Abstract (English)
Rootkits are most often used by attackers to hide their activity. Existing rootkit detection mechanisms mostly rely on static characteristics or on checking the integrity of the system, but an attacker can disguise the system's characteristic values in various ways, and rapid, real-time integrity verification is not easy to achieve. This paper presents an accurate, rapid, real-time rootkit detection mechanism, Discoverer, to strengthen the system's ability to detect rootkits. Since the attacker's network connections and running processes are the main objects a rootkit hides, Discoverer detects rootkits by locating hidden network connections and processes.

To manage network connections and processes, the operating system keeps a variety of data structures that record the relevant information. An attacker can add or even modify code so that users cannot see the attacker's network connections or the processes the attacker is running. However, if the attacker achieves this by tampering with the data structures related to network connections and processes, such as the run queue, the normal operation of the system is likely to be disrupted, so the information in these data structures truly reflects the state of the system. This paper therefore lists all the process and connection information visible in user mode (for example, from ps and netstat), passes it into the kernel through a newly added system call, and compares it one by one with the kernel's own data, thereby finding the hidden process PIDs, socket connections, and the names and paths of the files being accessed. The experimental results show that Discoverer can accurately detect all the kinds of rootkits we collected.
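The comparison step the abstract describes is a cross-view check: a user-mode listing (ps, netstat) is set against what the kernel's own task list and socket tables contain, and anything present in the kernel view but missing from the user view is a hiding candidate. The following is an added example written for this page, not Discoverer's code; it simplifies the thesis's design by doing the comparison in user space over constructed records. The ps- and netstat-style text and the kernel-side records (the assumed output of a kernel walk such as the thesis's added system call) are all constructed sample data, and the hidden PID, executable path and connection in them are made up for the demonstration.

```python
"""Cross-view hidden process / socket detection (added example, not Discoverer's code).

User-mode view: parsed from constructed `ps -eo pid,comm` and `netstat -tnp` text.
Kernel view: constructed records standing in for what a kernel-side walk of the
task list and socket tables would return (the thesis obtains this inside the
kernel via a new system call; here it is simulated as plain Python data).
"""

# Constructed sample of `ps -eo pid,comm` output as seen from user mode.
PS_OUTPUT = """\
  PID COMMAND
    1 init
  742 sshd
  901 bash
 1203 httpd
"""

# Constructed sample of `netstat -tnp` output as seen from user mode.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:22           198.51.100.7:51022      ESTABLISHED 742/sshd
tcp        0      0 192.0.2.10:80           198.51.100.9:40112      ESTABLISHED 1203/httpd
"""

# Constructed kernel view. PID 1337 and its connection are the sample "hidden" items.
KERNEL_TASKS = [
    {"pid": 1, "comm": "init", "exe": "/sbin/init"},
    {"pid": 742, "comm": "sshd", "exe": "/usr/sbin/sshd"},
    {"pid": 901, "comm": "bash", "exe": "/bin/bash"},
    {"pid": 1203, "comm": "httpd", "exe": "/usr/sbin/httpd"},
    {"pid": 1337, "comm": "sh", "exe": "/tmp/.x/bd"},  # absent from PS_OUTPUT (constructed)
]
KERNEL_SOCKETS = [
    {"proto": "tcp", "local": "192.0.2.10:22", "remote": "198.51.100.7:51022", "state": "ESTABLISHED", "pid": 742},
    {"proto": "tcp", "local": "192.0.2.10:80", "remote": "198.51.100.9:40112", "state": "ESTABLISHED", "pid": 1203},
    {"proto": "tcp", "local": "192.0.2.10:4444", "remote": "203.0.113.5:55001", "state": "ESTABLISHED", "pid": 1337},
]


def parse_ps(text):
    """Map pid -> command name from ps-style output; the header line is skipped."""
    pids = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            pids[int(parts[0])] = parts[1].strip()
    return pids


def parse_netstat(text):
    """Set of (proto, local, remote) tuples from netstat-style output; non-socket lines are ignored."""
    conns = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0] in ("tcp", "tcp6", "udp", "udp6"):
            conns.add((f[0], f[3], f[4]))
    return conns


def cross_view(user_pids, user_conns, kernel_tasks, kernel_sockets):
    """Compare the user-mode view with the kernel view.

    Returns hidden processes (in kernel, not in ps), hidden sockets (in kernel,
    not in netstat, annotated with the owning task if the kernel knows it) and
    PIDs only the user view reported. The last group is usually a process that
    exited between the two snapshots, not a rootkit, so it is reported
    separately instead of being treated as an alert.
    """
    by_pid = {t["pid"]: t for t in kernel_tasks}
    hidden_procs = [
        {"pid": t["pid"], "comm": t["comm"], "exe": t["exe"]}
        for t in kernel_tasks if t["pid"] not in user_pids
    ]
    hidden_socks = []
    for s in kernel_sockets:
        if (s["proto"], s["local"], s["remote"]) not in user_conns:
            owner = by_pid.get(s["pid"], {})
            hidden_socks.append({**s, "comm": owner.get("comm", "?"), "exe": owner.get("exe", "?")})
    user_only = sorted(p for p in user_pids if p not in by_pid)
    return {
        "hidden_processes": sorted(hidden_procs, key=lambda p: p["pid"]),
        "hidden_sockets": hidden_socks,
        "user_only_pids": user_only,
    }


def run_example():
    """Run the cross-view check over the constructed sample data."""
    return cross_view(parse_ps(PS_OUTPUT), parse_netstat(NETSTAT_OUTPUT), KERNEL_TASKS, KERNEL_SOCKETS)


if __name__ == "__main__":
    report = run_example()
    for p in report["hidden_processes"]:
        print(f"hidden process pid={p['pid']} comm={p['comm']} exe={p['exe']}")
    for s in report["hidden_sockets"]:
        print(f"hidden socket {s['proto']} {s['local']} -> {s['remote']} ({s['state']}) owner pid={s['pid']} exe={s['exe']}")
    if report["user_only_pids"]:
        print("seen only by user mode (likely exited between snapshots):", report["user_only_pids"])
```

The check is only as trustworthy as the kernel-side snapshot: the value of the thesis's design is that the kernel view comes from the task list and socket tables that the system itself must keep correct to function, and that both views are compared inside the kernel rather than, as here, in a user process a rootkit could also tamper with. Taking the two snapshots at slightly different times produces the "user only" group, which is why it is reported as a separate, lower-severity category.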
References
[1] Rootkit, http://zh.wikipedia.org/wiki/Rootkit.
[2] Anton Chuvakin, "An Overview of Unix Rootkits", iDefense, February 2003.
[3] James Butler, Jeffrey L. Undercoffer and John Pinkston, "Hidden Processes: The Implication for Intrusion Detection", in Proceedings of the IEEE Information Assurance Workshop, June 2003.
[4] Nick L. Petroni, Jr., Timothy Fraser, Jesus Molina and William A. Arbaugh, "Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor", in Proceedings of the 13th USENIX Security Symposium, August 2004.
[5] Suckit, http://www.phrack.org/issues.html?id=7&issue=58
[6] "The Linux Kernel Module Programming Guide", http://tldp.org/LDP/lkmpg/2.6/html/
[7] Ashwin Ramaswamy, "Detecting Kernel Rootkits", September 2008.
[8] Ashwin Ramaswamy, "Autoscopy: Detecting Pattern-Searching Rootkits via Control Flow Tracing", May 2009.
[9] Andreas Bierfert, "Advanced Exploitation Techniques: kernel backdooring on i386 and amd64 via /dev/mem", February 2007.
[10] Anthony Lineberry, "Malicious Code Injection via /dev/mem", in BlackHat Europe, March 27, 2009.
[11] J. Levine, B. Grizzard and H. Owen, "Detecting and Categorizing Kernel-Level Rootkits to Aid Future Detection", IEEE Security & Privacy, Volume 4, Issue 1, pages 24-32, February 2006.
[12] Doug Wampler and James Graham, "A Method for Detecting Linux Kernel Module Rootkits", Advances in Digital Forensics III, IFIP International Conference on Digital Forensics, Volume 242, pages 107-116, January 2007.
[13] J. G. Levine, J. B. Grizzard, P. W. Hutto and H. L. Owen, "A Methodology to Characterize Kernel Level Rootkit Exploits that Overwrite the System Call Table", in Proceedings of the IEEE SoutheastCon, pages 25-31, March 2004.
[14] Jamie Butler, "VICE - Catch the hookers!", in BlackHat USA, 2004.
[15] Evan Cooke, Farnam Jahanian and Danny McPherson, "The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets", in Proceedings of USENIX SRUTI '05, 2005.
[16] H. E. Decloedt and R. van Heerden, "Rootkits, Trojans, Backdoors and New Developments", CSIR Research Space, October 2010.
[17] J. Scambray, S. McClure and G. Kurtz, Hacking Exposed: Network Security Secrets and Solutions, 2nd edition, McGraw-Hill, 2001.
[18] Nick L. Petroni, Jr., Timothy Fraser, AAron Walters and William A. Arbaugh, "An Architecture for Specification-Based Detection of Semantic Integrity Violations in Kernel Dynamic Data", in Proceedings of the 15th USENIX Security Symposium, 2006.
[19] Nick L. Petroni, Jr. and Michael Hicks, "Automated Detection of Persistent Kernel Control-Flow Attacks", in Proceedings of the ACM Conference on Computer and Communications Security, pages 103-115, October 2007.
[20] Sebastian's method, http://www.ouah.org/Rootkitsfaq.txt.
[21] Unhide, http://www.unhide-forensics.info/index.php
[22] Samuel T. King, Z. Morley Mao, Dominic G. Lucchetti and Peter M. Chen, "Enriching Intrusion Alerts through Multi-Host Causality", in NDSS '05, San Diego, CA, February 2005.
[23] Daniel P. Bovet and Marco Cesati, Understanding the Linux Kernel, 3rd edition, O'Reilly, 2005.
[24] Sshdoor, http://www.hacker.org/forum/viewtopic.php?p=14350&sid=314da026f6f4ebfbd5a39e054d0007d6
[25] Nx_back, http://packetstormsecurity.org/UNIX/penetration/Rootkits/nx_back.c
[26] KBeast, http://ipsecs.com/web/?p=277
[27] Trixd00r, http://packetstormsecurity.org/files/109567/trixd00r-0.0.1.html
[28] Jynx2, http://www.blackhatlibrary.net/Jynx_Rootkit/2.0