KRGuard: Kernel Rootkits Detection Method by Monitoring Branches Using Hardware Features

Yohei Akao; Toshihiro Yamauchi

doi:10.1109/ICISSEC.2016.7885860

KRGuard: Kernel Rootkits Detection Method by Monitoring Branches Using Hardware Features

Yohei Akao, Toshihiro Yamauchi

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

3 Citations (Scopus)

Abstract

Attacks on an operating system kernel using kernel rootkits pose a particularly serious threat. Detecting an attack is difficult when the operating system kernel is infected with a kernel rootkit. For this reason, handling an attack will be delayed causing an increase in the amount of damage done to a computer system. In this paper, we discuss KRGuard (Kernel Rootkits Guard), which is a new method to detect kernel rootkits that monitors branch records in the kernel space. Since many kernel rootkits make branches that differ from the usual branches in the kernel space, KRGuard can detect these differences by using hardware features of commodity processors. Our evaluation shows that KRGuard can detect kernel rootkits with small overhead.

Original language	English
Title of host publication	ICISS 2016 - 2016 International Conference on Information Science and Security
Publisher	Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)	9781509054930
DOIs	https://doi.org/10.1109/ICISSEC.2016.7885860
Publication status	Published - Mar 23 2017
Event	3rd International Conference on Information Science and Security, ICISS 2016 - Pattaya, Thailand Duration: Dec 19 2016 → Dec 22 2016

Publication series

Name	ICISS 2016 - 2016 International Conference on Information Science and Security

Other

Other	3rd International Conference on Information Science and Security, ICISS 2016
Country/Territory	Thailand
City	Pattaya
Period	12/19/16 → 12/22/16

Keywords

Kernel rootkit
Last branch record
Operating system
Security

ASJC Scopus subject areas

Information Systems and Management
Safety, Risk, Reliability and Quality
Computer Networks and Communications

Access to Document

10.1109/ICISSEC.2016.7885860

Cite this

Akao, Y., & Yamauchi, T. (2017). KRGuard: Kernel Rootkits Detection Method by Monitoring Branches Using Hardware Features. In ICISS 2016 - 2016 International Conference on Information Science and Security [7885860] (ICISS 2016 - 2016 International Conference on Information Science and Security). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/ICISSEC.2016.7885860

KRGuard : Kernel Rootkits Detection Method by Monitoring Branches Using Hardware Features. / Akao, Yohei; Yamauchi, Toshihiro.

ICISS 2016 - 2016 International Conference on Information Science and Security. Institute of Electrical and Electronics Engineers Inc., 2017. 7885860 (ICISS 2016 - 2016 International Conference on Information Science and Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Akao, Y & Yamauchi, T 2017, KRGuard: Kernel Rootkits Detection Method by Monitoring Branches Using Hardware Features. in ICISS 2016 - 2016 International Conference on Information Science and Security., 7885860, ICISS 2016 - 2016 International Conference on Information Science and Security, Institute of Electrical and Electronics Engineers Inc., 3rd International Conference on Information Science and Security, ICISS 2016, Pattaya, Thailand, 12/19/16. https://doi.org/10.1109/ICISSEC.2016.7885860

Akao Y, Yamauchi T. KRGuard: Kernel Rootkits Detection Method by Monitoring Branches Using Hardware Features. In ICISS 2016 - 2016 International Conference on Information Science and Security. Institute of Electrical and Electronics Engineers Inc. 2017. 7885860. (ICISS 2016 - 2016 International Conference on Information Science and Security). https://doi.org/10.1109/ICISSEC.2016.7885860

@inproceedings{7cf098e0546c409fb9425a7863cf4fc9,

title = "KRGuard: Kernel Rootkits Detection Method by Monitoring Branches Using Hardware Features",

abstract = "Attacks on an operating system kernel using kernel rootkits pose a particularly serious threat. Detecting an attack is difficult when the operating system kernel is infected with a kernel rootkit. For this reason, handling an attack will be delayed causing an increase in the amount of damage done to a computer system. In this paper, we discuss KRGuard (Kernel Rootkits Guard), which is a new method to detect kernel rootkits that monitors branch records in the kernel space. Since many kernel rootkits make branches that differ from the usual branches in the kernel space, KRGuard can detect these differences by using hardware features of commodity processors. Our evaluation shows that KRGuard can detect kernel rootkits with small overhead.",

keywords = "Kernel rootkit, Last branch record, Operating system, Security",

author = "Yohei Akao and Toshihiro Yamauchi",

note = "Publisher Copyright: {\textcopyright} 2016 IEEE.; 3rd International Conference on Information Science and Security, ICISS 2016 ; Conference date: 19-12-2016 Through 22-12-2016",

year = "2017",

month = mar,

day = "23",

doi = "10.1109/ICISSEC.2016.7885860",

language = "English",

series = "ICISS 2016 - 2016 International Conference on Information Science and Security",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

booktitle = "ICISS 2016 - 2016 International Conference on Information Science and Security",

}

TY - GEN

T1 - KRGuard

T2 - 3rd International Conference on Information Science and Security, ICISS 2016

AU - Akao, Yohei

AU - Yamauchi, Toshihiro

PY - 2017/3/23

Y1 - 2017/3/23

N2 - Attacks on an operating system kernel using kernel rootkits pose a particularly serious threat. Detecting an attack is difficult when the operating system kernel is infected with a kernel rootkit. For this reason, handling an attack will be delayed causing an increase in the amount of damage done to a computer system. In this paper, we discuss KRGuard (Kernel Rootkits Guard), which is a new method to detect kernel rootkits that monitors branch records in the kernel space. Since many kernel rootkits make branches that differ from the usual branches in the kernel space, KRGuard can detect these differences by using hardware features of commodity processors. Our evaluation shows that KRGuard can detect kernel rootkits with small overhead.

AB - Attacks on an operating system kernel using kernel rootkits pose a particularly serious threat. Detecting an attack is difficult when the operating system kernel is infected with a kernel rootkit. For this reason, handling an attack will be delayed causing an increase in the amount of damage done to a computer system. In this paper, we discuss KRGuard (Kernel Rootkits Guard), which is a new method to detect kernel rootkits that monitors branch records in the kernel space. Since many kernel rootkits make branches that differ from the usual branches in the kernel space, KRGuard can detect these differences by using hardware features of commodity processors. Our evaluation shows that KRGuard can detect kernel rootkits with small overhead.

KW - Kernel rootkit

KW - Last branch record

KW - Operating system

KW - Security

UR - http://www.scopus.com/inward/record.url?scp=85018253884&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85018253884&partnerID=8YFLogxK

U2 - 10.1109/ICISSEC.2016.7885860

DO - 10.1109/ICISSEC.2016.7885860

M3 - Conference contribution

AN - SCOPUS:85018253884

T3 - ICISS 2016 - 2016 International Conference on Information Science and Security

BT - ICISS 2016 - 2016 International Conference on Information Science and Security

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 19 December 2016 through 22 December 2016

ER -

KRGuard: Kernel Rootkits Detection Method by Monitoring Branches Using Hardware Features

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this