• DocumentCode
    2840360
  • Title
    A methodology to detect and characterize Kernel level rootkit exploits involving redirection of the system call table
  • Author
    Levine, John ; Grizzard, Julian ; Owen, Henry
  • Author_Institution
    Sch. of Electr. & Comput. Eng., Georgia Inst. of Technol., Atlanta, GA, USA
  • fYear
    2004
  • fDate
    8-9 April 2004
  • Firstpage
    107
  • Lastpage
    125
  • Abstract
There is no standardized methodology at present to characterize rootkits that compromise the security of computer systems. The ability to characterize rootkits will provide system administrators with information so that they can take the best possible recovery actions, and may also help to detect additional instances and prevent further installation of the rootkit, allowing the security community to react faster to new rootkit exploits. There are limited capabilities at present to detect rootkits, but in most cases these capabilities only indicate that a system is infected without identifying the specific rootkit. We propose a mathematical framework for classifying rootkit exploits as existing, modifications to existing, or entirely new. An in-depth analysis of a particular type of kernel rootkit is conducted in order to develop a characterization. As a result of this characterization and analysis, we propose some new methods to detect this particular class of rootkit exploit.
  • Keywords
    Unix; invasive software; operating system kernels; system recovery; Kernel level rootkit exploit detection; computer system security; system administrator; system call table redirection; system recovery; Computer crime; Computer hacking; Computer security; Information security; Internet; Intrusion detection; Joining processes; Kernel; Linux; Web server;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Information Assurance Workshop, 2004. Proceedings. Second IEEE International
  • Print_ISBN
    0-7695-2117-7
• Type
    conf
  • DOI
    10.1109/IWIA.2004.1288042
  • Filename
    1288042