Title :
Hidden processes: the implication for intrusion detection
Author :
Butler, James ; Undercoffer, Jeffrey L. ; Pinkston, John
Author_Institution :
Dept. of Comput. Sci. & Electr. Eng., Maryland Univ., Baltimore, MD, USA
Abstract :
We introduce a novel class of intrusion: the hidden process, a type of intrusion that will not be detected by an intrusion detection system operating under the assumption that the underlying computing architecture is functioning as specified. A hidden process executes in a manner that is unobservable by many of the operating system's accounting and reporting functions. We present a mechanism to hide processes. Additionally, we show how a hidden process may communicate with an external entity by piggybacking onto a legitimate network connection. We have implemented a mechanism that detects hidden processes and make recommendations calling for the separation of critical operating system functions from more general operating system functions.
Keywords :
computer crime; message passing; network operating systems; operating system kernels; accounting function; computing architecture; hidden process detection; intrusion detection system; kernel module; legitimate network connection; operating system function; process communication; reporting function; Computer architecture; Computer crime; Internet; Intrusion detection; Kernel; Operating systems; Security; Software engineering; Software systems;
Conference_Titel :
Information Assurance Workshop, 2003. IEEE Systems, Man and Cybernetics Society
Print_ISBN :
0-7803-7808-3
DOI :
10.1109/SMCSIA.2003.1232409