research-article

A normality based method for detecting kernel rootkits

Published: 01 April 2008

Abstract

Rootkits are stealthy, malicious software that allow an attacker to gain and maintain control of a system, attack other systems, destroy evidence, and decrease the chance of detection. Existing detection methods typically rely on a priori knowledge and operate by either (a) saving the system state before infection and comparing this information post infection, or (b) installing a detection program before infection. This approach focuses on detection using reduced a priori knowledge in the form of general knowledge of the statistical properties of broad classes of operating system/architecture pairs.

A modified normality based approach proved effective in detecting kernel rootkits that infect the kernel via the system call target modification attack. This approach capitalizes on the discovery that system calls are loaded into memory sequentially, with the higher level calls, which are more likely to be infected by kernel rootkits, loaded first and the lower level calls loaded later. In the single case evaluated, the enyelkm rootkit, neither false positives nor false negatives were indicated. The enyelkm rootkit was selected for analysis since it infects the Linux kernel via the system call target modification attack, which is the subject of this research.
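As an added illustration, not code from the paper, the following Python models the idea above on a constructed system call table: handler addresses laid out sequentially in kernel text, one entry redirected to a hypothetical loadable-module address (the target modification attack), and an outlier check over the residuals of a linear fit of address against table index. The base address, module address, table size and z-score threshold are all assumptions.

```python
# Added example: normality-based outlier check over a constructed sys_call_table.
# Not the paper's code; addresses, table size and threshold are assumptions.
import statistics

KERNEL_TEXT_BASE = 0xC0100000   # hypothetical start of kernel text
MODULE_REGION = 0xF8A3C000      # hypothetical address inside a loaded kernel module


def build_clean_table(n=16, stride=0x140):
    """Constructed table: handlers placed sequentially with a little size jitter."""
    return [KERNEL_TEXT_BASE + i * stride + (i % 3) * 0x10 for i in range(n)]


def infect(table, index, target=MODULE_REGION):
    """Model the system call target modification attack: one entry now
    points outside the sequential kernel-text layout."""
    modified = list(table)
    modified[index] = target
    return modified


def linear_residuals(table):
    """Residuals from a least-squares line fitted to (index, address).
    A clean table is close to linear, so residuals are small."""
    xs = list(range(len(table)))
    mx, my = sum(xs) / len(xs), sum(table) / len(table)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, table))
    slope = sxy / sxx
    return [y - (my + slope * (x - mx)) for x, y in zip(xs, table)]


def detect_outliers(table, z_threshold=3.0):
    """Return indices whose residual deviates from the mean residual by more
    than z_threshold standard deviations (assumed threshold)."""
    res = linear_residuals(table)
    sd = statistics.pstdev(res)
    if sd == 0:
        return []
    mean = statistics.fmean(res)
    return [i for i, r in enumerate(res) if abs(r - mean) / sd > z_threshold]


if __name__ == "__main__":
    clean = build_clean_table()
    print("clean table flagged:", detect_outliers(clean))          # []
    print("infected table flagged:", detect_outliers(infect(clean, 5)))  # [5]
```

With sixteen entries a single redirected target yields a z-score near the sample maximum of sqrt(n-1), so it is flagged even at the table's ends, while the jitter of the clean table stays below z = 1.5.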

