DocumentCode
2084544
Title
Hidden processes: the implication for intrusion detection
Author
Butler, James ; Undercoffer, Jeffrey L. ; Pinkston, John
Author_Institution
Dept. of Comput. Sci. & Electr. Eng., Maryland Univ., Baltimore, MD, USA
fYear
2003
fDate
18-20 June 2003
Firstpage
116
Lastpage
121
Abstract
We introduce a novel class of intrusion: the hidden process, a type of intrusion that will not be detected by an intrusion detection system operating under the assumption that the underlying computing architecture is functioning as specified. A hidden process executes in a manner that is unobservable by many of the operating system's accounting and reporting functions. We present a mechanism to hide processes. Additionally, we show how a hidden process may communicate with an external entity by piggybacking onto a legitimate network connection. We have implemented a mechanism that detects hidden processes and make recommendations calling for the separation of critical operating system functions from more general operating system functions.
Keywords
computer crime; message passing; network operating systems; operating system kernels; accounting function; computing architecture; hidden process detection; intrusion detection system; kernel module; legitimate network connection; operating system function; process communication; reporting function; Computer architecture; Computer crime; Internet; Intrusion detection; Kernel; Operating systems; Security; Software engineering; Software systems;
fLanguage
English
Publisher
ieee
Conference_Titel
Information Assurance Workshop, 2003. IEEE Systems, Man and Cybernetics Society
Print_ISBN
0-7803-7808-3
Type
conf
DOI
10.1109/SMCSIA.2003.1232409
Filename
1232409