DocumentCode :
2556204
Title :
A rule-based approach for rootkit detection
Author :
Wang, Jianxiong
Author_Institution :
Coll. of Geol. Eng. & Geomatics, Chang'an Univ., Xi'an, China
fYear :
2010
fDate :
16-18 April 2010
Firstpage :
405
Lastpage :
408
Abstract :
Rootkits have become one of the major threats to computer security, and they are hard to detect with common malware detection technologies. This paper introduces a rule-based approach to rootkit detection. It is based on the fact that a rootkit must modify some data structures of a system in order to hide itself, and these modifications necessarily lead to inconsistencies in the system. By finding such inconsistencies, we can detect the rootkit. Our approach has four main steps: (1) carefully choose data structures in different layers of the system; (2) perform the same information-calculation process using each layer's data structures in turn, and form an information space from the result obtained after each calculation; (3) define rules as invariants based on the information spaces formed in step (2); (4) if these rules hold, the system is clean; otherwise the system is probably infected by a rootkit.
Keywords :
invasive software; security of data; computer security; data structure modifications; malware detection technologies; rootkit detection; rule based approach; Control systems; Data structures; Educational institutions; Geology; Hardware; Information security; Kernel; Libraries; Operating systems; Virtual machine monitors; Information Security; Rootkit;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Information Management and Engineering (ICIME), 2010 The 2nd IEEE International Conference on
Conference_Location :
Chengdu
Print_ISBN :
978-1-4244-5263-7
Electronic_ISBN :
978-1-4244-5265-1
Type :
conf
DOI :
10.1109/ICIME.2010.5478178
Filename :
5478178