A Study on Process-hidden Rootkit Detection Mechanism in Cloud Service Environments

Master's === Da-Yeh University === Master's Program, Department of Information Management === 101 === As cloud services have matured, their advantages have also given hackers an easy way to create complicated and sophisticated attack techniques. Rootkits are often used in these techniques, and a sophisticated kind is the Trojan-based rootkit. In th...


Bibliographic Details
Main Authors: Cheng-Hua Chi, 杞承樺
Other Authors: Woei-Jiunn Tsaur
Format: Others
Language: zh-TW
Published: 2013
Online Access: http://ndltd.ncl.edu.tw/handle/37856256552890637490
id ndltd-TW-101DYU00396003
record_format oai_dc
spelling ndltd-TW-101DYU00396003 2015-10-13T22:24:28Z http://ndltd.ncl.edu.tw/handle/37856256552890637490 A Study on Process-hidden Rootkit Detection Mechanism in Cloud Service Environments 雲端服務環境之程序隱藏型Rootkit偵測機制研究 Cheng-Hua Chi 杞承樺 Master's Da-Yeh University Master's Program, Department of Information Management 101 Woei-Jiunn Tsaur 曹偉駿 2013 學位論文 ; thesis 58 zh-TW
collection NDLTD
language zh-TW
format Others
sources NDLTD
description Master's === Da-Yeh University === Master's Program, Department of Information Management === 101 === As cloud services have matured, their advantages have also given hackers an easy way to create complicated and sophisticated attack techniques. Rootkits are often used in these techniques, and a sophisticated kind is the Trojan-based rootkit. In this combined rootkit technique, “removing double linked list” and “using system services” are very hard to detect, which is why it lets users download data unknowingly and spreads gradually to neighboring systems and networks when files are opened. The attack hides and waits for an opportunity, and is controlled by a remote server. After instructions are conveyed, it pretends to be a legitimate process or thread and steals important information, transferring it over the network back to the attacker. This technique is called an “APT” (Advanced Persistent Threat), which has become a major threat to cloud services. Although well-known anti-virus software can detect process-hidden rootkits, it still fails when confronted with mixed rootkits. Therefore, this research develops a mechanism for detecting process-hidden rootkits in cloud operating systems to prevent APT attacks on clouds, which can effectively detect mixed rootkits that combine “removing double linked list” and “using system services”. Moreover, the proposed mechanism can help anti-virus software and cloud system service providers develop a complete protection mechanism against rootkit attacks.
author2 Woei-Jiunn Tsaur
author_facet Woei-Jiunn Tsaur
Cheng-Hua Chi
杞承樺
author Cheng-Hua Chi
杞承樺
title A Study on Process-hidden Rootkit Detection Mechanism in Cloud Service Environments
publishDate 2013
url http://ndltd.ncl.edu.tw/handle/37856256552890637490