Kernel rootkits detection method by monitoring branches using hardware features

Toshihiro Yamauchi, Yohei Akao

Research output: Contribution to journal › Article

1 Citation (Scopus)

Abstract

An operating system is an essential piece of software that manages hardware and software resources. Thus, attacks on an operating system kernel using kernel rootkits pose a particularly serious threat. Detecting an attack is difficult when the operating system kernel is infected with a kernel rootkit. For this reason, handling an attack will be delayed causing an increase in the amount of damage done to a computer system. In this paper, we propose Kernel Rootkits Guard (KRGuard), which is a new method to detect kernel rootkits that monitors branch records in the kernel space. Since many kernel rootkits make branches that differ from the usual branches in the kernel space, KRGuard can detect these differences by using the hardware features of commodity processors. Our evaluation shows that KRGuard can detect kernel rootkits that involve new branches in the system call handler processing with small overhead.
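As an added illustration of the detection idea the abstract describes (this is not code from the paper or from KRGuard itself), the following user-space simulation learns the branch records seen during clean system call handling and then reports any record that was never part of that baseline. The dump format, the kernel text range and every address are constructed placeholders.

```python
"""Simulation of the KRGuard idea: learn branches recorded during clean system
call handling, then flag records absent from that baseline. All addresses and
dump lines are constructed placeholders, not real kernel symbols."""
import re
from typing import Iterable, List, NamedTuple, Tuple

class Branch(NamedTuple):
    src: int  # address of the branch instruction (LBR "from")
    dst: int  # branch target (LBR "to")

KERNEL_TEXT = (0xFFFFFFFF81000000, 0xFFFFFFFF81A00000)  # constructed range
LBR_LINE = re.compile(r"from=(0x[0-9a-f]+)\s+to=(0x[0-9a-f]+)", re.I)

def parse_lbr_dump(text: str) -> List[Branch]:
    """Turn 'from=... to=...' lines (a constructed dump format) into Branches."""
    return [Branch(int(m.group(1), 16), int(m.group(2), 16))
            for m in LBR_LINE.finditer(text)]

def in_kernel_text(addr: int) -> bool:
    return KERNEL_TEXT[0] <= addr < KERNEL_TEXT[1]

def learn_baseline(traces: Iterable[List[Branch]]) -> frozenset:
    """Union of every branch observed while the kernel is known to be clean."""
    return frozenset(b for trace in traces for b in trace)

def check_trace(baseline: frozenset, trace: List[Branch]) -> List[Tuple[Branch, str]]:
    """Report each record absent from the baseline, with a coarse reason."""
    alerts = []
    for b in trace:
        if b in baseline:
            continue  # a branch the clean system call path already makes
        reason = ("target outside kernel text" if not in_kernel_text(b.dst)
                  else "unseen branch in syscall path")
        alerts.append((b, reason))
    return alerts

# Constructed clean trace: entry -> dispatcher -> handler -> return path.
CLEAN_DUMP = """from=0xffffffff81001000 to=0xffffffff81001200
from=0xffffffff81001200 to=0xffffffff81240000
from=0xffffffff81240000 to=0xffffffff81001300"""
# Constructed suspicious trace: the dispatcher detours through a module range.
SUSPECT_DUMP = """from=0xffffffff81001000 to=0xffffffff81001200
from=0xffffffff81001200 to=0xffffffffc0010000
from=0xffffffffc0010000 to=0xffffffff81240000
from=0xffffffff81240000 to=0xffffffff81001300"""
BASELINE = learn_baseline([parse_lbr_dump(CLEAN_DUMP)])
```

Legitimately loaded modules also sit outside the core kernel text, so the baseline has to be learned with the production module set loaded, otherwise the "outside kernel text" reason fires on benign module calls.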

Original language: English
Pages (from-to): 2377-2381
Number of pages: 5
Journal: IEICE Transactions on Information and Systems
Volume: E100D
Issue number: 10
DOIs: 10.1587/transinf.2016INL0003
Publication status: Published - Oct 1 2017

Keywords

  • Kernel rootkit detection
  • Last branch record
  • Operating system
  • System security

ASJC Scopus subject areas

  • Software
  • Hardware and Architecture
  • Computer Vision and Pattern Recognition
  • Electrical and Electronic Engineering
  • Artificial Intelligence

Cite this

Kernel rootkits detection method by monitoring branches using hardware features. / Yamauchi, Toshihiro; Akao, Yohei.

In: IEICE Transactions on Information and Systems, Vol. E100D, No. 10, 01.10.2017, p. 2377-2381.

Research output: Contribution to journal › Article

@article{70f80b70ded74794ab20c38237a5185b,
title = "Kernel rootkits detection method by monitoring branches using hardware features",
abstract = "An operating system is an essential piece of software that manages hardware and software resources. Thus, attacks on an operating system kernel using kernel rootkits pose a particularly serious threat. Detecting an attack is difficult when the operating system kernel is infected with a kernel rootkit. For this reason, handling an attack will be delayed causing an increase in the amount of damage done to a computer system. In this paper, we propose Kernel Rootkits Guard (KRGuard), which is a new method to detect kernel rootkits that monitors branch records in the kernel space. Since many kernel rootkits make branches that differ from the usual branches in the kernel space, KRGuard can detect these differences by using the hardware features of commodity processors. Our evaluation shows that KRGuard can detect kernel rootkits that involve new branches in the system call handler processing with small overhead.",
keywords = "Kernel rootkit detection, Last branch record, Operating system, System security",
author = "Toshihiro Yamauchi and Yohei Akao",
year = "2017",
month = "10",
day = "1",
doi = "10.1587/transinf.2016INL0003",
language = "English",
volume = "E100D",
pages = "2377--2381",
journal = "IEICE Transactions on Information and Systems",
issn = "0916-8532",
publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",
number = "10",
}

TY - JOUR

T1 - Kernel rootkits detection method by monitoring branches using hardware features

AU - Yamauchi, Toshihiro

AU - Akao, Yohei

PY - 2017/10/1

Y1 - 2017/10/1

N2 - An operating system is an essential piece of software that manages hardware and software resources. Thus, attacks on an operating system kernel using kernel rootkits pose a particularly serious threat. Detecting an attack is difficult when the operating system kernel is infected with a kernel rootkit. For this reason, handling an attack will be delayed causing an increase in the amount of damage done to a computer system. In this paper, we propose Kernel Rootkits Guard (KRGuard), which is a new method to detect kernel rootkits that monitors branch records in the kernel space. Since many kernel rootkits make branches that differ from the usual branches in the kernel space, KRGuard can detect these differences by using the hardware features of commodity processors. Our evaluation shows that KRGuard can detect kernel rootkits that involve new branches in the system call handler processing with small overhead.

AB - An operating system is an essential piece of software that manages hardware and software resources. Thus, attacks on an operating system kernel using kernel rootkits pose a particularly serious threat. Detecting an attack is difficult when the operating system kernel is infected with a kernel rootkit. For this reason, handling an attack will be delayed causing an increase in the amount of damage done to a computer system. In this paper, we propose Kernel Rootkits Guard (KRGuard), which is a new method to detect kernel rootkits that monitors branch records in the kernel space. Since many kernel rootkits make branches that differ from the usual branches in the kernel space, KRGuard can detect these differences by using the hardware features of commodity processors. Our evaluation shows that KRGuard can detect kernel rootkits that involve new branches in the system call handler processing with small overhead.

KW - Kernel rootkit detection

KW - Last branch record

KW - Operating system

KW - System security

UR - http://www.scopus.com/inward/record.url?scp=85030221594&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85030221594&partnerID=8YFLogxK

U2 - 10.1587/transinf.2016INL0003

DO - 10.1587/transinf.2016INL0003

M3 - Article

VL - E100D

SP - 2377

EP - 2381

JO - IEICE Transactions on Information and Systems

JF - IEICE Transactions on Information and Systems

SN - 0916-8532

IS - 10

ER -