
A Host Based Kernel Level Rootkit Detection Mechanism Using Clustering Technique

  • Conference paper
Trends in Computer Science, Engineering and Information Technology (CCSEIT 2011)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 204)

Abstract

Rootkits are a set of software tools used by an attacker to gain unauthorized access to a system, giving the attacker the privilege to access sensitive data, conceal the rootkit's own existence, and install other malicious software. They are difficult to detect because of their elusive nature. Modern rootkit attacks mainly focus on modifying the operating system kernel. Existing detection techniques rely mainly on saving the system state before detection and comparing it with the infected state. Efficient detection is possible by properly differentiating malicious from non-malicious activities taking place in the kernel. In this paper we present a novel anomaly detection method for kernel-level rootkits based on the k-means clustering algorithm.
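As an added illustration of the approach the abstract describes (example code written here, not the paper's own implementation): per-process kernel activity is summarised as a feature vector, k-means learns clusters of normal behaviour from a clean baseline, and a new observation is flagged when it lies well outside every learned cluster. The feature choice, the baseline values and the slack/floor thresholds are assumptions made for this example.

```python
import math
# Constructed baseline of per-process kernel activity (assumed features, not the paper's):
# (system calls per second, distinct system calls used, writes into kernel text / syscall table)
BASELINE = [
    (120.0, 15.0, 0.0), (135.0, 17.0, 0.0), (110.0, 14.0, 0.0),  # interactive shells
    (900.0, 40.0, 0.0), (950.0, 42.0, 0.0), (880.0, 38.0, 0.0),  # busy daemons
    (12.0, 5.0, 0.0), (10.0, 4.0, 0.0), (15.0, 6.0, 0.0),        # idle helpers
]

def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def fit_scaler(points):
    """Per-feature mean and std so that no raw unit dominates the distance."""
    cols = list(zip(*points))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0  # constant feature -> std 1
            for c, m in zip(cols, means)]
    return means, stds

def scale(p, scaler):
    return tuple((v - m) / s for v, m, s in zip(p, *scaler))

def nearest(p, centroids):
    return min(range(len(centroids)), key=lambda i: euclid(p, centroids[i]))

def kmeans(points, k, iters=50):
    """Lloyd's k-means with a deterministic, spread-out initialisation."""
    centroids = [tuple(p) for p in points[::max(1, len(points) // k)][:k]]
    for _ in range(iters):
        groups = [[] for _ in centroids]
        for p in points:
            groups[nearest(p, centroids)].append(p)
        new = [tuple(sum(c) / len(g) for c in zip(*g)) if g else centroids[i]
               for i, g in enumerate(groups)]
        if new == centroids:
            break
        centroids = new
    return centroids

def train(points, k=3):
    """Learn clusters of normal activity plus each cluster's baseline radius."""
    scaler = fit_scaler(points)
    scaled = [scale(p, scaler) for p in points]
    centroids = kmeans(scaled, k)
    radii = [max([euclid(p, c) for p in scaled if nearest(p, centroids) == i] or [0.0])
             for i, c in enumerate(centroids)]
    return scaler, centroids, radii

def is_anomalous(observation, model, slack=2.0, floor=0.5):
    """True when the nearest cluster is farther than slack * its radius (floor guards tight clusters)."""
    scaler, centroids, radii = model
    p = scale(observation, scaler)
    i = nearest(p, centroids)
    return euclid(p, centroids[i]) > slack * max(radii[i], floor)
MODEL = train(BASELINE)
```

A process that looks like a normal shell but writes into kernel text lands far from every cluster and is flagged, while an ordinary shell is not.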




© 2011 Springer-Verlag Berlin Heidelberg

Cite this paper

Joy, J., John, A. (2011). A Host Based Kernel Level Rootkit Detection Mechanism Using Clustering Technique. In: Nagamalai, D., Renault, E., Dhanuskodi, M. (eds) Trends in Computer Science, Engineering and Information Technology. CCSEIT 2011. Communications in Computer and Information Science, vol 204. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24043-0_57

  • DOI: https://doi.org/10.1007/978-3-642-24043-0_57

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-24042-3

  • Online ISBN: 978-3-642-24043-0
