implicated in various pathological conditions such as, stroke, aging and ischemic heart disease (IHD), as well as neurodegenerative diseases like Alzheimer’s, Parkinson’s, and Huntington’s disease. The role of antioxidants in protection from the harmful effects of free radicals has long been recognized. Trapping extremely reactive free radicals and eliminating them from circulation has been shown to be effective in animal models. Nitrone-based free radical traps have been extensively explored in biological systems. Examples include nitrones such as PBN, NXY-059, MDL-101,002, DMPO and EMPO. However, these nitrones have extremely high oxidation potentials as compared to natural antioxidants such as Vitamin E (á-tocopherol), and glutathione. Becker et al. (1995) synthesized novel azulenyl nitrones, which were shown to have oxidation potentials much lower than that of any of the previously reported nitrone based spin traps. Another azulenyl nitrone derivative, stilbazulenyl nitrone (STAZN), was shown to have an even lower oxidation potential within the range of natural antioxidants. STAZN, a second generation free radical trap, was found to be markedly superior than the two most studied nitrones, PBN and NXY-059, in animal models of cerebral ischemia and in an in vitro assay of lipid peroxidation. In this study, a third generation azulenyl nitrone was synthesized with an electron donating group on the previously synthesized STAZN derivative with the aim to lower the oxidation potential even more. Pseudoazulenes, because of the presence of an annular heteroatom, have been reported to possess even lower oxidation potential than that of the azulenyl counterpart. Therefore, pseudoazulenyl nitrones were synthesized for the first time by extracting and elaborating valtrate from the roots of Centranthus ruber (Red valerian or Jupiter’s beard). Several pseudoazulenyl nitrones were synthesized by using a facile experimental protocol. The physical and biological properties of these pseudoazulenyl nitrones can be easily modified by simply changing the substituent on the heteroatom. Cyclic voltammetry experiments have shown that these pseudoazulenyl nitrones do indeed have low oxidation potentials. The oxidation potential of these nitrones was lowered even more by preparing derivatives bearing an electron donating group at the 3-position of the five membered ring of the pseudoazulenyl nitrone.