Motivation

Cyberattacks pose a significant and steadily growing threat to businesses and government organizations. To address this challenge, proactive and preventive security mechanisms continue to be a crucial pillar in the architecture of secure IT systems; their aim is to prevent attacks by design. However, the practical implementation of proactive mechanisms is incomplete and does not provide comprehensive security, as evidenced by daily cyberattacks on businesses and government agencies. An effective IT security architecture therefore also includes reactive methods that detect attacks as they happen. Endpoint Detection and Response (EDR) software is the practical implementation of such a reactive security solution in many organizations. EDR software is installed on client computers (endpoints) and monitors their behavior for anomalies that may indicate an attack, attempting to thwart such attacks. The behavioral information from the endpoints is aggregated at a higher level to improve detection across the organization. The sensors of today's EDR systems are located primarily in the operating system kernel (as security drivers). If attackers manage to gain system privileges and execute malicious code in kernel context, the functionality of these EDR systems can be significantly compromised or even completely shut down, and further cyberattacks could go unnoticed. Our analyses have shown that modern malware and advanced attackers are increasingly attempting to infiltrate the operating system kernel and disrupt existing EDR software.

HypErSIS team at if(is): A. Schmitz, C. Dietrich, A. Leinweber, M. Gudel, E. Winterstein, A. Karazon, S. Rudi

Goals and Approach

In the project “Hypervisor-Based Intrusion Detection, Reaction, and Prevention for Endpoint Systems (HypErSIS),” the project team focuses on securing virtualized endpoints using hypervisor-based detection methods. Virtualized endpoints are client computers on which a hypervisor runs, hosting one or more virtual machines (VMs); these VMs are the actual (mostly Windows-based) systems that users work with. In the approach pursued in HypErSIS, the sensors are anchored outside the user VMs, in the trusted host environment, and virtualization serves as a secure isolation layer. Attacks occurring within the VMs are no longer capable of disabling the detection mechanisms implemented outside them. Even the infiltration of malware into the operating system kernels of the virtualized systems can be reliably detected and prevented. Since users interact only with the VMs, and only the VMs have access to untrusted external resources (e.g., the internet), only the systems within the VMs are exposed to risk.

To create sensors capable of monitoring activities within the VMs and detecting malicious behavior, the system state within a VM must be reconstructed from the main memory contents that are observable from the outside. This is a significant challenge in the project. The problem is known as the Semantic Gap, and solutions to it fall within the research domain of Virtual Machine Introspection (VMI). Solutions to parts of this problem are known from digital main memory forensics, which has to bridge the same Semantic Gap. The project will therefore investigate how existing memory forensics methods can be mapped onto the basic functions of a virtualization platform. Furthermore, the virtualization technology itself will be explored for its ability to provide more meaningful sensor data.
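The first step in bridging the Semantic Gap is that a sensor outside the VM sees only guest-physical memory, while every pointer inside the guest kernel is a guest-virtual address. The following added example (not code from the HypErSIS project) walks the guest's x86-64 four-level page tables in a raw memory image to translate guest-virtual addresses, including 2 MiB large pages and unmapped addresses; the memory image, table layout and data string are constructed here for illustration.

```python
import struct

# x86-64 four-level paging constants (architecture-defined)
PRESENT = 1 << 0
PAGE_SIZE_BIT = 1 << 7                 # PS bit: 1 GiB page in a PDPTE, 2 MiB page in a PDE
ADDR_MASK = 0x000F_FFFF_FFFF_F000      # bits 51:12 of an entry hold a physical address
LEVEL_SHIFTS = (39, 30, 21, 12)        # PML4, PDPT, PD, PT index positions in a virtual address


def translate_gva(mem: bytes, cr3: int, vaddr: int):
    """Walk the guest's page tables in raw guest-physical memory and return the
    guest-physical address for `vaddr`, or None if some level is not present."""
    table = cr3 & ADDR_MASK
    for level, shift in enumerate(LEVEL_SHIFTS):
        entry_pa = table + ((vaddr >> shift) & 0x1FF) * 8
        entry = struct.unpack_from("<Q", mem, entry_pa)[0]
        if not entry & PRESENT:
            return None
        if level in (1, 2) and entry & PAGE_SIZE_BIT:   # large page: the walk ends here
            page_mask = (1 << shift) - 1
            return (entry & ADDR_MASK & ~page_mask) | (vaddr & page_mask)
        table = entry & ADDR_MASK
    return table | (vaddr & 0xFFF)


def read_guest_virtual(mem: bytes, cr3: int, vaddr: int, size: int):
    """Read bytes at a guest-virtual address (within one page; None if unmapped)."""
    pa = translate_gva(mem, cr3, vaddr)
    return None if pa is None else bytes(mem[pa:pa + size])


def build_sample_guest_memory() -> bytearray:
    """Constructed sample: a 24 KiB guest-physical image with the PML4 at 0x1000,
    a PDPT at 0x2000, a PD at 0x3000, a PT at 0x4000 and a data page at 0x5000."""
    mem = bytearray(0x6000)

    def put(pa, value):
        struct.pack_into("<Q", mem, pa, value)

    put(0x1000 + 0 * 8, 0x2000 | 0x3)                      # PML4[0] -> PDPT (present, writable)
    put(0x2000 + 1 * 8, 0x3000 | 0x3)                      # PDPT[1] -> PD
    put(0x3000 + 2 * 8, 0x4000 | 0x3)                      # PD[2]   -> PT
    put(0x4000 + 3 * 8, 0x5000 | 0x3)                      # PT[3]   -> 4 KiB data page
    put(0x3000 + 4 * 8, 0x200000 | PAGE_SIZE_BIT | 0x3)    # PD[4]   -> 2 MiB page at 0x200000
    mem[0x5123:0x5128] = b"guest"                          # what the VM sees at GVA 0x40403123
    return mem


SAMPLE_MEM = build_sample_guest_memory()
SAMPLE_CR3 = 0x1000   # constructed: guest CR3 as a hypervisor would read it from the vCPU state

if __name__ == "__main__":
    print(hex(translate_gva(SAMPLE_MEM, SAMPLE_CR3, 0x40403123)))
    print(read_guest_virtual(SAMPLE_MEM, SAMPLE_CR3, 0x40403123, 5))
```

On a real system the CR3 value and the memory image come from the hypervisor's vCPU state and guest RAM mapping; everything above that layer (locating kernel structures such as process lists) is the memory forensics part of the Semantic Gap.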

Innovations and Perspectives

As hypervisor-based technology is increasingly employed, expanding the know-how for protecting IT systems with it becomes crucial. The project's results will initially contribute to significantly enhancing security in Windows-based virtualized endpoints. In the future, it is conceivable to transfer the gained knowledge to other platforms and architectures. Hypervisor-based technology also forms the basis for ubiquitous virtualization in data centers and the cloud, and these growth areas likewise need hypervisor-based security solutions. The results of this project can therefore potentially enhance security in cloud computing as well.

Furthermore, the project aims to facilitate knowledge transfer of fundamental insights regarding the use of virtualization technology and the security solutions it provides to industry and research. In this way, the HypErSIS project contributes to the security of corporate and government networks and strengthens the high-tech sector in Germany.

The 3-year joint project HypErSIS is a cooperation of the working group around Prof. Dietrich of the Institute for Internet Security at the Westphalian University of Applied Sciences and Cyberus Technology GmbH. It is funded by the German Federal Ministry of Education and Research (BMBF) with a total of 1.66 million EUR under the funding code 16KIS1745K.


Alexander Schmitz

Researcher

My research interests include computer security, malware analysis and detection systems. I am particularly interested in low-level topics such as operating systems, microprocessors and virtual machine introspection.

Artur Leinweber

Researcher

My research interests include machine learning, computer security and threat hunting. In particular, I use machine learning methods for virtual-machine-introspection-based detection systems.

Anas Karazon

Researcher

My research interests focus on cyber threat intelligence, reverse engineering, and malware analysis. Specifically, I utilize reverse engineering techniques to enhance detection systems through Virtual Machine Introspection (VMI).

Prof. Dr. Christian Dietrich

Professor of Computer Security

My research interests include machine learning, computer security and threat hunting. In particular, I use machine learning methods for virtual-machine-introspection-based detection systems.