Existing mechanisms tracing user-level activities such as system calls and APIs can be circumvented by the kernel-level rootkits. In this paper, a novel system, MrKIP, is proposed to recognize rootkits based on their kernel-level activities. Our scheme semiautomatically generates suitable locations for analysts to implement checkpoints, which are used to profile kernel-space activities. Then, collected rootkits are executed in an emulator with these checkpoints for behavior profiling. The collected behaviors are clustered and used for model construction. The constructed model can be used to recognize new variants of rootkit families. Our scheme differs from conventional tracers due to its ability to cover kernel-space malware and the whole-system scope. In addition, monitoring at the kernel level raises high barrier for malware to evade, since all tasks are eventually executed through the basic kernel functions.
- Data mining
- Dynamic analysis
- Malware analysis
- Rootkit recognition
- Virtual machine introspection