Rootkit behavior identification method based on multidimensional across view

An identification method and cross-view technology, applied to platform integrity maintenance and related areas, addresses problems such as the inability of existing detection methods to guarantee reliability and comprehensiveness, to identify rootkit behavior characteristics, or to detect dynamic system data, with the effect of increasing the reliability and comprehensiveness of detection.

Inactive Publication Date: 2013-06-12
BEIJING INSTITUTE OF TECHNOLOGY

AI Technical Summary

Problems solved by technology

However, this method is mainly suitable for detecting static data of the system, such as system functions, and cannot be applied to detecting dynamic data of the system, such as the process linked list.
[0008] To sum up, the existing rootkit detection methods cannot guarantee the reliability and comprehensiveness of detection; they cannot identify the behavioral characteristics of the rootkit, that is, they cannot specify the hiding method used by the rootkit; and they can only restore the static data of the contaminated system.




Embodiment Construction

[0020] In order to better illustrate the purpose and advantages of the present invention, the implementation of the method of the present invention will be further described in detail below in conjunction with examples.

[0021] The embodiment of the present invention is described by taking a process hidden by a rootkit in the Windows operating system as the detection item. Let A1 be a detection method based on hardware virtualization that obtains hidden processes through the CR3 register; the cross view it obtains is P1. Let A2 be a detection method that obtains hidden processes by intercepting the SwapContext thread scheduling function; the cross view it obtains is P2, and the corresponding avoidance method is H2. Let A3 be a hidden-process detection method based on HSC (intercepting system calls); the cross view it obtains is P3, and the corresponding avoidance method is H3. Let A4 be a hidden-process detection method based on memory search, a...
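The cross-view comparison the embodiment describes, as an added example that is not part of the patent text: each dimension A1..A4 yields a view P_i (here a set of process identifiers), a process present in some views but absent from others is hidden, and the dimensions that miss it name the evasion methods H_i in use; polluted views whose evasion has a known repair are restored and the system is re-detected. The views, the "H4" label for A4, and the set of recoverable evasions are constructed assumptions.

```python
# Detection dimensions from the embodiment: A_i -> the hiding method H_i the
# text pairs with it. A1 has no H named on the page; "H4" is an assumed label.
DIMENSIONS = {
    "A1": None,   # hardware virtualization, CR3 register
    "A2": "H2",   # SwapContext thread-scheduling interception
    "A3": "H3",   # HSC (system-call interception)
    "A4": "H4",   # memory search (evasion label assumed)
}
# Assumption: the analyst knows how to repair data polluted by these methods.
RECOVERABLE = {"H2", "H3"}


def build_views():
    """Constructed sample views P_i: the process identifiers each A_i observed."""
    return {
        "A1": {4, 88, 312, 1337, 2048, 4711},
        "A2": {4, 88, 312, 2048, 4711},        # 1337 hidden from A2
        "A3": {4, 88, 312, 2048, 4711},        # 1337 hidden from A3
        "A4": {4, 88, 312, 1337, 2048},        # 4711 hidden from A4
    }


def analyse(views):
    """Cross the views: an item seen in some dimensions but missing from others
    is hidden, and the missing dimensions' H_i are the evasions in use."""
    findings = {}
    for pid in sorted(set().union(*views.values())):
        missing = [d for d, p in views.items() if pid not in p]
        if missing:
            findings[pid] = {
                "hidden_from": missing,
                "evasions": [DIMENSIONS[d] for d in missing if DIMENSIONS[d]],
            }
    return findings


def recover(views, findings):
    """Restore the hidden item in each dimension whose evasion has a known
    repair; report the items (and dimensions) that cannot be recovered."""
    repaired = {d: set(p) for d, p in views.items()}
    unrecoverable = {}
    for pid, info in findings.items():
        for d in info["hidden_from"]:
            if DIMENSIONS[d] in RECOVERABLE:
                repaired[d].add(pid)
            else:
                unrecoverable.setdefault(pid, []).append(d)
    return repaired, unrecoverable
```

Running `analyse(build_views())`, then `recover`, then `analyse` again on the repaired views shows 1337 recovered (H2 and H3 are repairable) while 4711 remains hidden from A4.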


Abstract

The invention relates to a rootkit behavior identification method based on a multidimensional cross view, and belongs to the technical field of computer and information science. According to the method, the operating system is detected by several rootkit detection methods, a detection view of a corresponding dimension is constructed for each, and each dimensional view represents the corresponding detection result; if a detection item does not appear in the views of certain dimensions but does appear in other views, the rootkit has adopted the corresponding evasive measures (that is, hiding methods) aimed at those detection methods. It is then determined whether the data polluted by the rootkit can be recovered according to the learned evasive measures, the polluted data that can be recovered are recovered, and finally the operating system is detected again to confirm that the polluted data have been recovered successfully. The method can identify the specific behaviors and the hiding method of the rootkit, and can be applied not only to the various operating systems of desktop computers but also to the mobile computing platform systems of mobile phones, tablet personal computers and the like.

Description

Technical field
[0001] The invention relates to a rootkit behavior identification method based on a multi-dimensional cross view, and belongs to the technical field of computer and information science.
Background technique
[0002] A rootkit is a group of malicious code hidden inside the system for a long time. Because it is often injected into a kernel module or even into hardware, it greatly increases the concealment of malicious code and seriously damages the integrity of the system. Its high privilege, high concealment and other characteristics have brought great difficulties to detection and removal. With the promotion and use of rootkit technology in malicious code in recent years, reliable rootkit detection methods and ideas will provide a strong guarantee for computer security.
[0003] Rootkit behavior identification needs to solve three basic problems: detect whether there is a rootkit; identify the method used by the existing rootkit to hide the detected items (t...


Application Information

IPC IPC(8): G06F21/56
Inventor 罗森林, 闫广禄, 潘丽敏, 郭亮, 张驰
Owner BEIJING INSTITUTE OF TECHNOLOGY