dc.description.abstract | Rootkits are most often used by attackers to hide their activity. Existing
rootkit detection mechanisms mostly focus on static characteristics or on the
integrity of the system, but an attacker can obscure the system's characteristic
values in various ways, and a rapid, real-time confirmation of integrity is not
easy to achieve. This paper presents an accurate, rapid, real-time rootkit
detection mechanism, Discoverer, to enhance the system's ability to detect
rootkits. Since the attacker's network connections and running processes are the
main objects a rootkit hides, Discoverer detects rootkits by locating hidden
network connections and processes. To manage network connections and processes,
the operating system maintains a variety of data structures that record the
relevant information. An attacker can add or even modify code so that users do
not see the attacker's network connections or the processes the attacker is
running; but if the attacker achieved this by tampering with the network
connection or process-related data structures themselves, such as the run queue,
they would likely undermine the normal functioning of the system. The
information in these data structures can therefore be taken as a true reflection
of the system's state. This paper lists all the user-mode process and connection
information (as reported by tools such as ps and netstat), sends it into the
kernel through a newly added system call, and compares it item by item with the
kernel's data, thereby finding hidden process PIDs, socket connections, and the
names and paths of accessed files. The experimental results show that
Discoverer accurately detects all kinds of rootkits that we collected.
| en_US |
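The cross-view comparison described in the abstract, as an added example that is not the paper's Discoverer code: it compares the ps-style view of processes (a readdir of /proc) with a second view obtained by probing every candidate PID directly, entirely from user space rather than through Discoverer's new system call and kernel-side comparison. All function names and the pid_max fallback are my own assumptions; the live scan runs on Linux.

```python
import os
PID_MAX_FALLBACK = 32768  # assumption: used only if /proc/sys/kernel/pid_max is unreadable

def listing_view():
    """View 1: PIDs obtained by reading the /proc directory, the same source ps uses."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def probe_view(pid_max=None):
    """View 2: PIDs the kernel confirms exist when each candidate is probed directly.
    kill(pid, 0) delivers no signal; it only asks whether the target exists."""
    if pid_max is None:
        try:
            with open("/proc/sys/kernel/pid_max") as fh:
                pid_max = int(fh.read())
        except (OSError, ValueError):
            pid_max = PID_MAX_FALLBACK
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, owned by another user
        if not is_thread(pid):
            alive.add(pid)
    return alive

def is_thread(pid):
    """kill() also succeeds for thread IDs; drop tasks whose Tgid differs from Pid.
    An unreadable status file for a task the kernel says exists is kept as suspicious."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            fields = dict(line.split(":", 1) for line in fh if ":" in line)
        return fields["Tgid"].strip() != fields["Pid"].strip()
    except (OSError, KeyError):
        return False

def find_hidden(listing_before, probed, listing_after):
    """Cross-view check: a PID is reported only if the probe saw it and neither
    listing did, so processes that start or exit between views are largely not flagged."""
    return sorted(probed - listing_before - listing_after)

def scan():
    before, probed, after = listing_view(), probe_view(), listing_view()
    return find_hidden(before, probed, after)

if __name__ == "__main__":
    print("hidden PIDs:", scan() or "none")
```

A rootkit that hides a process only from the directory listing still answers the existence probe, which is the discrepancy reported; a rootkit that also hooks kill() and /proc lookups defeats this user-space variant, which is why the paper moves the comparison into the kernel.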