  • DocumentCode
    2589834
  • Title
    Identifying Rootkit Infections Using Data Mining
  • Author
    Lobo, Desmond ; Watters, Paul ; Wu, Xin-Wen
  • Author_Institution
    Internet Commerce Security Lab., Univ. of Ballarat, Ballarat, VIC, Australia
  • fYear
    2010
  • fDate
    21-23 April 2010
  • Firstpage
    1
  • Lastpage
    7
  • Abstract
    Rootkits refer to software that is used to hide the presence and activity of malware and permit an attacker to take control of a computer system. In our previous work, we focused strictly on identifying rootkits that use inline function hooking techniques to remain hidden. In this paper, we extend our previous work by including rootkits that use other types of hooking techniques, such as those that hook the IATs (Import Address Tables) and SSDTs (System Service Descriptor Tables). Unlike other malware identification techniques, our approach involved conducting dynamic analyses of various rootkits and then determining the family of each rootkit based on the hooks that had been created on the system. We demonstrated the effectiveness of this approach by first using the CLOPE (Clustering with sLOPE) algorithm to cluster a sample of rootkits into several families; next, the ID3 (Iterative Dichotomiser 3) algorithm was utilized to generate a decision tree for identifying the rootkit that had infected a machine.
  • Keywords
    data mining; invasive software; CLOPE algorithm; ID3 algorithm; rootkit infections; data mining; import address tables; inline function hooking techniques; iterative dichotomiser 3; malware identification techniques; system service descriptor tables; Business; Clustering algorithms; Computer security; Control systems; Data mining; Data security; Information security; Internet; Iterative algorithms; Laboratories
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Title
    Information Science and Applications (ICISA), 2010 International Conference on
  • Conference_Location
    Seoul
  • Print_ISBN
    978-1-4244-5941-4
  • Electronic_ISBN
    978-1-4244-5943-8
  • Type
    conf
  • DOI
    10.1109/ICISA.2010.5480359
  • Filename
    5480359