Abstract
A rootkit is a set of software tools that an attacker installs after compromising a system in order to keep unauthorized, privileged access to it: it lets the attacker read sensitive data, conceal its own presence, and install further malicious software. Rootkits are difficult to detect because they are built to hide. Modern rootkit attacks focus mainly on modifying the operating system kernel. Existing detection techniques rely mainly on recording a known-good system state and comparing it with the current, possibly infected, state. Efficient detection is possible only if malicious and non-malicious activity taking place in the kernel can be reliably told apart. In this paper we present a novel anomaly detection method for kernel-level rootkits based on the k-means clustering algorithm.
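The abstract describes the method only at the level of "k-means clustering over kernel activity". The Python below is an added example written for this page, not the authors' code: it fits k-means on a constructed baseline of kernel-state observations and then flags a new observation as anomalous when its distance to the nearest centroid exceeds anything the baseline produced. The feature set (system calls per window, syscall table entries pointing outside the kernel text segment, tasks present in the task list but missing from /proc, modules present in the module list but missing from /sys/module), the sample values, the z-score scaling, the farthest-first seeding and the 1.5× threshold margin are all assumptions chosen for illustration.

```python
"""Added example: k-means anomaly detection over kernel-state observations.

Illustrative code for this page, not the paper's implementation. The features,
the baseline data and the threshold rule are assumptions; the abstract only
states that k-means is used to separate malicious from benign kernel activity.
"""
import math
from typing import Dict, List

Vector = List[float]

# Constructed baseline (assumed features, one row per observation window):
#   [0] system calls observed in the window
#   [1] syscall table entries whose target lies outside the kernel text segment
#   [2] tasks found by walking the kernel task list but missing from /proc
#   [3] modules in the kernel module list but missing from /sys/module
# The baseline alternates between an idle and a busy mode; no hooks, hidden
# tasks or hidden modules were present while it was recorded.
CLEAN_OBSERVATIONS: List[Vector] = [
    [100, 0, 0, 0], [900, 0, 0, 0], [120, 0, 0, 0], [950, 0, 0, 0],
    [110, 0, 0, 0], [1000, 0, 0, 0], [130, 0, 0, 0], [1050, 0, 0, 0],
    [140, 0, 0, 0], [1100, 0, 0, 0], [115, 0, 0, 0], [980, 0, 0, 0],
]


def _distance(a: Vector, b: Vector) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def _mean(points: List[Vector]) -> Vector:
    return [sum(p[i] for p in points) / len(points) for i in range(len(points[0]))]


def fit_scaler(points: List[Vector]):
    """Per-feature mean and population std dev from the baseline."""
    means = _mean(points)
    stds = []
    for i, m in enumerate(means):
        std = math.sqrt(sum((p[i] - m) ** 2 for p in points) / len(points))
        # A feature that is constant in the baseline (e.g. zero hooks) gets unit
        # scale, so any deviation counts as one full unit instead of dividing by 0.
        stds.append(std if std > 0 else 1.0)
    return means, stds


def scale(point: Vector, means: Vector, stds: Vector) -> Vector:
    return [(x - m) / s for x, m, s in zip(point, means, stds)]


def k_means(points: List[Vector], k: int, max_iter: int = 100) -> List[Vector]:
    """Lloyd's algorithm with deterministic farthest-first seeding."""
    centroids = [list(points[0])]
    while len(centroids) < k:
        far = max(points, key=lambda p: min(_distance(p, c) for c in centroids))
        centroids.append(list(far))
    assignment = None
    for _ in range(max_iter):
        new_assignment = [min(range(k), key=lambda j: _distance(p, centroids[j]))
                          for p in points]
        if new_assignment == assignment:   # converged
            break
        assignment = new_assignment
        for j in range(k):
            members = [p for p, a in zip(points, assignment) if a == j]
            if members:                    # an empty cluster keeps its centroid
                centroids[j] = _mean(members)
    return centroids


def fit_detector(clean: List[Vector], k: int = 2, margin: float = 1.5) -> Dict:
    """Cluster the clean baseline; the threshold is the largest distance any
    baseline point has to its nearest centroid, widened by `margin`."""
    means, stds = fit_scaler(clean)
    scaled = [scale(p, means, stds) for p in clean]
    centroids = k_means(scaled, k)
    radius = max(min(_distance(p, c) for c in centroids) for p in scaled)
    return {"means": means, "stds": stds, "centroids": centroids,
            "threshold": margin * radius}


def anomaly_score(model: Dict, obs: Vector) -> float:
    z = scale(obs, model["means"], model["stds"])
    return min(_distance(z, c) for c in model["centroids"])


def is_anomalous(model: Dict, obs: Vector) -> bool:
    return anomaly_score(model, obs) > model["threshold"]


if __name__ == "__main__":
    model = fit_detector(CLEAN_OBSERVATIONS)
    for obs in ([950, 3, 2, 1], [118, 0, 1, 0], [1020, 0, 0, 0], [600, 0, 0, 0]):
        print(obs, round(anomaly_score(model, obs), 3), is_anomalous(model, obs))
```

Two things the run shows that the abstract does not. First, because the hook and hiding counters are constant (zero) in the baseline, a single hidden task during an idle window already lands well outside the threshold, so the detector is sensitive to exactly the state changes a kernel rootkit produces. Second, a benign window at a load level the baseline never contained ([600, 0, 0, 0]) is flagged too: a behavioural baseline must cover the system's normal operating range, and integrity-type features (hooked entries, hidden objects) deserve more weight than workload counters if false positives are to stay low.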
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
Cite this paper
Joy, J., John, A. (2011). A Host Based Kernel Level Rootkit Detection Mechanism Using Clustering Technique. In: Nagamalai, D., Renault, E., Dhanuskodi, M. (eds) Trends in Computer Science, Engineering and Information Technology. CCSEIT 2011. Communications in Computer and Information Science, vol 204. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24043-0_57
DOI: https://doi.org/10.1007/978-3-642-24043-0_57
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-24042-3
Online ISBN: 978-3-642-24043-0
eBook Packages: Computer Science, Computer Science (R0)