MrKIP: Rootkit Recognition With Kernel Function Invocation Pattern

Authors: Chi-Wei Wang, Shiuhpyng Winston Shieh, Chong Kuan Chen, Chia-Wei Wang

DOI: 10.6688/JISE.2015.31.2.6

Keywords:

Abstract: Existing mechanisms that trace user-level activities such as system calls and APIs can be circumvented by kernel-level rootkits. In this paper, a novel system, MrKIP, is proposed to recognize rootkits based on their activities. Our scheme semi-automatically generates suitable locations for analysts to implement checkpoints, which are used to profile kernel-space behaviors. Then, collected samples are executed in an emulator with these checkpoints for behavior profiling. The behaviors are clustered for model construction, and the constructed models are used to recognize new variants of rootkit families. MrKIP differs from conventional tracers due to its ability to cover malware in a whole-system scope. In addition, monitoring at the kernel level raises a high barrier to evade, since all tasks eventually go through basic kernel functions.
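As an added illustration that is not the paper's code, the sketch below models one possible shape of the pipeline the abstract describes: a sample's invocation profile as the set of adjacent kernel-function pairs observed at checkpoints, single-linkage clustering of known samples into families, and nearest-cluster matching of a new trace. The traces, the function sequences in them, and the similarity threshold are constructed assumptions, not data from the paper.

```python
from itertools import combinations

# Constructed traces: the ordered kernel functions a sample hit at checkpoints.
# Sample ids and sequences are invented for illustration only.
TRACES = {
    "rk_a1": ["NtOpenProcess", "KeStackAttachProcess", "ZwAllocateVirtualMemory",
              "ZwWriteVirtualMemory", "KeUnstackDetachProcess"],
    "rk_a2": ["NtOpenProcess", "KeStackAttachProcess", "ZwAllocateVirtualMemory",
              "ZwWriteVirtualMemory", "ZwProtectVirtualMemory", "KeUnstackDetachProcess"],
    "rk_b1": ["ZwQuerySystemInformation", "ExAllocatePool", "ZwCreateFile", "ZwWriteFile", "ZwClose"],
    "rk_b2": ["ZwQuerySystemInformation", "ExAllocatePool", "ZwCreateFile", "ZwWriteFile", "ZwClose"],
}

def bigrams(trace):
    """Profile = set of order-sensitive adjacent kernel-function pairs."""
    return {(trace[i], trace[i + 1]) for i in range(len(trace) - 1)}

def jaccard(a, b):
    """Set overlap of two profiles, 0.0 when both are empty."""
    return len(a & b) / len(a | b) if (a | b) else 0.0

def cluster_profiles(profiles, threshold):
    """Single-linkage clustering via union-find: any two samples whose
    profiles overlap at or above the threshold end up in the same family."""
    parent = {name: name for name in profiles}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for x, y in combinations(profiles, 2):
        if jaccard(profiles[x], profiles[y]) >= threshold:
            parent[find(x)] = find(y)
    groups = {}
    for name in profiles:
        groups.setdefault(find(name), set()).add(name)
    return list(groups.values())

def recognize(trace, profiles, clusters, threshold):
    """Score a new trace against each family by its closest member; return
    (family, score), or (None, score) when no family is close enough."""
    prof = bigrams(trace)
    best, score = None, 0.0
    for group in clusters:
        s = max(jaccard(prof, profiles[m]) for m in group)
        if s > score:
            best, score = group, s
    return (best, score) if score >= threshold else (None, score)

PROFILES = {name: bigrams(t) for name, t in TRACES.items()}
CLUSTERS = cluster_profiles(PROFILES, threshold=0.4)
```

A real deployment would derive the profile from checkpoints placed at the kernel functions the analysts selected, and would tune the threshold on labelled families rather than the constant used here.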
