Full metadata record
DC Field: Value (Language)
dc.contributor.author: Wang, Chi-Wei (en_US)
dc.contributor.author: Chen, Chong-Kuan (en_US)
dc.contributor.author: Wang, Chia-Wei (en_US)
dc.contributor.author: Shieh, Shiuhpyng Winston (en_US)
dc.date.accessioned: 2015-07-21T08:28:39Z
dc.date.available: 2015-07-21T08:28:39Z
dc.date.issued: 2015-03-01 (en_US)
dc.identifier.issn: 1016-2364 (en_US)
dc.identifier.uri: http://hdl.handle.net/11536/124547
dc.description.abstract: Existing mechanisms that trace user-level activities such as system calls and APIs can be circumvented by kernel-level rootkits. In this paper, a novel system, MrKIP, is proposed to recognize rootkits based on their kernel-level activities. Our scheme semi-automatically generates suitable locations for analysts to implement checkpoints, which are used to profile kernel-space activities. Collected rootkits are then executed in an emulator with these checkpoints in place for behavior profiling. The collected behaviors are clustered and used for model construction, and the resulting model can recognize new variants of known rootkit families. Our scheme differs from conventional tracers in its ability to cover kernel-space malware and in its whole-system scope. In addition, monitoring at the kernel level raises a high barrier to evasion, since all tasks are eventually executed through basic kernel functions. (en_US)
dc.language.iso: en_US (en_US)
dc.subject: rootkit recognition (en_US)
dc.subject: malware analysis (en_US)
dc.subject: virtual machine introspection (en_US)
dc.subject: data mining (en_US)
dc.subject: dynamic analysis (en_US)
dc.title: MrKIP: Rootkit Recognition With Kernel Function Invocation Pattern (en_US)
dc.type: Article (en_US)
dc.identifier.journal: JOURNAL OF INFORMATION SCIENCE AND ENGINEERING (en_US)
dc.citation.volume: 31 (en_US)
dc.citation.spage: 455 (en_US)
dc.citation.epage: 473 (en_US)
dc.contributor.department: Department of Computer Science (zh_TW, translated from 資訊工程學系)
dc.contributor.department: Department of Computer Science (en_US)
dc.identifier.wosnumber: WOS:000351401300006 (en_US)
dc.citation.woscount: 0 (en_US)
Appears in Collections: Articles
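The abstract describes a four-stage pipeline: record kernel function invocations at checkpoints, turn the recordings into behavior profiles, cluster the profiles, and use the clusters as a model that recognizes new variants of a family. The script below is an added example written for this record, not code from the MrKIP paper or its authors. It implements that pipeline with a deliberately simple stand-in for the paper's unspecified details: a profile is the normalized frequency of invoked kernel functions plus bigrams of consecutive invocations (so order matters, as the word "pattern" in the title suggests), similarity is cosine, clustering is single-pass leader clustering, and a cluster is named after the majority family among its members. Every kernel function name, trace, family label and the 0.5 threshold are constructed sample data chosen here, not observations of real rootkits.

```python
"""Toy MrKIP-style pipeline: checkpoint traces -> profiles -> clusters -> recognition.

Added illustration, not the paper's code.  Feature model (unigram + bigram
frequencies, cosine similarity, leader clustering) is a simplification chosen
for this example.  All kernel function names and traces are constructed.
"""
import math
from collections import Counter

SIMILARITY_THRESHOLD = 0.5  # assumed value for the constructed data; tune on real traces


def invocation_profile(trace, n=2):
    """Normalised feature vector from an ordered list of kernel function
    invocations (what checkpoints would record).  Unigrams capture *which*
    kernel functions ran; n-grams capture the *pattern* in which they ran."""
    counts = Counter(trace)
    for i in range(len(trace) - n + 1):
        counts[tuple(trace[i:i + n])] += 1
    total = sum(counts.values())
    return {feat: c / total for feat, c in counts.items()}


def cosine(p, q):
    """Cosine similarity between two sparse profiles (feature -> weight)."""
    dot = sum(w * q.get(feat, 0.0) for feat, w in p.items())
    norm = math.sqrt(sum(w * w for w in p.values())) * math.sqrt(sum(w * w for w in q.values()))
    return dot / norm if norm else 0.0


def mean_profile(profiles):
    """Centroid of a list of sparse profiles."""
    acc = Counter()
    for p in profiles:
        acc.update(p)
    return {feat: w / len(profiles) for feat, w in acc.items()}


def leader_cluster(samples, threshold=SIMILARITY_THRESHOLD):
    """Single-pass leader clustering over (label, profile) pairs: a sample joins
    the first cluster whose centroid is at least `threshold` similar, otherwise
    it founds a new cluster.  Result depends on sample order (a known limitation)."""
    clusters = []
    for label, profile in samples:
        for c in clusters:
            if cosine(profile, c["centroid"]) >= threshold:
                c["members"].append(label)
                c["profiles"].append(profile)
                c["centroid"] = mean_profile(c["profiles"])
                break
        else:
            clusters.append({"members": [label], "profiles": [profile], "centroid": dict(profile)})
    return clusters


def build_model(clusters):
    """Name each cluster after the majority family among its members (labels are
    'family/sample'), yielding the recognition model as (family, centroid) pairs."""
    model = []
    for c in clusters:
        family = Counter(m.split("/")[0] for m in c["members"]).most_common(1)[0][0]
        model.append((family, c["centroid"]))
    return model


def recognize(trace, model, threshold=SIMILARITY_THRESHOLD):
    """Return (family, score) of the closest centroid, or ('unknown', score)
    when no centroid is similar enough."""
    profile = invocation_profile(trace)
    best_family, best_score = "unknown", 0.0
    for family, centroid in model:
        score = cosine(profile, centroid)
        if score > best_score:
            best_family, best_score = family, score
    return (best_family if best_score >= threshold else "unknown"), best_score


# Constructed checkpoint traces for two hypothetical rootkit families.
TRAINING = [
    ("famA/1", ["IoCreateDevice", "IoCreateSymbolicLink", "PsSetCreateProcessNotifyRoutine",
                "ZwQuerySystemInformation", "ExAllocatePool", "ExFreePool"]),
    ("famA/2", ["IoCreateDevice", "IoCreateSymbolicLink", "PsSetCreateProcessNotifyRoutine",
                "ZwQuerySystemInformation", "ExAllocatePoolWithTag", "ExFreePoolWithTag"]),
    ("famB/1", ["IoCreateDevice", "IoAttachDeviceToDeviceStack", "ZwQueryDirectoryFile",
                "RtlCompareUnicodeString", "IoCompleteRequest"]),
    ("famB/2", ["IoCreateDevice", "IoAttachDeviceToDeviceStack", "ZwQueryDirectoryFile",
                "RtlCompareUnicodeString", "RtlCompareUnicodeString", "IoCompleteRequest"]),
]
# Constructed: a new famA variant (repeated registration, different pool API) and a benign driver.
NEW_VARIANT = ["IoCreateDevice", "IoCreateSymbolicLink", "PsSetCreateProcessNotifyRoutine",
               "PsSetCreateProcessNotifyRoutine", "ZwQuerySystemInformation",
               "ExAllocatePoolWithTag", "ExFreePoolWithTag"]
BENIGN = ["IoCreateDevice", "IoCreateSymbolicLink", "IoCompleteRequest", "IoDeleteDevice"]


def train():
    """Profile, cluster and label the constructed training set."""
    return build_model(leader_cluster([(lbl, invocation_profile(t)) for lbl, t in TRAINING]))


if __name__ == "__main__":
    model = train()
    print("clusters:", [f for f, _ in model])
    print("new variant ->", recognize(NEW_VARIANT, model))
    print("benign driver ->", recognize(BENIGN, model))
```

On the constructed data the two family samples of famA score 7/11 against each other and fall into one cluster, the famB samples into another, the new famA variant is recognized as famA at about 0.86, and the benign driver scores below the threshold against both centroids and is reported as unknown. Two caveats a practitioner would add before using anything like this on real traces: leader clustering is order-sensitive, so the paper's clustering step should not be assumed to behave this way, and the threshold must be calibrated against a benign corpus, since a generic driver shares its device-setup calls with every kernel-mode sample.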