[ISN] Finding Rootkits By Monitoring For 'Black Sheep'
Nov 09, 2012
A distributed system that monitors groups of computers sharing the same
operating-system configuration can detect the changes rootkits make
after infection, a group of security researchers from the University of
California at Santa Barbara reported in a recent paper.
Inspired by the homogeneous nature of corporate networks, the computer
scientists developed a system, dubbed Blacksheep, that can monitor the
kernel memory dumps of a large number of systems for changes that may
indicate a compromise. The technique, which requires no signatures or
foreknowledge of the attacker's code, could help companies detect
attacks that other defensive measures fail to identify, says Christopher
Kruegel, associate professor in the Department of Computer Science at
UCSB and a co-author of the research paper on the system.
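The comparison the paragraph describes, written out as an added example (this is not Blacksheep's own code, which the article does not show): each host's kernel memory dump is split into named regions, each region is hashed, and a host whose hash for a region disagrees with the majority of its group is reported as the black sheep. The region names, the host names, the dump contents, the hooked bytes and the thresholds are all constructed here for illustration; on real systems the regions would come from a memory acquisition tool.

```python
"""Majority-vote comparison of kernel memory regions across a fleet.

Illustration of the Blacksheep idea (example code, not the paper's tool):
hosts sharing one OS configuration should have identical kernel code and
entry-point tables, so a region that differs on a small minority of
hosts is suspicious. No signature of the rootkit is needed.
"""
import hashlib
from collections import Counter


def baseline_dump():
    """Constructed stand-in for a clean kernel dump: region -> raw bytes.
    Real dumps would cover e.g. kernel .text, the system call table and
    loaded driver code, taken by a memory acquisition tool."""
    table_base = 0xFFFFFFFF81000000  # assumed address, for illustration only
    return {
        "kernel_text": bytes(range(256)) * 4,
        "syscall_table": b"".join(
            (table_base + 0x100 * i).to_bytes(8, "little") for i in range(64)
        ),
        "driver_code": b"\x90" * 512,
    }


def region_hashes(dump):
    """Hash every region so dumps can be compared without shipping them."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in dump.items()}


def find_black_sheep(dumps, min_group=3, max_minority_ratio=0.25):
    """dumps: host -> {region -> bytes}.  Returns {host: [region, ...]} for
    hosts whose region hash disagrees with the group majority.

    A region where more than max_minority_ratio of hosts disagree is
    treated as legitimately variable (per-host data, mixed patch levels)
    and skipped, which keeps false positives down at the cost of missing
    a compromise that has already spread widely."""
    if len(dumps) < min_group:
        raise ValueError("need at least %d hosts for a meaningful vote" % min_group)
    hashes = {host: region_hashes(d) for host, d in dumps.items()}
    regions = set().union(*(h.keys() for h in hashes.values()))
    suspects = {}
    for region in sorted(regions):
        votes = Counter(h.get(region) for h in hashes.values())
        majority_hash, majority_count = votes.most_common(1)[0]
        dissent = len(dumps) - majority_count
        if dissent == 0 or dissent / len(dumps) > max_minority_ratio:
            continue
        for host, h in hashes.items():
            if h.get(region) != majority_hash:
                suspects.setdefault(host, []).append(region)
    return suspects


def sample_fleet():
    """Eight constructed hosts; web-05 carries two rootkit-style edits."""
    fleet = {"web-%02d" % i: baseline_dump() for i in range(1, 9)}
    hooked = dict(fleet["web-05"])
    # Constructed compromise 1: one syscall table slot redirected to an
    # address outside the kernel image (a classic sys_call_table hook).
    table = bytearray(hooked["syscall_table"])
    table[8 * 2:8 * 3] = (0xFFFFFFFFC0001000).to_bytes(8, "little")
    hooked["syscall_table"] = bytes(table)
    # Constructed compromise 2: first bytes of kernel text replaced by a
    # jmp rel32, i.e. an inline hook.
    text = bytearray(hooked["kernel_text"])
    text[0:5] = b"\xe9\x00\x10\x00\x00"
    hooked["kernel_text"] = bytes(text)
    fleet["web-05"] = hooked
    return fleet


if __name__ == "__main__":
    for host, regions in find_black_sheep(sample_fleet()).items():
        print("%s diverges from the group in: %s" % (host, ", ".join(regions)))
```

The vote is per region, not per host, so a host is only flagged for the specific regions in which it differs, which is what an analyst needs to start looking at the right memory. The `max_minority_ratio` guard is the practical caveat: the method assumes the majority is clean, and it goes blind once a compromise has spread to enough hosts that the infected state becomes the majority.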
"We are not solving the general malware problem, but against the
important crop of kernel-level rootkits and kernel-level modifications
and exploits, it is a very powerful and very robust and general tool,"
The research (PDF), presented at last month's ACM Conference on Computer
and Communications Security, demonstrated that in a cloud provider's
network of virtual machines, the technique works extremely well, but it
has significant challenges to overcome in a real-world network of