Abstract
Rootkits are stealthy, malicious software that allows an attacker to gain and maintain control of a system, attack other systems, destroy evidence, and decrease the chance of detection. Existing detection methods typically rely on a priori knowledge and operate by either (a) saving the system state before infection and comparing it with the post-infection state, or (b) installing a detection program before infection. The approach presented here instead detects infection using reduced a priori knowledge: general knowledge of the statistical properties of broad classes of operating system/architecture pairs.
A modified normality-based approach proved effective in detecting kernel rootkits that infect the kernel via the system call target modification attack. The approach capitalizes on the discovery that system call handlers are loaded into memory sequentially: the higher-level calls, which are the ones kernel rootkits are most likely to modify, are loaded first, and the lower-level calls are loaded later. In the single case evaluated, the enyelkm rootkit, neither false positives nor false negatives were indicated. The enyelkm rootkit was selected for analysis because it infects the Linux kernel via the system call target modification attack, which is the subject of this research.
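The abstract does not spell out which outlier statistic its "modified normality based approach" uses, so the following is an added illustration rather than the paper's own code. It models the situation the abstract describes: in an uninfected kernel the entries of the system call table point into one contiguous, sequentially loaded handler region, while a loadable-module rootkit that performs the system call target modification attack must redirect an entry to its own code, which lives in a separately mapped area far from the rest. Every address, stride and syscall position below is constructed for the example (the names are real syscall names but the numbering is not Linux's), and the choice of the modified z-score (median and median absolute deviation, Iglewicz and Hoaglin's rule) as the "modified" test is an assumption. The plain z-score is run alongside it to show the caveat a practitioner should know: when several calls are hooked at once, the mean and standard deviation are themselves dragged toward the hooked cluster and can mask every hook, whereas the median-based version is not.

```python
"""Outlier test over system call table target addresses (added example).

Assumes a 32-bit, 2.6-era Linux layout in which handlers sit back to back in
kernel text and an LKM rootkit's code lands in a distant module area.  No
pre-infection snapshot is used: the table is judged only against itself.
"""
import statistics
from typing import Dict, Iterable, Set

# All constants are CONSTRUCTED for illustration, not taken from a real kernel.
KERNEL_TEXT_BASE = 0xC0102000   # assumed start of the handler region
HANDLER_STRIDE = 0x160          # assumed spacing of sequentially loaded handlers
MODULE_BASE = 0xE0A6B000        # assumed location of the rootkit module's code

# 40 constructed entries; positions here are NOT the Linux syscall numbers.
SYSCALL_NAMES = [
    "restart_syscall", "exit", "fork", "read", "write", "open", "close",
    "waitpid", "creat", "link", "unlink", "execve", "chdir", "time",
    "mknod", "chmod", "lchown", "stat", "lseek", "getpid", "mount",
    "umount", "setuid", "getuid", "stime", "ptrace", "alarm", "fstat",
    "pause", "utime", "access", "nice", "sync", "kill", "rename", "mkdir",
    "rmdir", "dup", "pipe", "getdents64",
]


def clean_table() -> Dict[str, int]:
    """Uninfected table: handler i is at base + i*stride (sequential load)."""
    return {name: KERNEL_TEXT_BASE + i * HANDLER_STRIDE
            for i, name in enumerate(SYSCALL_NAMES)}


def hook(table: Dict[str, int], names: Iterable[str]) -> Dict[str, int]:
    """Simulate the system call target modification attack: point the listed
    entries into module memory and leave every other entry untouched."""
    infected = dict(table)
    for k, name in enumerate(names):
        infected[name] = MODULE_BASE + k * 0x200
    return infected


def zscore_outliers(table: Dict[str, int], threshold: float = 3.0) -> Set[str]:
    """Classical normality-based test: flag |x - mean| / stdev > threshold.

    Mean and stdev are pulled toward a cluster of hooked entries, so several
    simultaneous hooks can mask one another and nothing gets flagged."""
    values = list(table.values())
    mu, sigma = statistics.mean(values), statistics.pstdev(values)
    if sigma == 0:                      # all entries identical: nothing to judge
        return set()
    return {n for n, a in table.items() if abs(a - mu) / sigma > threshold}


def modified_zscore_outliers(table: Dict[str, int],
                             threshold: float = 3.5) -> Set[str]:
    """Robust variant: flag 0.6745 * |x - median| / MAD > threshold.

    Median and MAD are unaffected until roughly half the table is hooked, so
    a handful of hooks stand out regardless of how many there are."""
    values = list(table.values())
    med = statistics.median(values)
    mad = statistics.median(abs(a - med) for a in values)
    if mad == 0:
        return set()
    return {n for n, a in table.items()
            if 0.6745 * abs(a - med) / mad > threshold}


if __name__ == "__main__":
    infected = hook(clean_table(), ["read", "write", "open", "kill", "getdents64"])
    print("z-score flagged:         ", sorted(zscore_outliers(infected)))
    print("modified z-score flagged:", sorted(modified_zscore_outliers(infected)))
```

On the constructed data both tests are silent on the clean table and both catch a single hooked entry, but with five entries hooked the plain z-score flags nothing while the median-based test still names exactly the five. How the table is read off a live kernel (and the threshold appropriate for a given OS/architecture class) is outside this snippet; the point is that no saved copy of the table is needed, which is the reduced a priori knowledge the abstract argues for.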