On the Effectiveness of Virtualisation Assisted View Comparison for Rootkit Detection
Richer, T.J., Neale, G. and Osborne, G.
There is growing interest in tools for monitoring virtualisation infrastructure and detecting malware within Virtual Machines (VMs). View comparison, or cross-view validation, is a technique for detecting object hiding by malware. It involves comparing different views of system objects to find discrepancies that might indicate the use of object hiding techniques.
We present Linebacker, a system for performing view comparison on VMware vSphere VMs. Linebacker compares external (i.e. hypervisor level) and internal (i.e. guest operating system level) views of process, file and registry objects within VMs to detect rootkits that cloak such objects from the view of the guest operating system. We use Linebacker to compare the efficacy of the view comparison technique to sandboxing or API call monitoring approaches to rootkit detection. We also present a case study evaluating the performance impacts associated with using Linebacker to monitor VMs in a production environment. We present execution and analysis time metrics for this study and discuss feedback provided by users.
Finally, we analyse our results and make recommendations regarding the implementation of view comparison for real-world virtualisation infrastructure.
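The core of the view comparison technique described above, as an added illustration that is not Linebacker's code or data: an external (hypervisor-level) view and an internal (guest-level) view of process, file and registry objects are diffed, and anything the hypervisor sees that the guest does not is flagged as a hiding candidate. The object identifiers ("pid:name", paths, key names) and the sample views are constructed; the transient filter, which only reports objects present in two external snapshots bracketing the internal one, is an added heuristic for short-lived objects and is not part of the paper.

```python
"""Cross-view validation: external (hypervisor) vs internal (guest OS) views."""


def hidden_objects(external_before, internal, external_after):
    """Return objects visible from the hypervisor but not from inside the guest.

    Each view maps an object kind ("process", "file", "registry") to the set of
    identifiers it can see. An object is reported only if it is present in BOTH
    external snapshots taken around the internal one; an object seen in just one
    is treated as transient (created or exited during the scan), not hidden.
    """
    hidden = {}
    for kind in external_before:
        stable = external_before[kind] & external_after.get(kind, set())
        missing = stable - internal.get(kind, set())
        if missing:
            hidden[kind] = sorted(missing)
    return hidden


# Constructed sample views (assumed identifier format: "pid:name" for processes,
# full paths for files and registry keys). The process 4242, the driver file and
# the service key are cloaked from the guest; 900:notepad.exe exits between the
# two external snapshots and 1010:cmd.exe starts after the first, so neither
# should be reported.
EXT_1 = {
    "process": {"4:System", "512:explorer.exe", "4242:svchost.exe", "900:notepad.exe"},
    "file": {r"C:\Windows\System32\drivers\example.sys"},
    "registry": {r"HKLM\SYSTEM\CurrentControlSet\Services\example"},
}
INT = {
    "process": {"4:System", "512:explorer.exe", "1010:cmd.exe"},
    "file": set(),
    "registry": set(),
}
EXT_2 = {
    "process": {"4:System", "512:explorer.exe", "4242:svchost.exe", "1010:cmd.exe"},
    "file": {r"C:\Windows\System32\drivers\example.sys"},
    "registry": {r"HKLM\SYSTEM\CurrentControlSet\Services\example"},
}

if __name__ == "__main__":
    for kind, objects in hidden_objects(EXT_1, INT, EXT_2).items():
        print(f"{kind}: hidden from guest -> {objects}")
```

Discrepancies in the other direction (objects the guest reports but the hypervisor cannot find) are also worth surfacing in practice, since they indicate a problem with how the external view is reconstructed rather than object hiding.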
Cite as: Richer, T.J., Neale, G. and Osborne, G. (2015). On the Effectiveness of Virtualisation Assisted View Comparison for Rootkit Detection. In Proc. 13th Australasian Information Security Conference (AISC 2015), Sydney, Australia. CRPIT, 161. Welch, I. and Yi, X., Eds., ACS. 35-44.