CHEN Liyue,SUN Xin,CHENG Tiansheng,WU Chunming,CHEN Shuangxi

DOI: https://doi.org/10.11959/j.issn.1000-0801.2020142

2020-01-01

Abstract:Rootkit is a set of persistent and undetectable attack technologies,which can hide their attack behavior and backdoor trace by modifying software or kernel in operating system and changing execution path of instruction.Firstly,the basic definition and evolution of Rootkit were introduced,then the operating principle,current mainstream technology and detection methods of Rootkit were discussed.Then,through comparative experiments on performance and security,the application of mimic defense system was described for Web based on dynamic,heterogeneous,redundant structure under Trojan Horse attack.Experiments show that mimic defense system can effectively defend against Trojan Horse in tests in the premise of low overhead.At last,the opportunities and challenges of the DHR system were summarized.

Chien-Ming Chen,Mu-En Wu,Bing-Zhe He,Xinying Zheng,Chieh Hsing,Hung-Min Sun

DOI: https://doi.org/10.1007/978-3-319-06320-1_10

2014-01-01

Abstract:It is easy to discover if there are hooks in the System Service Dispatch Table (SSDT). However, it is difficult to tell whether theses hooks are malicious or not after finding out the hooks in the SSDT. In this paper, we propose a scheme that evaluates the hooks by comparing the returned results before hooking and after hooking. If a malicious hook which hides itself by the way of modifying the parameters passed to the Native API, we can easily detect the difference. Furthermore, we use a runtime detour patching technique so that it will not perturb the normal operation of user-mode programs. Finally, we focus on the existing approaches of rootkits detection in both user-mode and kernel-mode. Our method effectively monitors the behavior of hooks and brings an accurate view point for users to examine their computers.

杨彦,黄皓

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.12.053

2008-01-01

Abstract:Rootkit is a program set which malicious software uses to conceal itself and other specific resources and actions.This paper analyzes and researches on the concealment technologies which representative rootkits on Windows platform commonly use,and classifies them into two categories: modifying kernel object data structures and changing execution paths.The technical principles are described and compared in detail.The future development directions are discussed.

JIANG Hui,YANG Feng,DUAN Hai-xin

DOI: https://doi.org/10.3969/j.issn.1000-1220.2012.05.016

2012-01-01

Abstract:In recent years,the purpose of malicious code is changing to economic benefit instead of making damage and gain fame and glory.The malicious authors put more efforts to hide their malware.Rootkit has the characteristics of strong hidden ability and high privilege.So it is a serious threat of host security.As Hardware Virtualization Technology comes out,Rootkit extends to the outside of operating system and presents new challenges to detection technology.This paper,makes a summary of Rootkit hiding and detection technology these years,analysis the problem them facing and discusses the trends of Rootkit detection technology.

Xueluan Gong,Yanjiao Chen,Huayang Huang,Weihan Kong,Ziyao Wang,Chao Shen,Qian Wang

DOI: https://doi.org/10.1109/tdsc.2023.3286842

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Deep neural networks are vulnerable to backdoor attacks, where a specially-designed trigger will lead to misclassification of any benign samples. However, existing backdoor attacks usually impose conspicuous patch triggers on images, which are easily detected by humans and defense algorithms. Existing works on invisible triggers, however, either have reduced attack success rate or yield detectable patterns to visual inspections. In this article, we propose KerbNet, a kernel-based backdoor attack framework, which applies kernel operations to clean samples as the trigger to incur misclassification. The kernel-processed samples achieve a high attack success rate while appearing natural with high Quality-of-Experience (QoE). We carefully design the kernel trigger generation algorithm by exploiting the neural network structure to propagate the influence of the trigger to the target misclassification label under the QoE constraint. We conduct extensive experiments on five datasets, i.e., MNIST, GTSRB, CIFAR-10, CelebA, and ImageNette to evaluate the effectiveness and practicality of KerbNet under the impact of various factors, including neuron-residing layer, kernel size, base image, loss function, model structure, and so on. We also show that our proposed attacks can evade state-of-the-art defense strategies and visual inspections. Code will be available after publication.

Yongqiang Zhang,Hai Bi

DOI: https://doi.org/10.1109/ncis.2011.62

2011-01-01

Abstract:Aiming at the principles how root kit malicious action by hooking System Service Dispatch Table and utilizing inline function patching, this paper presents a method of integrity detection and restoration based on kernel file, which is proved to ensure correct implementation of the kernel function.

Mohammad Nadim,Wonjun Lee,David Akopian

2023-04-02

Abstract:One of the most elusive types of malware in recent times that pose significant challenges in the computer security system is the kernel-level rootkits. The kernel-level rootkits can hide its presence and malicious activities by modifying the kernel control flow, by hooking in the kernel space, or by manipulating the kernel objects. As kernel-level rootkits change the kernel, it is difficult for user-level security tools to detect the kernel-level rootkits. In the past few years, many approaches have been proposed to detect kernel-level rootkits. It is not much difficult for an attacker to evade the signature-based kernel-level rootkit detection system by slightly modifying the existing signature. To detect the evolving kernel-level rootkits, researchers have proposed and experimented with many detection systems. In this paper, we survey traditional kernel-level rootkit detection mechanisms in literature and propose a structured kernel-level rootkit detection taxonomy. We have discussed the strength and weaknesses or challenges of each detection approach. The prevention techniques and profiling kernel-level rootkit behavior affiliated literature are also included in this survey. The paper ends with future research directions for kernel-level rootkit detection.

Cryptography and Security

HE Jin,FAN Ming-yu,WANG Guang-wei

DOI: https://doi.org/10.3969/j.issn.1001-0548.2014.04.020

2014-01-01

Abstract:Kernel-level rootkits pose a fatal threat to kernel integrity, so kernel-level rootkits detection and protection has become a hot topic. However, there are some drawbacks in these existing efforts:either focusing on rootkits protection, or focusing on rootkits detection, without the combination of both to ensure kernel integrity. In view of this situation, this paper designs a complete automatic interactive mechanism based on the detection and protection of kernel-level rootkits, thus forming an integrated detection and protection system (ADPos) to guarantee kernel integrity. The experiments show that the ADPos system can not only automatically detect and protect kernel integrity, but also does not sacrifice the system performance for the price. Moreover, the system is compatible with a variety of OS systems and against zero-day attacks.

Yan Qin,Weiping Wang,Shigeng Zhang,Kai Chen

DOI: https://doi.org/10.1109/tifs.2021.3080082

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The exploit kits (EKs) are used by attackers to distribute malware automatically and silently. Existing approaches to EKs detection usually need to perform dynamic analysis on the content contained in the network traffic, which requires dumping all the network traffic and thus causes high detection overhead. Although some approaches detect EKs based on static analysis, they usually fail to restore the complete attack path because of the obstruction set by the attackers. In this paper, we propose an approach that can detect EKs based on only information extracted by static analysis. Our method builds a graph for web sessions and extracts features from the graph to perform EKs detection. The built graph catches important structural characteristics of the interaction during EK attacks that were not revealed in existing methods, with which EKs can be detected with high accuracy. The experiments show that our method works well in both the ground-truth datasets and the latest practical cases. Our method can also identify the malicious websites concealed in EKs, which can further improve the efficiency of analysis.

computer science, theory & methods,engineering, electrical & electronic

Christoph Dorner,Lukas Daniel Klausner

DOI: https://doi.org/10.1145/3664476.3670433

2024-08-01

Abstract:Addressing a critical aspect of cybersecurity in online gaming, this paper systematically evaluates the extent to which kernel-level anti-cheat systems mirror the properties of rootkits, highlighting the importance of distinguishing between protective and potentially invasive software. After establishing a definition for rootkits (making distinctions between rootkits and simple kernel-level applications) and defining metrics to evaluate such software, we introduce four widespread kernel-level anti-cheat solutions. We lay out the inner workings of these types of software, assess them according to our previously established definitions, and discuss ethical considerations and the possible privacy infringements introduced by such programs. Our analysis shows two of the four anti-cheat solutions exhibiting rootkit-like behaviour, threatening the privacy and the integrity of the system. This paper thus provides crucial insights for researchers and developers in the field of gaming security and software engineering, highlighting the need for informed development practices that carefully consider the intersection of effective anti-cheat mechanisms and user privacy.

Cryptography and Security,Computers and Society

Tao ZHANG,Ying-nan JIAO,Li-jie LU,Wei-ping WEN

DOI: https://doi.org/10.3969/j.issn.1671-1122.2014.02.008

2014-01-01

Abstract:The study of suspicious sample collection system with the rule-based scanning and procedures behavior analysis based on Windows kernel driver will greatly enhance the comprehensiveness and accuracy of sample collection, and it has important signiifcance to accelerate the discovery of the virus and the virus database updates. Firstly, this paper analyzes the architecture of Windows operating system and then gives the overall system architecture of the suspicious sample collection system based on Windows kernel drivers. Finally, according to the system architecture, the paper detailed designs and implements of each module, and gives examples and the results of a test. The experiment shows that the system is capable of accurately and efifciently collect samples of suspicious information.

Yang Zhao,Zeng Qingkai

DOI: https://doi.org/10.3969/j.issn.1000-386x.2013.04.001

2013-01-01

Abstract:This paper proposes a method to automatically detect anti-analysis malware.This approach records the traces of system calls and instructions executed by malware across four different analysis platform based on two monitoring and recording technologies.At first,the system call traces are compared.If a deviation exists,further comparison on instruction traces is needed to determine whether the root cause is anti-analysis or not.Experimental results have demonstrated that the approach can detect varies of analysis evasion technology.

Mohammad Sina Karvandi,Soroush Meghdadizanjani,Sima Arasteh,Saleh Khalaj Monfared,Mohammad K. Fallah,Saeid Gorgin,Jeong-A Lee,Erik van der Kouwe

2024-05-01

Abstract:Existing anti-malware software and reverse engineering toolkits struggle with stealthy sub-OS rootkits due to limitations of run-time kernel-level monitoring. A malicious kernel-level driver can bypass OS-level anti-virus mechanisms easily. Although static analysis of such malware is possible, obfuscation and packing techniques complicate offline analysis. Moreover, current dynamic analyzers suffer from virtualization performance overhead and create detectable traces that allow modern malware to evade them.

Cryptography and Security

周瑞丽,潘剑锋,谭小彬,奚宏生

DOI: https://doi.org/10.3969/j.issn.1009-8054.2009.09.037

2009-01-01

Abstract:Traditional signature-based malware detection method is not able to detect zero-day attacks and some malwares adopting circumvention techniques such as packer. In order to overcome this drawback, this paper proposes a heuristic detection technique based on expert systems. The technique could detect malwares using known techniques, even bottom-level techniques, for example, the rootkit technique. It also can detect those malwares even after they are packed or crypto-protected by any packer or protector. And its detection rate is much higher than some well-known anti-virus tools.

YIN Liang,WEN Wei-Ping

DOI: https://doi.org/10.3969/j.issn.1671-1122.2011.07.009

2011-01-01

Abstract:Windows records some information in memory,for the purpose of managing objects like process,thread,driver,and reporting the status to user.Because the information is in memory,we can modify it.This paper will show some structs and lists that Windows 7 SP1 created,and introduce some methods to protect and hide processes and drivers.

HE Jin,FAN Ming-yu,WANG Guang-wei

DOI: https://doi.org/10.3969/j.issn.1001-0548.2015.06.017

2015-01-01

Abstract:Kernel-level rootkits attacks pose a deadly threat to kernel integrity, and kernel rootkits is currently a research focus, primarily focused on kernel-level rootkits detection and rootkits protection. However, these studies are always flawed: the rootkits protection presents a single protected mode; kernel-level rootkits detection can only do the detection use, even if the kernel has been found to be attacked, there is no method to solve. Give this situation, we design a two-mode protection operation system (TWPos), this is, a kernel-level integrity protection method along with detection and protection capability, even if the kernel is already under attack, TWPos also recoveries kernel integrity. The experiments show that TWPos is a comprehensive and effective protection system without sacrificing system performance for the price, and is compatible with a variety of OS systems.

Yan Chen,Zhichun Li

2009-01-01

Abstract:In this thesis, I propose and develop a network-based attack defense system, RAIDM. I focus on network based defense because of the following reasons: (i) network gateways/routers are the vantage points for detecting large scale attacks; (ii) only host based detection/prevention is not enough for modern networks. RAIDM has four components: sketch-based monitoring and detection, polymorphic worm signature generation, signature matching engines and network situational awareness.The first module is sketch-based monitoring and detection. In this thesis, leveraging data streaming techniques such as reversible sketch, we design HiFIND [1], a High-speed Flow-level Intrusion Detection system. We also propose a two-dimensional sketch for attack differentiation. HiFIND (i) is scalable to flow-level detection on high-speed networks; (ii) is DoS resilient; (iii) can distinguish SYN flooding and various port scans (mostly for worm propagation) for effective mitigation; (iv) enables aggregate detection over multiple routers/gateways; and (v) separates anomalies to limit false positives in detection. Both theoretical analysis and evaluation with several router traces show that HiFIND achieves these properties. To the best of our knowledge, HiFIND is the first online DoS resilient flow-level intrusion detection system for high-speed networks (e.g. OC192), even for the worst case traffic of 40-byte-packet streams with each packet forming a flow.The second module is polymorphic worm signature generation. Recently, worms and remote exploits sent by botnets have become the major tools for launching Internet attacks. It is critical to quickly generate signatures in response to those fast propagating threats. To this end, I have developed two types of automated worm signature generation approaches (token-based signature generator and length based signature generator) with different information availability requirement and underlying assumptions. Beside token based signature generator, we design a network-based Length-based Signature Generator (LESG) for worms exploiting buffer overflow vulnerabilities. We further prove the attack resilience bounds even under the worst case attacks with deliberate noise injection. Moreover, LESG is fast and noise-tolerant and has efficient signature matching.The third module is signature matching engines. In this thesis, we design NetShield, a vulnerability signature based NIDS/NIPS which achieves high throughput comparable to that of the state-of-the-art regex-based systems while offering much better accuracy. This is accomplished because of the following contributions: (i) we propose a candidate selection algorithm that efficiently matches thousands of vulnerability signatures simultaneously using a small amount of memory; (ii) we propose a parsing transition state machine that achieves fast protocol parsing; (iii) we implement the NetShield prototype, including rewriting the ruleset of Snort to vulnerability signatures. Experimental results show that the core engine of NetShield achieves 1.9Gbps signature matching throughput for 794 HTTP vulnerability signatures on a 3.8GHz PC.Finally, the fourth module is network situational awareness for botnet probings. Botnets dominate today's attack landscape. In this thesis, we investigate ways to analyze collections of malicious probing traffic in order to understand the significance of large-scale "botnet probes". In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop methodologies by which sites receiving such probes can infer—using purely local observation—information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminant attack? Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties such as trend, uniformity, coordination and darknet avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. (Abstract shortened by UMI.)

Xiao Wang,Jian Biao Zhang,Ai Zhang,Jin Chang Ren

DOI: https://doi.org/10.3934/mbe.2019132

2019-03-26

Abstract:The promotion of cloud computing makes the virtual machine (VM) increasingly a target of malware attacks in cybersecurity such as those by kernel rootkits. Memory forensic, which observes the malicious tracks from the memory aspect, is a useful way for malware detection. In this paper, we propose a novel TKRD method to automatically detect kernel rootkits in VMs from private cloud, by combining VM memory forensic analysis with bio-inspired machine learning technology. Malicious features are extracted from the memory dumps of the VM through memory forensic analysis method. Based on these features, various machine learning classifiers are trained including Decision tree, Rule based classifiers, Bayesian and Support vector machines (SVM). The experiment results show that the Random Forest classifier has the best performance which can effectively detect unknown kernel rootkits with an Accuracy of 0.986 and an AUC value (the area under the receiver operating characteristic curve) of 0.998.

Hao Huang

2010-01-01

Abstract:An anti-illegal connection system is designed based on analyzing the related anti-illegal connection technologies.The system uses authentication and strategy to ensure the credibility of the communcate object and uses SNMP-based network topology discovery algorithm to guarantee timely detection of intranet connected host which is not installed client, and then combines with the device control and kernel monitoring technology to ensure the implementation of the security.Finally, illegal connections are avoided.

Mordechai Guri,Yuri Poliak,Bracha Shapira,Yuval Elovici

DOI: https://doi.org/10.48550/arXiv.1512.04116

2015-12-13

Cryptography and Security

Abstract:Smartphones and tablets have become prime targets for malware, due to the valuable private and corporate information they hold. While Anti-Virus (AV) program may successfully detect malicious applications (apps), they remain ineffective against low-level rootkits that evade detection mechanisms by masking their own presence. Furthermore, any detection mechanism run on the same physical device as the monitored OS can be compromised via application, kernel or boot-loader vulnerabilities. Consequentially, trusted detection of kernel rootkits in mobile devices is a challenging task in practice. In this paper we present JoKER - a system which aims at detecting rootkits in the Android kernel by utilizing the hardware's Joint Test Action Group (JTAG) interface for trusted memory forensics. Our framework consists of components that extract areas of a kernel's memory and reconstruct it for further analysis. We present the overall architecture along with its implementation, and demonstrate that the system can successfully detect the presence of stealthy rootkits in the kernel. The results show that although JTAG's main purpose is system testing, it can also be used for malware detection where traditional methods fail.