Abstract
Rootkits refer to software that is used to hide the presence and activity of malware and permit an attacker to take control of a computer system. In our previous work, we focused strictly on identifying rootkits that use inline function hooking techniques to remain hidden. In this paper, we extend our previous work by including rootkits that use other types of hooking techniques, such as those that hook the IATs (Import Address Tables) and SSDTs (System Service Descriptor Tables). Unlike other malware identification techniques, our approach involved conducting dynamic analyses of various rootkits and then determining the family of each rootkit based on the hooks that had been created on the system. We demonstrated the effectiveness of this approach by first using the CLOPE (Clustering with sLOPE) algorithm to cluster a sample of rootkits into several families; next, the ID3 (Iterative Dichotomiser 3) algorithm was utilized to generate a decision tree for identifying the rootkit that had infected a machine.
| Original language | English |
|---|---|
| Title of host publication | 2010 International Conference on Information Science and Applications, ICISA 2010 |
| Place of Publication | Piscataway, USA |
| Publisher | Institute of Electrical and Electronics Engineers (IEEE) |
| Number of pages | 7 |
| ISBN (Print) | 9781424459438 |
| DOIs | |
| Publication status | Published - 2010 |
| Externally published | Yes |
| Event | 2010 International Conference in Information Science and Applications, ICISA 2010 - Seoul, Korea, Republic of Duration: 21 Apr 2010 → 23 Apr 2010 |
Conference
| Conference | 2010 International Conference in Information Science and Applications, ICISA 2010 |
|---|---|
| Country/Territory | Korea, Republic of |
| City | Seoul |
| Period | 21/04/10 → 23/04/10 |
Keywords
- Computer security
- Data mining
- Rootkits