
[ISN] Finding Rootkits By Monitoring For 'Black Sheep'


Dark Reading
Nov 09, 2012

A distributed system of monitoring groups of computers using the same operating-system configuration can detect the changes wrought by rootkits following infection, a group of security researchers from the University of California at Santa Barbara reported in a recent paper.

Inspired by the homogeneous nature of corporate networks, the computer scientists developed a system, dubbed Blacksheep, that can monitor the kernel memory dumps of a large number of systems for changes that may indicate a compromise. The technique, which requires no signatures or foreknowledge of the attacker's code, could help companies detect attacks that other defensive measures fail to identify, says Christopher Kruegel, associate professor in the Department of Computer Science at UCSB and a co-author of the research paper on the system.

"We are not solving the general malware problem, but against the important crop of kernel-level rootkits and kernel-level modifications and exploits, it is a very powerful and very robust and general tool," he says.

The research (PDF), presented at last month's ACM Conference on Computer and Communications Security, demonstrated that in a cloud provider's network of virtual machines, the technique works extremely well, but it has significant challenges to overcome in a real-world network of employee workstations.
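To make the idea concrete, here is an added toy version of the majority-vote comparison in Python. It is not code from the Blacksheep paper or from Dark Reading; the region names, the sample "dumps" and the max_variants noise heuristic are all constructed for illustration.

```python
import hashlib
from collections import Counter

def region_fingerprints(dump):
    """Hash every region of one dump so hosts can be compared region by region."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in dump.items()}

def find_black_sheep(dumps, max_variants=2):
    """Return {host: [divergent regions]} for hosts that disagree with the majority.

    dumps: {host: {region_name: bytes}} collected from machines sharing one build.
    Assumption (ours, not the paper's): a region with more than max_variants
    distinct values across the fleet is legitimately volatile (per-host data)
    and is not used as evidence; only regions a strict majority agrees on are.
    """
    fps = {host: region_fingerprints(d) for host, d in dumps.items()}
    regions = set().union(*(fp.keys() for fp in fps.values()))
    majority = {}
    for region in regions:
        counts = Counter(fp.get(region) for fp in fps.values())
        if len(counts) > max_variants:
            continue  # too noisy to vote on
        value, votes = counts.most_common(1)[0]
        if votes > len(fps) / 2:  # a strict majority defines the baseline
            majority[region] = value
    suspects = {}
    for host, fp in fps.items():
        diverging = sorted(r for r, v in majority.items() if fp.get(r) != v)
        if diverging:
            suspects[host] = diverging
    return suspects

# Constructed sample fleet: five workstations on the same kernel build.
CLEAN_SYSCALL = bytes(range(64))       # stand-in for a pristine sys_call_table
CLEAN_TEXT = b"kernel .text" * 4       # stand-in for kernel code pages
SAMPLE_DUMPS = {
    f"ws-{i:02d}": {
        "sys_call_table": CLEAN_SYSCALL,
        "kernel_text": CLEAN_TEXT,
        "jiffies": i.to_bytes(8, "little"),  # legitimately differs per host
    }
    for i in range(1, 6)
}
# ws-03 has its first syscall entry overwritten: the "black sheep".
SAMPLE_DUMPS["ws-03"]["sys_call_table"] = b"\xde\xad" + CLEAN_SYSCALL[2:]

if __name__ == "__main__":
    print(find_black_sheep(SAMPLE_DUMPS))  # {'ws-03': ['sys_call_table']}
```

The per-host "jiffies" region varies everywhere and is ignored, which is the same tension the article points to: on real workstations, much more legitimately varying memory must be told apart from attacker changes.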

