Rootkits have become one of the major threats to computer security, and they are hard to detect with common malware detection technologies. This paper introduces a rule-based approach to rootkit detection. It is based on the fact that a rootkit must modify some data structures of a system in order to hide itself, and these modifications necessarily lead to inconsistencies in the system. By finding these inconsistencies, we can detect the rootkit. Our approach has four main steps: (1) carefully choose data structures in different layers of a system; (2) perform the same information-calculation process using each layer's data structures in turn, and form an information space from the result of each calculation; (3) define rules as invariants over the information spaces formed in step (2); (4) if these rules hold, the system is clean; otherwise the system is probably infected by a rootkit. © 2010 IEEE.
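The four steps above, worked through as an added, constructed example that is not the paper's own code. It simulates a toy kernel that keeps three redundant views of "which processes exist" (a doubly linked process list, a PID lookup table, and a scheduler run queue; the names are assumptions chosen to resemble real kernels), computes the same information (the set of live PIDs) from each view, states the cross-view invariants as rules, and reports which rules a simulated DKOM-style unlinking breaks.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Process:
    """Minimal process object: only the fields the three views need."""
    pid: int
    name: str
    prev: Optional["Process"] = None
    next: Optional["Process"] = None


class SimKernel:
    """Constructed toy kernel with three redundant views of live processes
    (assumed structure, not the paper's implementation):
      1. a circular doubly linked list of process objects,
      2. a PID-to-object lookup table,
      3. a scheduler run queue holding the PIDs of runnable processes.
    Choosing such structures from different layers is step (1)."""

    def __init__(self) -> None:
        self.head = Process(0, "idle")            # list sentinel / idle process
        self.head.prev = self.head.next = self.head
        self.pid_table: Dict[int, Process] = {0: self.head}
        self.run_queue: List[int] = []

    def spawn(self, pid: int, name: str, runnable: bool = True) -> Process:
        """Normal process creation: all three views are updated."""
        p = Process(pid, name)
        tail = self.head.prev
        tail.next, p.prev, p.next, self.head.prev = p, tail, self.head, p
        self.pid_table[pid] = p
        if runnable:
            self.run_queue.append(pid)
        return p

    def terminate(self, pid: int) -> None:
        """Normal exit: all three views stay consistent."""
        p = self.pid_table.pop(pid)
        p.prev.next, p.next.prev = p.next, p.prev
        self.run_queue = [x for x in self.run_queue if x != pid]

    def dkom_hide(self, pid: int, also_pid_table: bool = False) -> None:
        """Simulated DKOM rootkit: unlink the process from the list so that
        list-walking tools no longer see it. The process must keep running,
        so the scheduler's view is left alone; optionally the PID table
        entry is removed as well to defeat a two-view comparison."""
        p = self.pid_table[pid]
        p.prev.next, p.next.prev = p.next, p.prev
        p.prev = p.next = p                       # self-link so a later unlink does not crash
        if also_pid_table:
            del self.pid_table[pid]


# Step (2): the same information (set of live PIDs) computed from each layer.
def pids_from_list(k: SimKernel) -> Set[int]:
    seen, node = set(), k.head.next
    while node is not k.head:
        seen.add(node.pid)
        node = node.next
    return seen


def pids_from_pid_table(k: SimKernel) -> Set[int]:
    return {pid for pid in k.pid_table if pid != 0}


def pids_from_run_queue(k: SimKernel) -> Set[int]:
    return set(k.run_queue)


# Step (3): rules stated as invariants over the information spaces.
def check_rules(k: SimKernel) -> Dict[str, Set[int]]:
    """Return {rule: offending PIDs} for each violated invariant;
    an empty dict means every rule holds (step (4): clean)."""
    lst, tbl, rq = pids_from_list(k), pids_from_pid_table(k), pids_from_run_queue(k)
    rules = {
        "R1 list == pid_table": lst ^ tbl,        # symmetric difference
        "R2 run_queue <= list": rq - lst,
        "R3 run_queue <= pid_table": rq - tbl,
    }
    return {name: bad for name, bad in rules.items() if bad}


def suspected_hidden_pids(k: SimKernel) -> Set[int]:
    """PIDs known to some layer but missing from another: the cross-view
    inconsistency the rules are designed to expose."""
    return set().union(*check_rules(k).values())


if __name__ == "__main__":
    k = SimKernel()
    for pid, name in [(4, "System"), (100, "svchost"), (200, "dropper")]:
        k.spawn(pid, name)
    print("clean:", check_rules(k))               # {}
    k.dkom_hide(200)
    print("after DKOM:", check_rules(k))          # R1 and R2 flag PID 200
    k.dkom_hide(100, also_pid_table=True)
    print("hidden from two views:", suspected_hidden_pids(k))  # {100, 200}
```

Two practical caveats follow from the design. The views must be read from a vantage point the rootkit cannot hook (a memory snapshot or a hypervisor rather than the guest's own APIs), otherwise the attacker controls every "calculation" and the rules are trivially satisfied. And a rootkit that edits every chosen structure consistently, or that hides by hooking readers instead of modifying data, leaves no inconsistency for rules of this kind to find, which is why step (1) matters: the lowest-layer structure chosen should be one the rootkit cannot alter without breaking its own execution, as the run queue is here.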
Wang, J. (2010). A rule-based approach for rootkit detection. In ICIME 2010 - 2010 2nd IEEE International Conference on Information Management and Engineering (Vol. 3, pp. 405–408). https://doi.org/10.1109/ICIME.2010.5478178