<div class="csl-bib-body">
<div class="csl-entry">Landauer, M., Alton, L., Lindorfer, M., Skopik, F., Wurzenberger, M., & Hotwagner, W. (2025). Trace of the Times: Rootkit Detection through Temporal Anomalies in Kernel Activity. <i>Digital Threats: Research and Practice</i>, <i>6</i>(4), 1–26. https://doi.org/10.1145/3770085</div>
</div>
-
dc.identifier.issn
2692-1626
-
dc.identifier.uri
http://hdl.handle.net/20.500.12708/223677
-
dc.description.abstract
Kernel-space rootkits provide adversaries with permanent high-privileged access to compromised systems and are often a key element of sophisticated attack chains. At the same time, they enable stealthy operation and are thus difficult to detect. To stay hidden, they inject code into kernel functions so that their artifacts remain invisible to users, for example, by manipulating file enumerations. Existing detection approaches are insufficient because they rely on signatures that are unable to detect novel rootkits or require domain knowledge about the rootkits to be detected. To overcome this challenge, our approach leverages the fact that the runtimes of kernel functions targeted by rootkits increase when additional code is executed. The framework outlined in this article injects probes into the kernel to measure timestamps of functions within relevant system calls, computes distributions of function execution times, and uses statistical tests to detect time shifts. The evaluation of our open source implementation on publicly available datasets indicates high detection accuracy with an F1 score of 98.7% across five scenarios with varying system states.
en
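The detection idea in the abstract (probe execution times per kernel function, build a baseline distribution, test a later window for a shift) can be illustrated end to end with a small two-sample Kolmogorov-Smirnov test. The block below is an added example written for this record; it is not the authors' open source implementation and does not attach probes to a real kernel. All timings are constructed: Gaussian samples whose means and standard deviations are made up, with function names (iterate_dir, filldir64, vfs_read) and a 350 ns "hook" overhead chosen for illustration only. The KS statistic and the asymptotic p-value are implemented in plain Python so the example runs offline without SciPy.

```python
import math
import random
from collections import defaultdict


def ks_statistic(baseline, observed):
    """Two-sample Kolmogorov-Smirnov statistic D: the largest vertical gap
    between the two empirical CDFs (0 = identical samples, 1 = disjoint)."""
    a, b = sorted(baseline), sorted(observed)
    n, m = len(a), len(b)
    i = j = 0
    d = 0.0
    while i < n and j < m:
        v = min(a[i], b[j])
        # step past every tie on both sides before comparing the CDFs
        while i < n and a[i] == v:
            i += 1
        while j < m and b[j] == v:
            j += 1
        d = max(d, abs(i / n - j / m))
    return d


def ks_pvalue(d, n, m):
    """Asymptotic p-value of D for sample sizes n and m (Kolmogorov series,
    with the small-sample correction used in Numerical Recipes' probks)."""
    en = math.sqrt(n * m / (n + m))
    lam = (en + 0.12 + 0.11 / en) * d
    if lam <= 0.0:
        return 1.0
    total = 0.0
    for k in range(1, 200):
        term = 2.0 * (-1.0) ** (k - 1) * math.exp(-2.0 * k * k * lam * lam)
        total += term
        if abs(term) < 1e-12:
            break
    return min(1.0, max(0.0, total))


def durations_by_function(trace):
    """Group probe records {"syscall", "function", "ns"} by probed function."""
    out = defaultdict(list)
    for rec in trace:
        out[rec["function"]].append(rec["ns"])
    return dict(out)


def detect_time_shifts(baseline_trace, observed_trace, alpha=0.05):
    """Compare each function's execution-time distribution in the observed
    window against its baseline; flag it when the KS test rejects at alpha."""
    base = durations_by_function(baseline_trace)
    obs = durations_by_function(observed_trace)
    results = {}
    for fn in sorted(set(base) & set(obs)):
        d = ks_statistic(base[fn], obs[fn])
        p = ks_pvalue(d, len(base[fn]), len(obs[fn]))
        results[fn] = {"D": d, "p": p, "shifted": p < alpha}
    return results


def synthetic_trace(samples, seed, overhead_ns=None):
    """Constructed stand-in for a kernel probe trace (not real measurements):
    execution times in ns of functions on the getdents64 and read paths, drawn
    from Gaussians with made-up parameters. overhead_ns adds constant extra
    work to a function, mimicking a hook that filters directory entries."""
    rng = random.Random(seed)
    overhead_ns = overhead_ns or {}
    # (syscall, function, mean ns, std dev ns) -- all values are invented
    profile = [
        ("getdents64", "iterate_dir", 4200.0, 400.0),
        ("getdents64", "filldir64", 900.0, 90.0),
        ("read", "vfs_read", 3100.0, 300.0),  # untouched control path
    ]
    trace = []
    for _ in range(samples):
        for syscall, fn, mu, sigma in profile:
            ns = rng.gauss(mu + overhead_ns.get(fn, 0.0), sigma)
            trace.append({"syscall": syscall, "function": fn, "ns": ns})
    return trace


def run_demo():
    """Baseline window, a clean window, and a window where a hypothetical
    hook on filldir64 adds 350 ns (which its caller iterate_dir also pays)."""
    baseline = synthetic_trace(500, seed=1)
    clean = synthetic_trace(300, seed=2)
    hooked = synthetic_trace(300, seed=3,
                             overhead_ns={"filldir64": 350.0, "iterate_dir": 350.0})
    return detect_time_shifts(baseline, clean), detect_time_shifts(baseline, hooked)


if __name__ == "__main__":
    for label, res in zip(("clean window", "hooked window"), run_demo()):
        print(label)
        for fn, r in res.items():
            print(f"  {fn:12s} D={r['D']:.3f} p={r['p']:.2e} shifted={r['shifted']}")
```

Two practical caveats the synthetic data hides. Real kernel timings are heavy-tailed and depend on cache state, load and frequency scaling, so a baseline captured under different conditions than the observation window produces shifts that have nothing to do with a rootkit; this is why the evaluation in the article spans several system states, and why an untouched control path (vfs_read above) is worth keeping as a sanity check. Second, a hook's overhead propagates to every caller on the path, so correlated shifts along a call chain (filldir64 and iterate_dir together, vfs_read unchanged) are stronger evidence than a single flagged function.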
dc.language.iso
en
-
dc.publisher
Association for Computing Machinery (ACM)
-
dc.relation.ispartof
Digital Threats: Research and Practice
-
dc.subject
rootkit detection
en
dc.subject
kernel tracing
en
dc.subject
anomaly detection
en
dc.subject
intrusion detection
en
dc.subject
semi-supervised learning
en
dc.title
Trace of the Times: Rootkit Detection through Temporal Anomalies in Kernel Activity