DocumentCode
1949986
Title
A New Procedure to Help System/Network Administrators Identify Multiple Rootkit Infections
Author
Lobo, Desmond ; Watters, Paul ; Wu, Xin-Wen
Author_Institution
Internet Commerce Security Lab., Univ. of Ballarat, Ballarat, VIC, Australia
fYear
2010
fDate
26-28 Feb. 2010
Firstpage
124
Lastpage
128
Abstract
Rootkits refer to software that is used to hide the presence of malware from system/network administrators and permit an attacker to take control of a computer. In our previous work, we designed a system that would categorize rootkits based on the hooks that had been created. Focusing on rootkits that use inline function hooking techniques, we showed that our system could successfully categorize a sample of rootkits using unsupervised EM clustering. In this paper, we extend our previous work by outlining a new procedure to help system/network administrators identify the rootkits that have infected their machines. Using a logistic regression model for profiling families of rootkits, we were able to identify at least one of the rootkits that had infected each of the systems that we tested.
Keywords
computer network security; expectation-maximisation algorithm; invasive software; pattern clustering; regression analysis; inline function hooking technique; logistic regression model; malware; multiple rootkit infection; network administrator; system administrator; unsupervised EM clustering; Business; Communication system security; Communication system software; Computer network management; Computer networks; Computer security; Control systems; IP networks; Laboratories; Logistics; logistic regression; network security; profiling; rootkits
fLanguage
English
Publisher
ieee
Conference_Titel
Communication Software and Networks, 2010. ICCSN '10. Second International Conference on
Conference_Location
Singapore
Print_ISBN
978-1-4244-5726-7
Electronic_ISBN
978-1-4244-5727-4
Type
conf
DOI
10.1109/ICCSN.2010.14
Filename
5437619