The Linux operating system is widely adopted because it is open source and free, and for the same reasons it is the target of constant attacks. One of the most serious threats is the Trojan horse: after invading a computer, a Trojan performs no destructive operation but monitors activity inside the machine in order to steal user information, which it transmits through a back door it left behind earlier. The Trojans that are hardest for users to detect are those that penetrate deepest into the operating system kernel; a kernel-level Trojan combines a Trojan horse with kernel Rootkit technology. A Rootkit sits at the lowest layer of the system, holds the highest privilege, and can easily modify kernel data structures. Much security software can only detect one or a few Rootkits rather than all of them, and because of this special nature the kernel Rootkit has become a key research topic in computer security. Kernel Rootkits are loaded into the system kernel mainly as loadable kernel modules (LKM); to hide their malicious purpose and themselves, they modify key data such as the kernel system call table. Recent studies have found that Rootkits not only modify critical kernel control data but can achieve the same malicious ends by modifying non-control data, for example polluting the entropy pool so that the system cannot obtain valid random numbers, or adding malicious binary code.
Many earlier Rootkit detection techniques cannot detect such attacks: on the one hand they focus only on detecting modification of control data, and on the other hand detecting modification of non-control data has required an expert with a deep understanding of kernel data structure semantics to write a detailed technical specification of kernel integrity. In view of this analysis, this paper proposes a new kernel Rootkit detection technique, RKdetect. In the training phase it captures kernel memory pages from the system, extracts the data structures, infers invariants over them, and stores the invariants in the file system. In the enforcement phase, after a Rootkit has been inserted into the system, it periodically captures kernel memory and infers the invariants again, then compares them with the invariants obtained in the training phase; any change indicates the presence of a Rootkit. We use a model of an observation machine and a target machine. The observation machine performs data structure extraction, invariant inference and monitoring of the target machine, and hosts a Hadoop cluster; the invariant inference uses the MapReduce programming model. The target machine captures its kernel memory pages and returns them to the observation machine. The method can be widely used in virus, Trojan and Rootkit detection, and it has great significance for computer security research. Finally, to prove that RKdetect can detect common Rootkits, we implement the technique and experiment with different kinds of Rootkit. Our results prove the effectiveness and general applicability of RKdetect; it achieves good results...
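The training/enforcement comparison described above, written out as an added Python illustration (this is not RKdetect's code): constructed snapshots stand in for the fields extracted from captured kernel pages, the map step emits (field, value) pairs and the reduce step derives a per-field invariant, mirroring the MapReduce split the text names, and the enforcement check reports any field whose current value breaks its invariant. The field names `sys_call_table[n]` and `entropy_count` and all addresses and counter values are assumptions made up for the example.

```python
# Added illustration of RKdetect's training/enforcement idea, not the paper's code.
# A snapshot is a dict {field: value} standing in for the structures extracted from
# one captured kernel memory page; every value below is constructed.
from collections import defaultdict

TRAINING_SNAPSHOTS = [  # stable syscall-table slots plus a legitimately varying counter
    {"sys_call_table[0]": 0xFFFFFFFF81000A10, "sys_call_table[1]": 0xFFFFFFFF81000B20,
     "entropy_count": 3200},
    {"sys_call_table[0]": 0xFFFFFFFF81000A10, "sys_call_table[1]": 0xFFFFFFFF81000B20,
     "entropy_count": 2890},
    {"sys_call_table[0]": 0xFFFFFFFF81000A10, "sys_call_table[1]": 0xFFFFFFFF81000B20,
     "entropy_count": 4096},
]

def reduce_invariant(values):
    """Reduce step: ('const', v) if a field never changed, else ('range', lo, hi)."""
    distinct = set(values)
    if len(distinct) == 1:
        return ("const", distinct.pop())
    return ("range", min(distinct), max(distinct))

def infer_invariants(snapshots):
    """Training phase: map each snapshot to (field, value) pairs, group by field, reduce."""
    grouped = defaultdict(list)
    for snap in snapshots:
        for field, value in snap.items():  # map step: one pair per extracted field
            grouped[field].append(value)
    return {field: reduce_invariant(vals) for field, vals in grouped.items()}

def check_snapshot(snapshot, invariants):
    """Enforcement phase: fields whose value violates an invariant (or went missing)."""
    violations = []
    for field, rule in invariants.items():
        value = snapshot.get(field)
        if value is None:
            violations.append(field)
        elif rule[0] == "const" and value != rule[1]:
            violations.append(field)
        elif rule[0] == "range" and not rule[1] <= value <= rule[2]:
            violations.append(field)
    return sorted(violations)

if __name__ == "__main__":
    inv = infer_invariants(TRAINING_SNAPSHOTS)
    # Constructed enforcement capture: a syscall slot now points elsewhere and the
    # entropy counter has been forced to zero, the two tampering kinds the text names.
    suspect = {**TRAINING_SNAPSHOTS[0], "sys_call_table[1]": 0xFFFFFFFFC0123000,
               "entropy_count": 0}
    print(check_snapshot(suspect, inv))  # ['entropy_count', 'sys_call_table[1]']
```

A range learned from three samples is a coarse stand-in for the paper's inferred invariants: a legitimate `entropy_count` outside the training bounds would be flagged, so the training captures must cover the system's normal operating states before the enforcement phase is trusted.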