An Integrated Architecture for Automatic Indication, Avoidance and Profiling of Kernel Rootkit Attacks

Abstract: The objective of this project is to mitigate or eliminate the threat that kernel rootkits pose to production computer systems. The main goal of this research is the development of an integrated, virtualization-based architecture for automatic indication, avoidance and profiling of kernel rootkit attacks while maintaining non-stop production system operation. Under this architecture, a production system (running as a virtual machine, or VM) executes at full speed under normal circumstances, while the proposed architecture watches for the first sign of a kernel rootkit attack and indicates the attack right before it strikes. In response, the production VM splits into two copies: one is the same production VM, which keeps running uninterrupted and without the negative impact of the rootkit; the other is a live profiling VM, which generates a multi-aspect profile of the kernel rootkit. Moreover, this profile guides the generation of a variety of kernel attack defense techniques, which are then applied back to the production system to shield it from future rootkit attacks.