Title: Rootkit detection on virtual machines through deep information extraction at hypervisor-level
Abstract
As a special type of stealth attack, a rootkit hides its existence from malware detection and maintains continued privileged access to a computer system. The proliferation of virtualization creates a new technique for the detection of such attacks. In this paper, we propose a rootkit detection mechanism for virtual machines based on deep information extraction and reconstruction at the hypervisor level. By accessing important components of a VM such as the kernel symbol table, the hypervisor can reconstruct the VM's execution states and learn essential information such as the running processes, active network connections, and opened files. Through cross-verification among the different components of the reconstructed execution states of the VM, we can detect both hidden information and anomalous connections among them. We implement our approach in Xen 4.1 with Linux VMs. Our experiments show that the hypervisor can efficiently reconstruct the semantic view of a VM's memory and identify the rootkits. Since the hypervisor accesses only the high-level data structures, it has very limited impact on the performance of the VM.
Year: 2013
DOI: 10.1109/CNS.2013.6682767
Venue: CNS
Keywords: hypervisor level, rootkit detection, invasive software, virtualization, malware detection, virtual machines, kernel symbol table, vm components, linux, virtualisation, deep information reconstruction, stealth attacks detection, linux vm, deep information extraction, xen 4.1
Field: Virtualization, Virtual machine, Hardware virtualization, Storage hypervisor, Computer security, Computer science, Rootkit, Hypervisor, Malware, Symbol table, Operating system, Embedded system
DocType: Conference
ISSN: 2474-025X
Citations: 5
PageRank: 0.41
References: 13
Authors: 2

Authors (Name / Order / Citations / PageRank)
Xiongwei Xie / 1 / 5 / 1.09
Weichao Wang / 2 / 500 / 33.87