Journal: IEEE Transactions on Information Forensics and Security

Back to Static Analysis for Kernel-Level Rootkit Detection

Abstract

A rootkit's main goal is to hide itself and the other modules present in the malware. This stealthy nature makes detection more difficult, especially for kernel-level rootkits. Many dynamic analysis techniques have been proposed for detecting kernel-level rootkits, whereas static analysis has not been popular. This is perhaps due to its poor performance in detecting malware in general, which can be attributed to the level of obfuscation employed in binaries, which makes static analysis difficult if not impossible. In this paper, we make two important observations: first, legitimate kernel-level code usually uses little obfuscation, as opposed to malicious kernel-level code; second, one of the main approaches to penetrating the Windows operating system is through kernel-level drivers. Therefore, by focusing on detecting the malicious kernel drivers employed by a rootkit, one can detect the rootkit while avoiding the issues with current detection techniques. Given these two observations, we propose a simple static analysis technique aimed at detecting malicious drivers. We first study current trends in the implementation of kernel-level rootkits. We then propose a set of features to quantify malicious behavior in kernel drivers. These features are evaluated through a set of experiments on 4420 malicious and legitimate drivers, obtaining an accuracy of 98.15% in distinguishing between these drivers.
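The abstract describes the shape of the approach (inspect the driver binary without running it, derive features that separate unobfuscated legitimate drivers from suspicious ones, classify) but the page does not list the paper's features or classifier. The following is an added example written for this page, not the paper's code: a self-contained Python static feature extractor for Windows kernel driver PE files. It parses the section table and import table, measures section entropy (the "legitimate kernel code is rarely obfuscated" observation), checks for writable-and-executable sections, and counts imports from an assumed watch list of ntoskrnl routines. The watch list, the 7.0-bit entropy threshold, the "fewer than five imports" rule and the additive score are illustrative assumptions standing in for the paper's unstated feature set; `build_driver`, `BENIGN` and `SUSPECT` are a constructed PE32 builder and constructed sample images so the code runs offline. The same parser works on a real `.sys` file read from disk.

```python
# Added example (not the paper's code): static feature extraction from a Windows
# kernel driver PE in the spirit of the abstract. Watch list, thresholds and the
# scoring rule are illustrative assumptions; a tiny PE32 builder supplies
# constructed test images, so this runs offline with the standard library only.
import hashlib
import math
import struct

WATCH_LIST = {  # assumed: ntoskrnl exports commonly used for hooking and lookup
    "mmgetsystemroutineaddress", "zwquerysysteminformation", "keservicedescriptortable",
    "pslookupprocessbyprocessid", "mmmapiospace"}
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000
SEC_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER

def entropy(buf):  # Shannon entropy in bits per byte (8.0 = uniformly random)
    n = len(buf) or 1
    return -sum(buf.count(b) / n * math.log2(buf.count(b) / n) for b in set(buf))

def parse_pe(data):  # -> (sections, imports); section = (name, rva, size, raw_off, raw_size, flags)
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B  # PE32+ (64-bit)?
    import_rva = struct.unpack_from("<I", data, opt + (112 if plus else 96) + 8)[0]
    secs = []
    for i in range(nsec):
        f = struct.unpack_from(SEC_FMT, data, opt + opt_size + 40 * i)
        secs.append((f[0].rstrip(b"\0").decode(), f[2], max(f[1], f[3]), f[4], f[3], f[9]))
    def off(rva):  # RVA -> file offset through the section table
        return next(raw + rva - va for _, va, size, raw, _, _ in secs if va <= rva < va + size)
    cstr = lambda o: data[o:data.index(b"\0", o)].decode("ascii", "replace")
    fmt, step, ordflag = ("<Q", 8, 1 << 63) if plus else ("<I", 4, 1 << 31)
    imports, d = [], off(import_rva) if import_rva else None
    while d is not None:  # null-terminated IMAGE_IMPORT_DESCRIPTOR array
        int_rva, _, _, name_rva, iat_rva = struct.unpack_from("<5I", data, d)
        if not name_rva:
            break
        dll, t = cstr(off(name_rva)).lower(), off(int_rva or iat_rva)
        while thunk := struct.unpack_from(fmt, data, t)[0]:  # INT/IAT entries until null
            imports.append((dll, f"#{thunk & 0xFFFF}" if thunk & ordflag else cstr(off(thunk) + 2)))
            t += step
        d += 20
    return secs, imports

def extract_features(data):
    secs, imports = parse_pe(data)
    names = {fn.lower() for _, fn in imports}
    return {
        "n_imports": len(imports),
        "watch_hits": sorted(names & WATCH_LIST),
        "max_entropy": round(max(entropy(data[raw:raw + n]) for _, _, _, raw, n, _ in secs), 2),
        "wx_section": any(f & SCN_EXECUTE and f & SCN_WRITE for *_, f in secs),
    }

def suspicious_score(feats):  # illustrative rule-based stand-in for the paper's classifier
    return sum([
        len(feats["watch_hits"]) >= 2,  # several hooking/lookup routines imported
        feats["max_entropy"] > 7.0,     # packed/encrypted section, rare in legitimate drivers
        feats["wx_section"],            # writable and executable code
        feats["n_imports"] < 5,         # tiny import table: routines resolved at run time
    ])

def build_driver(imports, text, wx=False):  # constructed PE32 image, test data only
    pad4 = lambda b: b + b"\0" * (-len(b) % 4)
    text, idata_rva, desc_len = text.ljust(0x1000, b"\0"), 0x2000, 20 * (len(imports) + 1)
    descs, tail = bytearray(), bytearray()
    here = lambda: idata_rva + desc_len + len(tail)  # RVA of the next byte appended to tail
    for dll, funcs in imports.items():
        names = []
        for fn in funcs:  # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the name
            names.append(here())
            tail += pad4(b"\0\0" + fn.encode() + b"\0")
        thunks = b"".join(struct.pack("<I", r) for r in names) + b"\0\0\0\0"
        int_rva, iat_rva = here(), here() + len(thunks)
        tail += thunks + thunks
        dll_rva = here()
        tail += pad4(dll.encode() + b"\0")
        descs += struct.pack("<5I", int_rva, 0, 0, dll_rva, iat_rva)
    idata = bytes(descs) + b"\0" * 20 + bytes(tail)
    idata = idata.ljust(-(-len(idata) // 0x200) * 0x200, b"\0")
    # optional header: PE32 magic, NumberOfRvaAndSizes at 92, DataDirectory[1] (imports) at 104
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<5I", 16, 0, 0, idata_rva, desc_len)
    flags = 0x60000020 | (SCN_WRITE if wx else 0)  # CODE | EXECUTE | READ (| WRITE)
    secs = struct.pack(SEC_FMT, b".text", len(text), 0x1000, len(text), 0x200, 0, 0, 0, 0, flags)
    secs += struct.pack(SEC_FMT, b".idata", len(idata), idata_rva, len(idata), 0x200 + len(text), 0, 0, 0, 0, 0xC0000040)
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102) + opt.ljust(224, b"\0") + secs
    return hdr.ljust(0x200, b"\0") + text + idata

# Constructed samples: a plain device driver vs. a packed, W+X driver that resolves
# routines at run time and references the SSDT.
BENIGN = build_driver({"ntoskrnl.exe": ["IoCreateDevice", "IoDeleteDevice", "IoCreateSymbolicLink",
                                        "RtlInitUnicodeString", "IofCompleteRequest"],
                       "hal.dll": ["KeGetCurrentIrql"]},
                      b"\x55\x8b\xec\x8b\x45\x08\x33\xc0\x5d\xc3" * 400)  # repetitive x86 stubs
SUSPECT = build_driver({"ntoskrnl.exe": ["MmGetSystemRoutineAddress", "ZwQuerySystemInformation",
                                         "KeServiceDescriptorTable"]},
                       b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)), wx=True)

if __name__ == "__main__":
    for label, image in ("benign", BENIGN), ("suspect", SUSPECT):
        print(label, suspicious_score(extract_features(image)), extract_features(image))
```

On the constructed images the benign driver scores 0 and the suspect driver scores 4. Two caveats a practitioner would add before using anything like this in earnest: legitimate drivers (anti-virus, virtualization, EDR) also import hooking and lookup routines, so import-name hits alone are weak evidence, and a real classifier would be trained on a labelled corpus, as the abstract describes for its 4420 drivers, rather than hand-tuned thresholds.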
