Conferences in Research and Practice in Information Technology
  

Online Version - Last Updated - 20 Jan 2012

 

 
On the Effectiveness of Virtualisation Assisted View Comparison for Rootkit Detection

Richer, T.J., Neale, G. and Osborne, G.

There is growing interest in tools for monitoring virtualisation infrastructure and detecting malware within Virtual Machines (VMs). View comparison, or cross-view validation, is a technique for detecting object hiding by malware. It involves comparing different views of system objects to find discrepancies that might indicate the use of object hiding techniques. We present Linebacker, a system for performing view comparison on VMware vSphere VMs. Linebacker compares external (i.e. hypervisor-level) and internal (i.e. guest operating system-level) views of process, file and registry objects within VMs to detect rootkits that cloak such objects from the view of the guest operating system. We use Linebacker to compare the efficacy of the view comparison technique to sandboxing or API call monitoring approaches to rootkit detection. We also present a case study evaluating the performance impacts associated with using Linebacker to monitor VMs in a production environment. We present execution and analysis time metrics for this study and discuss feedback provided by users. Finally, we analyse our results and make recommendations regarding the implementation of view comparison for real-world virtualisation infrastructure.
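The following is an added illustration of the cross-view validation technique the abstract describes; it is not Linebacker's code and does not show how Linebacker obtains its hypervisor-level view from vSphere. It assumes two already-captured snapshots per round, an external view (what an introspection tool walking the guest's kernel structures from outside reports) and an internal view (what an in-guest enumeration tool reports), for the three object classes the paper names: processes, files and registry keys. The snapshot contents and object names are constructed for the example. It also carries the one check a practitioner needs before trusting a discrepancy: because processes start and exit between the two snapshots, a single-round difference may be a race, so only objects hidden in every round are reported.

```python
"""Cross-view validation over hypervisor-level and guest-level object views.

Added example, not Linebacker's implementation. Input snapshots are
constructed; in practice the external view would come from introspection of
the guest's memory and the internal view from a tool run inside the guest.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Obj:
    kind: str   # "process", "file" or "registry"
    key: str    # canonical identity, see canonical()


def canonical(kind: str, raw: str) -> Obj:
    """Normalise an object name so the two views can be matched.

    Hypervisor-side introspection and in-guest enumeration routinely disagree
    on case and path separators with no hiding involved, so comparison is done
    on a canonical form. Process keys are "pid:image" so that PID reuse does
    not pair unrelated processes.
    """
    k = raw.replace("/", "\\").lower().rstrip("\\")
    return Obj(kind, k)


def hidden_objects(external: set[Obj], internal: set[Obj]) -> set[Obj]:
    """Objects the hypervisor sees that the guest does not: cloaking candidates."""
    return external - internal


def internal_only(external: set[Obj], internal: set[Obj]) -> set[Obj]:
    """Objects the guest reports that introspection missed.

    This direction is not hiding. It usually means a race (object created
    after the external snapshot) or an introspection gap such as wrong
    kernel-structure offsets, and should be treated as a tooling problem.
    """
    return internal - external


def persistent_hidden(rounds: list[tuple[set[Obj], set[Obj]]]) -> set[Obj]:
    """Report only objects missing from the internal view in every round."""
    if not rounds:
        return set()
    result = hidden_objects(*rounds[0])
    for external, internal in rounds[1:]:
        result &= hidden_objects(external, internal)
    return result


def report(rounds: list[tuple[set[Obj], set[Obj]]]) -> dict[str, list[str]]:
    """Group persistently hidden objects by kind, sorted for stable output."""
    out: dict[str, list[str]] = {}
    for o in sorted(persistent_hidden(rounds), key=lambda o: (o.kind, o.key)):
        out.setdefault(o.kind, []).append(o.key)
    return out


def _view(pairs: list[tuple[str, str]]) -> set[Obj]:
    return {canonical(kind, raw) for kind, raw in pairs}


# Constructed sample snapshots (not real captures).
# Round 1: the external view lists a process the guest cannot see (pid 1337),
# a driver file and a service key the guest cannot see, and a process (pid
# 2200) that exits before the in-guest tool runs.
ROUND1_EXT = _view([
    ("process", "4:System"),
    ("process", "1337:svch0st.exe"),
    ("process", "2200:notepad.exe"),
    ("file", "C:/Windows/System32/ntoskrnl.exe"),
    ("file", "C:/Windows/System32/drivers/rk.sys"),
    ("registry", "HKLM/SYSTEM/CurrentControlSet/Services/rk"),
])
ROUND1_INT = _view([
    ("process", "4:System"),
    ("file", "C:\\Windows\\System32\\ntoskrnl.exe"),
])
# Round 2: notepad.exe is gone from both views (so it was a race, not hiding);
# cmd.exe is visible in both; the cloaked objects are still cloaked.
ROUND2_EXT = _view([
    ("process", "4:System"),
    ("process", "1337:svch0st.exe"),
    ("process", "3100:cmd.exe"),
    ("file", "C:/Windows/System32/ntoskrnl.exe"),
    ("file", "C:/Windows/System32/drivers/rk.sys"),
    ("registry", "HKLM/SYSTEM/CurrentControlSet/Services/rk"),
])
ROUND2_INT = _view([
    ("process", "4:System"),
    ("process", "3100:cmd.exe"),
    ("file", "C:\\Windows\\System32\\ntoskrnl.exe"),
])
SAMPLE_ROUNDS = [(ROUND1_EXT, ROUND1_INT), (ROUND2_EXT, ROUND2_INT)]

if __name__ == "__main__":
    for kind, keys in report(SAMPLE_ROUNDS).items():
        print(f"{kind}: hidden from guest: {keys}")
```

Two properties of the technique are visible in the output. The transient `notepad.exe` never appears, because it was missing from the internal view in only one round, while `svch0st.exe`, `rk.sys` and the `rk` service key are reported from all three object classes. The check is also silent about anything that does not hide: malware that runs as an ordinary visible process produces no cross-view discrepancy, which is why the paper compares view comparison against sandboxing and API call monitoring rather than treating it as a complete detector.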
Cite as: Richer, T.J., Neale, G. and Osborne, G. (2015). On the Effectiveness of Virtualisation Assisted View Comparison for Rootkit Detection. In Proc. 13th Australasian Information Security Conference (AISC 2015) Sydney, Australia. CRPIT, 161. Welch, I. and Yi, X. Eds., ACS. 35-44