VMM-based Detection of Rootkits that Modify File Metadata
Abstract
Kernel-level rootkits pose an immense threat to any computer system. They operate inside the operating system kernel and manipulate crucial kernel data structures to bypass and evade anti-malware security tools. Combined with kernel-level rootkits, other malware such as bots, viruses and spyware becomes stealthy and difficult to detect. This paper focuses on typical kernel-level rootkits that falsify the contents of file systems to hide the presence of malware. We propose a software-based system that leverages virtual machine technology. Unlike traditional approaches, our system does not rely on signatures. Instead, it relies on the rootkit behavior itself, namely that file system contents are falsified: it detects a mismatch between the file system view seen by user-level processes and the view obtained from the virtual machine monitor running beneath the operating system. The experimental results demonstrate that our system successfully detects real-world kernel-level rootkits and that its overhead is reasonable.
- Paper of the Information Processing Society of Japan
- 2009-04-15
Authors
- Kenji Kono, Department of Information and Computer Science, Keio University | CREST(JST)
- Hiroshi Yamada, Keio University | CREST(JST)
- Makoto Shimamura, Keio University
Related papers
- A Strategy for Efficient Update Propagation on Peer-to-Peer Based Content Distribution Networks
- Using a Virtual Machine Monitor to Slow Down CPU Speed for Embedded Time-Sensitive Software Testing
- VMM-based Detection of Rootkits that Modify File Metadata
- Strategy for Selecting Replica Server Spots on the Basis of Demand Fluctuations
- Introducing New Resource Management Policies Using a Virtual Machine Monitor
- An Analysis of Fake Antivirus Behaviors
- Automatically Checking for Session Management Vulnerabilities in Web Applications
- Using Fault Injection to Analyze the Scope of Error Propagation in Linux
- Screening Legitimate and Fake/Crude Antivirus Software