A Kernel Rootkit Detection Approach Based on Virtualization and Machine Learning

Donghai Tian*, Rui Ma, Xiaoqi Jia, Changzhen Hu

*此作品的通讯作者

科研成果: 期刊稿件文章同行评审

21 引用 (Scopus)

摘要

OS kernel is the core part of the operating system, and it plays an important role for OS resource management. A popular way to compromise OS kernel is through a kernel rootkit (i.e., malicious kernel module). Once a rootkit is loaded into the kernel space, it can carry out arbitrary malicious operations with high privilege. To defeat kernel rootkits, many approaches have been proposed in the past few years. However, existing methods suffer from some limitations: 1) most methods focus on user-mode rootkit detection; 2) some methods are limited to detect obfuscated kernel modules; and 3) some methods introduce significant performance overhead. To address these problems, we propose VKRD, a kernel rootkit detection system based on the hardware assisted virtualization technology. Compared with previous methods, VKRD can provide a transparent and an efficient execution environment for the target kernel module to reveal its run-time behavior. To select the important run-time features for training our detection models, we utilize the TF-IDF method. By combining the hardware assisted virtualization and machine learning techniques, our kernel rootkit detection solution could be potentially applied in the cloud environment. The experiments show that our system can detect windows kernel rootkits with high accuracy and moderate performance cost.

源语言英语
文章编号8759003
页(从-至)91657-91666
页数10
期刊IEEE Access
7
DOI
出版状态已出版 - 2019

指纹

探究 'A Kernel Rootkit Detection Approach Based on Virtualization and Machine Learning' 的科研主题。它们共同构成独一无二的指纹。

引用此