Paper Info
Title
KVM-based Detection of Rootkit Attacks
Abstract
The kernel-level Root kit brings operating system mortal security risk. The existing detection methods, which are based on host environment, have limitations such as high Root kit privileges, weak isolation capacity. If the detected system, which may includes Root kit, and the detection system are resided on guest and host environment respectively, those limitations can be resolved. The paper proposed a method of Root kit detection based on KVM (Kernel-based Virtual Machine) by using virtualization technology. This method adopts guest memory protection mechanism, which is based on protection of host page tables and trusted code segments, for static kernel code and data. As for dynamically allocated code and data in heap space, this method introduces integrity checking mechanism, which is based on threshold triggering of calling sequences of monitored functions. The experimental results showed that this method can prevent static code or data from Root kit attacking effectively, and also detect attacks to dynamically allocated code or data quickly.
Year
DOI
Venue
2011
10.1109/INCoS.2011.111
INCoS
Keywords
Field
DocType
kvm-based detection,static kernel code,code segment,host environment,existing detection method,root kit,detection system,rootkit attacks,high root kit privilege,root kit detection,static code,kernel-level root kit,semantics,data structures,virtual machine,kernel,virtual machines,virtualization,linux,operating system,data structure,instruction sets
Memory protection,Virtualization,Data structure,Virtual machine,Instruction set,Computer science,Rootkit,Page table,Computer network,Heap (data structure),Operating system,Embedded system
Conference
Citations 
PageRank 
References 
0
0.34
1
Authors
6
Name
Order
Citations
PageRank
Xingjun Zhang18134.06
Endong Wang275.62
Long Xin300.34
Zhongyuan Wu400.34
Weiqing Dong5232.80
Xiaoshe Dong617251.44