MrKIP: Rootkit recognition with kernel function invocation pattern

Chi We Wang; Chong Kua Chen; Chia We Wang; Shiuh-Pyng Shieh

doi:10.6688/JISE.2015.31.2.6

MrKIP: Rootkit recognition with kernel function invocation pattern

Chi We Wang, Chong Kua Chen, Chia We Wang, Shiuh-Pyng Shieh

Institute of Computer Science and Engineering

Research output: Contribution to journal › Article › peer-review

4 Scopus citations

Abstract

Existing mechanisms tracing user-level activities such as system calls and APIs can be circumvented by the kernel-level rootkits. In this paper, a novel system, MrKIP, is proposed to recognize rootkits based on their kernel-level activities. Our scheme semiautomatically generates suitable locations for analysts to implement checkpoints, which are used to profile kernel-space activities. Then, collected rootkits are executed in an emulator with these checkpoints for behavior profiling. The collected behaviors are clustered and used for model construction. The constructed model can be used to recognize new variants of rootkit families. Our scheme differs from conventional tracers due to its ability to cover kernel-space malware and the whole-system scope. In addition, monitoring at the kernel level raises high barrier for malware to evade, since all tasks are eventually executed through the basic kernel functions.

Original language	English
Pages (from-to)	455-473
Number of pages	19
Journal	Journal of Information Science and Engineering
Volume	31
Issue number	2
DOIs	https://doi.org/10.6688/JISE.2015.31.2.6
State	Published - 1 Mar 2015

Keywords

Data mining
Dynamic analysis
Malware analysis
Rootkit recognition
Virtual machine introspection

Access to Document

10.6688/JISE.2015.31.2.6

Cite this

@article{a1d1727bbaba47acac12ef761caace75,

title = "MrKIP: Rootkit recognition with kernel function invocation pattern",

abstract = "Existing mechanisms tracing user-level activities such as system calls and APIs can be circumvented by the kernel-level rootkits. In this paper, a novel system, MrKIP, is proposed to recognize rootkits based on their kernel-level activities. Our scheme semiautomatically generates suitable locations for analysts to implement checkpoints, which are used to profile kernel-space activities. Then, collected rootkits are executed in an emulator with these checkpoints for behavior profiling. The collected behaviors are clustered and used for model construction. The constructed model can be used to recognize new variants of rootkit families. Our scheme differs from conventional tracers due to its ability to cover kernel-space malware and the whole-system scope. In addition, monitoring at the kernel level raises high barrier for malware to evade, since all tasks are eventually executed through the basic kernel functions.",

keywords = "Data mining, Dynamic analysis, Malware analysis, Rootkit recognition, Virtual machine introspection",

author = "Wang, {Chi We} and Chen, {Chong Kua} and Wang, {Chia We} and Shiuh-Pyng Shieh",

year = "2015",

month = mar,

day = "1",

doi = "10.6688/JISE.2015.31.2.6",

language = "English",

volume = "31",

pages = "455--473",

journal = "Journal of Information Science and Engineering",

issn = "1016-2364",

publisher = "Institute of Information Science",

number = "2",

}

TY - JOUR

T1 - MrKIP

T2 - Rootkit recognition with kernel function invocation pattern

AU - Wang, Chi We

AU - Chen, Chong Kua

AU - Wang, Chia We

AU - Shieh, Shiuh-Pyng

PY - 2015/3/1

Y1 - 2015/3/1

N2 - Existing mechanisms tracing user-level activities such as system calls and APIs can be circumvented by the kernel-level rootkits. In this paper, a novel system, MrKIP, is proposed to recognize rootkits based on their kernel-level activities. Our scheme semiautomatically generates suitable locations for analysts to implement checkpoints, which are used to profile kernel-space activities. Then, collected rootkits are executed in an emulator with these checkpoints for behavior profiling. The collected behaviors are clustered and used for model construction. The constructed model can be used to recognize new variants of rootkit families. Our scheme differs from conventional tracers due to its ability to cover kernel-space malware and the whole-system scope. In addition, monitoring at the kernel level raises high barrier for malware to evade, since all tasks are eventually executed through the basic kernel functions.

AB - Existing mechanisms tracing user-level activities such as system calls and APIs can be circumvented by the kernel-level rootkits. In this paper, a novel system, MrKIP, is proposed to recognize rootkits based on their kernel-level activities. Our scheme semiautomatically generates suitable locations for analysts to implement checkpoints, which are used to profile kernel-space activities. Then, collected rootkits are executed in an emulator with these checkpoints for behavior profiling. The collected behaviors are clustered and used for model construction. The constructed model can be used to recognize new variants of rootkit families. Our scheme differs from conventional tracers due to its ability to cover kernel-space malware and the whole-system scope. In addition, monitoring at the kernel level raises high barrier for malware to evade, since all tasks are eventually executed through the basic kernel functions.

KW - Data mining

KW - Dynamic analysis

KW - Malware analysis

KW - Rootkit recognition

KW - Virtual machine introspection

UR - http://www.scopus.com/inward/record.url?scp=84928946628&partnerID=8YFLogxK

U2 - 10.6688/JISE.2015.31.2.6

DO - 10.6688/JISE.2015.31.2.6

M3 - Article

AN - SCOPUS:84928946628

SN - 1016-2364

VL - 31

SP - 455

EP - 473

JO - Journal of Information Science and Engineering

JF - Journal of Information Science and Engineering

IS - 2

ER -

MrKIP: Rootkit recognition with kernel function invocation pattern

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this