
Research On Linux Kernel-level Rootkit Detection

Posted on: 2017-10-05
Degree: Master
Type: Thesis
Country: China
Candidate: Z X Yang
Full Text: PDF
GTID: 2348330488470897
Subject: Computer system architecture
Abstract/Summary:
As Linux grows in popularity, including as a desktop operating system, the amount of Linux malware grows with it. Rootkits are among the most covert attack techniques and pose a major security threat: a rootkit tampers directly with the operating system kernel to hide its own presence and modifies operating system functions to mount a variety of attacks, for example opening a backdoor through which private personal data is stolen, granting elevated privileges to malicious programs, and rendering protective mechanisms ineffective. A kernel-level rootkit is an extremely dangerous threat to the runtime integrity of a Linux system: it can add, delete or modify the system state that the kernel reports to applications in response to kernel- or user-mode requests, including the list of running processes, loaded modules, active network connections, files, directories and even file contents. A kernel-level rootkit can also monitor user activity such as keyboard input, network packets and hardware interaction, and can hijack critical paths in kernel functions, undermining the entire system. Detecting kernel-level rootkits therefore requires going deep into the running kernel and examining both its code and its data structures.
This thesis gathers information from deep inside the underlying kernel in order to verify whether the system has been compromised by malicious code. The major contributions are as follows:
(1) The principles of existing rootkit detection techniques on Linux are analysed, and a detection technique based on kprobe is proposed. Probe points are inserted on critical paths in the low-level kernel to collect information about the objects a rootkit hides; this low-level information is then compared, following the cross-view validation principle, with the results reported by user-space audit tools, so that hidden processes and tampered function execution flows are revealed by the discrepancies between the two views.
(2) To reduce the performance overhead of real-time monitoring, a malicious-process detection module is added alongside the detection of hidden rootkit objects. The module provides an alarm mechanism: the kprobe-based control mechanism is enabled only once a suspected malicious intrusion has been flagged, which keeps the overhead down. The module uses machine learning, with key fields of the task_struct of a large number of malicious and legitimate processes serving as the training features, and the trained model is then used to determine whether the system has been compromised by malicious code.
(3) In the experimental phase, several popular existing rootkits were combined with malicious code that used their concealment capabilities, and the detection method of this thesis was applied to them; the experimental results show that the mechanism has good reliability.
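The cross-view validation step of contribution (1) can be illustrated with a small script. The following is an added example and not code from the thesis: it takes a kernel-side view reconstructed from kprobe-style trace lines and an audit-tool view in the style of `ps` output, and reports the objects that differ between them. The trace line format (`probe=<symbol> pid=<n> comm=<name>`), the probe symbol names and both data sets are constructed sample data, not real probe output; in the thesis the kernel view comes from probe points on the kernel's critical paths, which this script replaces with the inline sample.

```python
"""Cross-view validation of the process list (added example, not thesis code).

A rootkit that hides a process leaves it visible to the kernel's own code
paths but removes it from what user-space audit tools report.  Comparing the
two views exposes the hidden object.  Everything below is constructed sample
data with an assumed trace format.
"""
import re

# Constructed kernel-side trace: one event per line, in an assumed
# "probe=<symbol> pid=<n> comm=<name>" format.
KPROBE_TRACE = """\
probe=do_fork pid=1 comm=init
probe=do_fork pid=412 comm=sshd
probe=do_fork pid=600 comm=crond
probe=do_fork pid=987 comm=bash
probe=do_fork pid=1337 comm=kworker_fake
probe=do_fork pid=2048 comm=nginx
probe=do_exit pid=2048 comm=nginx
"""

# Constructed audit-tool output, in the style of `ps -e -o pid,comm`.
# PID 1337 is absent (hidden) and PID 600 reports a different name (tampered).
PS_OUTPUT = """\
  PID COMMAND
    1 init
  412 sshd
  600 kthreadd
  987 bash
"""

_TRACE_RE = re.compile(r"probe=(?P<probe>\w+) pid=(?P<pid>\d+) comm=(?P<comm>\S+)")


def kernel_view(trace: str) -> dict:
    """Replay fork/exit events to reconstruct the kernel's set of live processes."""
    live = {}
    for line in trace.splitlines():
        m = _TRACE_RE.match(line)
        if m is None:
            continue  # tolerate unrelated trace lines
        pid = int(m["pid"])
        if m["probe"] == "do_fork":
            live[pid] = m["comm"]
        elif m["probe"] == "do_exit":
            live.pop(pid, None)
    return live


def audit_view(ps_text: str) -> dict:
    """Parse ps-style output (header line skipped) into a pid -> command mapping."""
    view = {}
    for line in ps_text.splitlines()[1:]:
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            view[int(parts[0])] = parts[1].strip()
    return view


def cross_view_diff(kernel: dict, audit: dict) -> dict:
    """Compare the two views.

    hidden   - present in the kernel view only (concealed from user space)
    phantom  - present in the audit view only (should not happen; suspicious)
    tampered - present in both but under a different name (audit output altered)
    """
    return {
        "hidden": {p: c for p, c in kernel.items() if p not in audit},
        "phantom": {p: c for p, c in audit.items() if p not in kernel},
        "tampered": {p: (kernel[p], audit[p]) for p in kernel
                     if p in audit and kernel[p] != audit[p]},
    }


def detect(trace: str = KPROBE_TRACE, ps_text: str = PS_OUTPUT) -> dict:
    """Run the full cross-view check on the (sample) kernel and audit views."""
    return cross_view_diff(kernel_view(trace), audit_view(ps_text))


if __name__ == "__main__":
    for kind, objs in detect().items():
        for pid, info in objs.items():
            print(f"{kind}: pid={pid} {info}")
```

The same comparison applies unchanged to the other object classes the abstract lists (loaded modules, network connections, files): only the two parsers change, while `cross_view_diff` stays the same. The "phantom" bucket is kept because an object that the audit tool reports but the kernel view never created is itself a sign that the audit output, rather than the kernel, has been manipulated.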
Keywords/Search Tags: Rootkit detection, kprobe, audit tool, cross-view validation, machine learning