One of the most elusive types of malware in recent times that pose significant challenges in the computer security system is the kernel-level rootkits. The kernel-level rootkits can hide its presence and malicious activities by modifying the kernel control flow, by hooking in the kernel space, or by manipulating the kernel objects. As kernel-level rootkits change the kernel, it is difficult for user-level security tools to detect the kernel-level rootkits. In the past few years, many approaches have been proposed to detect kernel-level rootkits. It is not much difficult for an attacker to evade the signature-based kernel-level rootkit detection system by slightly modifying the existing signature. To detect the evolving kernel-level rootkits, researchers have proposed and experimented with many detection systems. In this paper, we survey traditional kernel-level rootkit detection mechanisms in literature and propose a structured kernel-level rootkit detection taxonomy. We have discussed the strength and weaknesses or challenges of each detection approach. The prevention techniques and profiling kernel-level rootkit behavior affiliated literature are also included in this survey. The paper ends with future research directions for kernel-level rootkit detection.
翻译:最为隐晦的恶意软件之一是内核级 Rootkit,对计算机安全系统构成了重大挑战。内核级 Rootkit 可以通过修改内核控制流、钩入内核空间或操作内核对象来隐藏其存在和恶意活动。由于内核级 Rootkit 改变了内核,因此用户级安全工具很难检测到内核级 Rootkit。近年来,许多方法已被提出来检测内核级 Rootkit。攻击者通过略微修改现有的加密签名即可逃避基于签名的内核级 Rootkit 检测系统。为了检测不断发展的内核级 Rootkit,研究人员提出并试验了许多检测系统。在本文中,我们调查了传统的内核级 Rootkit 检测机制,并提出了结构化的内核级 Rootkit 检测分类法。我们讨论了每个检测方法的优点、缺点或挑战。本调查还包括防范技术和分析内核级 Rootkit 行为相关文献。本文以内核级 Rootkit 检测的未来研究方向结束。