dc.description.abstract | With the accelerated growth of the Internet, it has become common practice for enterprises to outsource their data and services to cloud hosting. Virtualization technology plays a pivotal role in this process: it abstracts the underlying hardware and partitions server resources, allowing one server to serve numerous users in separate environments at the same time, which improves both the efficiency and the security of server resource utilization. However, the popularity of virtualization also introduces new security threats, particularly the harm done by rootkit malware. A rootkit is malware that hides the attacker's activity after the attacker has gained control of the system. Kernel-level rootkits are especially threatening and more difficult to detect. The extended Berkeley Packet Filter (eBPF) is particularly well suited to defending against rootkit attacks: through kprobe and tracepoint, eBPF allows users to execute custom programs before and after specific kernel functions run, and these programs can access the functions' parameters, return values, and call stacks.
To prevent kernel-level rootkit attacks, this paper proposes a Hidden Kernel Rootkit Detector (HKRD), a hidden-object detection mechanism for Linux kernel-level rootkits. During a system call, the mechanism uses eBPF to determine whether the system call has been hijacked by comparing the current system call address with a stored backup of the original address, thereby detecting rootkits hidden at the kernel level. If a hijack is detected, the original system call address is restored and the attacker is removed from the system. The mechanism also verifies the integrity of the next process and module before a context switch, and confirms that a socket still exists in the system before it transmits or receives a message, in order to counter Direct Kernel Object Manipulation (DKOM) attacks. When a DKOM attack is detected, the affected kernel object is restored to its original state and removed from the system.
The experimental results show that the average CPU utilization of the proposed HKRD architecture is 0.35%, which is 5.34 times lower than rkhunter and 23.84 times lower than HBRAD. The average memory usage is 2.66 MB, which is 3.24 times lower than rkhunter and 5.5 times lower than HBRAD. The average network throughput is 4.62 Gb/s, which is 1.01 times higher than rkhunter and 1.25 times higher than HBRAD. | en_US |