Volatile Kernel Rootkit hidden process detection in cloud computing

Abstract

The rootkit industry has advanced significantly in the last decade. Attackers want to leave a backdoor for quick reoccurring exploits rather than launching the traditional one-time worm/virus attacks. Meanwhile, as intrusion detection technologies improve, rootkits have grown in popularity. For the attackers to succeed, stealth becomes critical. The primary function of rootkits is to provide stealth. The modifications a rootkit makes conceal the presence of a rootkit. Determining the presence of mutation rootkits was quite challenging. Attackers can silently alter volatile (processes) and non-volatile (files) with the aid of rootkits without being noticed. We suggested the VKRHPDV (Volatile Kernel Rootkit Hidden Process Detection) framework to find the hidden techniques. This system includes process monitors, process comparison analysts, and contaminated process data gathering. Process monitoring is nothing more than clean process collection in the absence of rootkits, whereas pure process collection has been corrupted by rootkit injection. The process analyzer compares clean and tainted processes, some of which were concealed. VKRHPDV can identify process hiding behaviors in all datasets in the shortest period, according to the findings of an extensive performance analysis carried out on 64 rootkit datasets for each UNIX and Windows kernel in a cloud environment.