An Integrated Architecture for Automatic Indication, Avoidance and Profiling of Kernel Rootkit Attacks

Abstract

The objective of this project is to mitigate or eliminate threats of kernel rootkits against production computer systems. The main goal of this research is the development of an integrated, virtualization-based architecture for automatic indication, avoidance and profiling of kernel rootkit attacks while maintaining non-stop production system operation. Under this architecture, a production system (running as a virtual machine, or VM) executes at full speed under normal circumstances, while the proposed architecture watches for the first sign of a kernel rootkit attack and indicates the attack right before it strikes. In response, the production VM "splits" into two copies: one is the same production VM, running uninterrupted and without the negative impact of the rootkit, while the other is a live profiling VM that generates a multi-aspect profile of the kernel rootkit. Moreover, the profile guides the generation of a variety of kernel attack defense techniques, which are applied back to the production system to shield it from future rootkit attacks.

Document Details

Document Type
Technical Report
Publication Date
Aug 20, 2014
Accession Number
ADA609410

Entities

People

  • Dongyan Xu
  • Eugene H. Spafford
  • Xuxian Jiang

Organizations

  • Purdue University

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Air Force
  • Air Force Research Laboratories
  • Automatic
  • Computer Science
  • Computers
  • Debugging
  • Detection
  • Detectors
  • Forensic Analysis
  • Instructions
  • Intrusion Detection
  • Intrusion Detectors
  • Kernels (Operating System)
  • North Carolina
  • Operating Systems
  • Virtual Machines
  • Virtualization

Fields of Study

  • Computer science

Readers

  • Cybersecurity.
  • Parallel and Distributed Computing.
  • Sensor Fusion and Tracking Systems.