
An Architecture For Intrusion Detection And System Recovery From Kernel Data Structures’ Invariant Violations

Posted on: 2012-06-28
Degree: Master
Type: Thesis
Country: China
Candidate: L Z Deng
Full Text: PDF
GTID: 2248330395484860
Subject: Computer Science and Technology
Abstract/Summary:
The rapid development of Internet applications has brought an equally rapid growth in network intrusions. The target of attacks has shifted from user-level objects to the operating system kernel; such attacks are harder to find and to deal with, and therefore cause far greater damage. Rootkits are representative of this class of intrusion: they clean up their traces and plant back doors in the compromised system. Having obtained administrator privileges, a kernel-level rootkit steals the victim's private data or takes unauthorized actions without the user's permission. Current intrusion detection and system recovery technology has lagged far behind kernel-level rootkit technology, leaving operating systems connected to the Internet under continuous attack.

The newest kernel-level rootkits compromise operating system security by tampering with dynamic kernel data structures at run time to achieve a variety of malicious goals. This approach is stealthier, harder to discover and harder to recover from, and poses a serious challenge to system security.

This thesis proposes a virtual-machine-based architecture for system recovery that combines detection of kernel data structure invariant violations with snapshot-based recovery, and implements a prototype tool, IDRS (Intrusion Detection and Recovery System). By monitoring the operating system's state in real time, the intrusion of a kernel-level rootkit that violates the system's invariants can be detected effectively, which then triggers a corresponding recovery action. By combining copy-on-write, redirect-on-write and incremental snapshot techniques, IDRS maintains high-performance snapshots and can restore a compromised operating system to a secure state. In our experiments, we found that IDRS detects kernel-level rootkits that corrupt both control and non-control data structures, and recovers the system from them. Both the false positive rate and the recovery overhead are negligible.
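As an added illustration (not code from the thesis or from the IDRS prototype), the following user-space C program models the detect-then-recover loop described above. Guest kernel memory is a small page-granular buffer holding a syscall table (control data) and a circular task list plus a pid hash (non-control data). Every guest write passes through a monitor hook that saves a page's pre-write contents on its first modification since the last snapshot (copy-on-write; clean pages are never copied, so successive snapshots are incremental). Two invariants are checked, and a violation rolls the dirty pages back. The page size, kernel text bounds, the module address used by the simulated hook and the struct layouts are assumed values, and redirect-on-write is not modelled.

```c
/* Added example, not the thesis's IDRS code: user-space model of invariant
 * detection over kernel data structures with copy-on-write snapshot rollback.
 * Page size, text bounds, addresses and layouts below are assumed values. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PAGE_SIZE = 64, NR_PAGES = 3, NR_SYSCALLS = 8, NR_TASKS = 4 };
#define KTEXT_START 0xffffffff81000000ULL   /* assumed kernel text range */
#define KTEXT_END   0xffffffff82000000ULL

struct task { int pid, next, prev, pad; };  /* 16 bytes; next/prev are slot indices */
struct kmem {                               /* modelled guest memory, 3 pages */
    uint64_t sys_call_table[NR_SYSCALLS];   /* page 0: control data */
    struct task tasks[NR_TASKS];            /* page 1: circular list, slot 0 = init */
    int pid_hash[NR_TASKS];                 /* page 2: second view of live pids, 0 = free */
    char pad[PAGE_SIZE - NR_TASKS * sizeof(int)];
};

static struct kmem km;                          /* live guest memory */
static unsigned char snap[NR_PAGES][PAGE_SIZE]; /* pre-write copies of dirty pages */
static int dirty[NR_PAGES];                     /* pages written since the last snapshot */

/* Clean guest: syscalls inside kernel text, a consistent list and pid hash. */
static void boot(void) {
    int i;
    memset(&km, 0, sizeof km);
    memset(dirty, 0, sizeof dirty);
    for (i = 0; i < NR_SYSCALLS; i++) km.sys_call_table[i] = KTEXT_START + 0x1000ULL * (i + 1);
    for (i = 0; i < NR_TASKS; i++) {
        km.tasks[i].pid  = km.pid_hash[i] = i + 1;
        km.tasks[i].next = (i + 1) % NR_TASKS;
        km.tasks[i].prev = (i + NR_TASKS - 1) % NR_TASKS;
    }
}

/* Every guest write is intercepted: the first write to a page since the last
 * snapshot saves the old page first (copy-on-write); untouched pages cost nothing. */
static void kwrite(size_t off, const void *src, size_t len) {
    size_t p;
    for (p = off / PAGE_SIZE; p <= (off + len - 1) / PAGE_SIZE; p++)
        if (!dirty[p]) { memcpy(snap[p], (char *)&km + p * PAGE_SIZE, PAGE_SIZE); dirty[p] = 1; }
    memcpy((char *)&km + off, src, len);
}
/* Accept the current state as the new baseline; only pages dirtied from now on
 * are copied again (incremental). */
static void snapshot_commit(void) { memset(dirty, 0, sizeof dirty); }
/* Roll every dirty page back to its saved copy; returns the number restored. */
static int recover(void) {
    int p, n = 0;
    for (p = 0; p < NR_PAGES; p++)
        if (dirty[p]) { memcpy((char *)&km + p * PAGE_SIZE, snap[p], PAGE_SIZE); dirty[p] = 0; n++; }
    return n;
}

/* Control-data invariant: every syscall entry points into kernel text.
 * Returns 0 if it holds, else the 1-based index of the first bad entry. */
static int check_syscall_table(void) {
    int i;
    for (i = 0; i < NR_SYSCALLS; i++)
        if (km.sys_call_table[i] < KTEXT_START || km.sys_call_table[i] >= KTEXT_END) return i + 1;
    return 0;
}

/* Non-control-data invariant: the task list is a well-formed circular doubly
 * linked list through init, and every pid in the hash is on it (cross-view).
 * Returns 0, -1 (broken link), -2 (cycle misses init) or the pid of a hidden task. */
static int check_task_list(void) {
    int seen[NR_TASKS] = {0}, t = 0, i, steps;
    for (steps = 0; steps < NR_TASKS; steps++) {
        int nx = km.tasks[t].next;
        if (nx < 0 || nx >= NR_TASKS || km.tasks[nx].prev != t) return -1;
        seen[t] = 1;
        if ((t = nx) == 0) break;
    }
    if (t != 0) return -2;
    for (i = 0; i < NR_TASKS; i++)
        if (km.pid_hash[i] != 0 && !seen[i]) return km.pid_hash[i];
    return 0;
}

/* One monitor cycle: on a violation roll back and report pages restored; on a
 * clean check commit the state as the new baseline and return 0. */
static int monitor_cycle(void) {
    if (check_syscall_table() != 0 || check_task_list() != 0) return recover();
    snapshot_commit();
    return 0;
}
/* Simulated rootkit 1: redirect a syscall entry to (assumed) module memory. */
static void rootkit_hook_syscall(int nr) {
    uint64_t hook = 0xffffffffa0010000ULL;
    kwrite(offsetof(struct kmem, sys_call_table) + nr * sizeof hook, &hook, sizeof hook);
}
/* Simulated rootkit 2 (DKOM): unlink slot t from the list but leave the pid
 * hash alone, so the process keeps running while list walkers cannot see it. */
static void rootkit_hide_task(int t) {
    int nx = km.tasks[t].next, pv = km.tasks[t].prev;
    size_t base = offsetof(struct kmem, tasks);
    kwrite(base + pv * sizeof(struct task) + offsetof(struct task, next), &nx, sizeof nx);
    kwrite(base + nx * sizeof(struct task) + offsetof(struct task, prev), &pv, sizeof pv);
}

int main(void) {
    int v, n;
    boot();
    rootkit_hook_syscall(3);  v = check_syscall_table(); n = monitor_cycle();
    printf("hooked entry %d, restored %d page(s)\n", v, n);
    rootkit_hide_task(2);     v = check_task_list();     n = monitor_cycle();
    printf("hidden pid %d, restored %d page(s)\n", v, n);
    return 0;
}
```

The cross-view comparison in check_task_list is what catches DKOM-style process hiding: the hidden task must stay in the pid hash to keep being scheduled, but is absent from the list, so the two views disagree. A real monitor of this kind reads these structures from outside the guest through the hypervisor rather than through a shared global, and the rollback operates on guest physical pages rather than on a C struct.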
Keywords/Search Tags: Intrusion detection, Detection of kernel data structure invariants, System recovery, Incremental snapshot