DocumentCode
2556204
Title
A rule-based approach for rootkit detection
Author
Wang, Jianxiong
Author_Institution
Coll. of Geol. Eng. & Geomatics, Chang'an Univ., Xi'an, China
fYear
2010
fDate
16-18 April 2010
Firstpage
405
Lastpage
408
Abstract
Rootkits have become one of the major threats to computer security, yet they are hard to detect with common malware detection technologies. This paper introduces a rule-based approach to rootkit detection. It is based on the fact that a rootkit must modify some data structures of a system in order to hide itself, and these modifications necessarily lead to inconsistencies in the system. By finding such inconsistencies, we can detect the rootkit. Our approach has four main steps: (1) carefully choose data structures in different layers of the system; (2) perform the same information-calculation process using each layer's data structures in turn, and form an information space from the result of each calculation; (3) define rules as invariants over the information spaces formed in step (2); (4) if these rules hold, the system is clean; otherwise the system is probably infected by a rootkit.
Keywords
invasive software; security of data; computer security; data structure modifications; malware detection technologies; rootkit detection; rule based approach; Control systems; Data structures; Educational institutions; Geology; Hardware; Information security; Kernel; Libraries; Operating systems; Virtual machine monitors; Information Security; Rootkit;
fLanguage
English
Publisher
ieee
Conference_Titel
Information Management and Engineering (ICIME), 2010 The 2nd IEEE International Conference on
Conference_Location
Chengdu
Print_ISBN
978-1-4244-5263-7
Electronic_ISBN
978-1-4244-5265-1
Type
conf
DOI
10.1109/ICIME.2010.5478178
Filename
5478178
Link To Document