VMM-based hidden process detection and identification using Lycosid
Citations Over TimeTop 1% of 2008 papers
Abstract
Use of stealth rootkit techniques to hide long-lived malicious processes is a current and alarming security issue. In this paper, we describe, implement, and evaluate a novel VMM-based hidden process detection and identification service called Lycosid that is based on the cross-view validation principle. Like previous VMM-based security services, Lycosid benefits from its protected location. In contrast top revious VMM-based hidden process detectors, Lycosid obtains guest process information implicitly. Using implicit information reduces its susceptibility to guest evasion attacks and decouples it from specific guest operating system versions and patch levels. The implicit information Lycosid depends on, however, can be noisy and unreliable. Statistical inference techniques like hypothesis testing and line arregression allow Lycosid to trade time for accuracy. Despite low quality inputs, Lycosid provides a robust, highly accurate service usable even insecurity environments where the consequences for wrong decisions can behig.
Related Papers
- → A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion(2017)105 cited
- → Rootkit detection on virtual machines through deep information extraction at hypervisor-level(2013)14 cited
- → Implementing rootkits to address operating system vulnerabilities(2011)9 cited
- Preventing Hypervisor-based Rootkit with Trusted Execution Technology(2009)
- → Malicious Software(2020)