After intruding into a computer system, attackers use rootkits to maintain root access and carry out further malicious activity. Rootkits exist for a variety of operating systems (OS), such as Linux, Solaris and Microsoft Windows. Because Microsoft Windows is so widely used, it has become a primary target of rootkit attacks. Rootkits are classified into application-mode rootkits and kernel-mode rootkits according to the level of the operating system at which they operate. Application-mode rootkits modify system files or binary system data at the user level. Kernel-mode rootkits attack the operating system's kernel and are more powerful than application-mode ones; they are also more difficult to detect.

In this article, we put forward a new security strategy for Windows rootkits that combines "Multiple Detection", "Monitor Defence" and "Self-Protection". Following this strategy, we design a Windows rootkit monitoring system. Compared with conventional Windows rootkit detection technology, "Multiple Detection" addresses the problem of single detection, which is common in conventional approaches; "Monitor Defence" replaces passive detection with active monitoring; and "Self-Protection" ensures the robustness of the entire monitoring system.

The research work of this article provides complete basic knowledge for research on Windows rootkits. The novel "Multiple Detection" method makes up for the deficiency of current detection methods, so it can find all currently existing Windows rootkits. The strategy that combines "Multiple Detection", "Monitor Defence" and "Self-Protection" also has practical value for Windows OS security.
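The abstract contrasts "Multiple Detection" with single detection but does not spell out a mechanism. The block below is an added illustration, not code from the paper or its monitoring system, of one widely used way to combine several independent detection views: cross-view comparison. Whether the paper's "Multiple Detection" works this way is an assumption made here for illustration only. The view names (`user_api`, `kernel_list`, `scheduler`) and the process tables are constructed sample data standing in for enumeration results; a real detector would populate them from live sources.

```python
"""Cross-view discrepancy detection (illustrative, constructed data).

Idea: a rootkit that subverts one view of the system (for example the
process list that user-mode tools read) usually cannot subvert every view
at once. Objects present in some views but absent from others are
discrepancies worth investigating. This generalizes to any number of views
and to other object types (files, drivers, network endpoints) by changing
the keys in the view tables.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    pid: int
    hidden_from: tuple[str, ...]  # views that did NOT report this pid
    seen_in: tuple[str, ...]      # views that did report it


def cross_view_findings(views: dict[str, dict[int, str]]) -> list[Finding]:
    """Return every pid that is reported by some views but not by all.

    `views` maps a view name to the {pid: image_name} table produced by that
    view. Views must be collected as close together in time as possible:
    a process that exits between two enumerations also shows up as a
    discrepancy, so findings are leads to investigate, not verdicts.
    """
    all_pids: set[int] = set()
    for table in views.values():
        all_pids |= set(table)

    findings: list[Finding] = []
    for pid in sorted(all_pids):
        seen = tuple(sorted(name for name, table in views.items() if pid in table))
        missing = tuple(sorted(name for name, table in views.items() if pid not in table))
        if missing:
            findings.append(Finding(pid, missing, seen))
    return findings


def hidden_pids(views: dict[str, dict[int, str]]) -> list[int]:
    """Convenience wrapper: just the pids flagged by cross_view_findings."""
    return [f.pid for f in cross_view_findings(views)]


# Constructed sample (hypothetical pids and names): pid 4711 has been removed
# from the view that user-mode tools consult, but the lower-level views still
# report it.
SAMPLE_VIEWS: dict[str, dict[int, str]] = {
    "user_api":    {4: "System", 600: "svchost.exe", 1200: "explorer.exe"},
    "kernel_list": {4: "System", 600: "svchost.exe", 1200: "explorer.exe", 4711: "unknown"},
    "scheduler":   {4: "System", 600: "svchost.exe", 1200: "explorer.exe", 4711: "unknown"},
}

if __name__ == "__main__":
    for f in cross_view_findings(SAMPLE_VIEWS):
        print(f"pid {f.pid}: seen in {f.seen_in}, missing from {f.hidden_from}")
```

The design point is that each view is an independent witness; adding a view raises the bar for an attacker, who must now falsify all of them consistently. The timing caveat in the docstring matters in practice: enumerations taken far apart produce benign discrepancies from normal process churn, so a monitor should re-sample before raising an alert.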