Title page for ETD etd-03172004-115855


Type of Document Dissertation
Author Levine, John Glenn
Author's Email Address levine@ece.gatech.edu
URN etd-03172004-115855
Title A Methodology for Detecting and Classifying Rootkit Exploits
Degree Doctor of Philosophy
Department Electrical and Computer Engineering
Advisory Committee
Advisor Name Title
Henry Owen Committee Chair
Copeland Committee Member
Douglas Williams Committee Member
Randal Abler Committee Member
Wenke Lee Committee Member
Keywords
  • Computer Security
  • Rootkits
Date of Defense 2004-03-17
Availability unrestricted
Abstract
A Methodology for Detecting and Classifying Rootkit Exploits

John G. Levine

164 Pages

Directed by Dr. Henry L. Owen

We propose a methodology to detect and classify rootkit exploits. The goal of this research is to provide system administrators, researchers, and security personnel with the information necessary in order to take the best possible recovery actions concerning systems that are compromised by rootkits. There is no such methodology available at present to perform this function. This may also help to detect and fingerprint additional instances and prevent further security incidents involving rootkits. A formal framework was developed in order to define rootkit exploits as an existing rootkit, a modification to an existing rootkit, or an entirely new rootkit. A methodology was then described in order to apply this framework against rootkits that are to be investigated. We then proposed some new methods to detect and characterize specific types of rootkit exploits. These methods consisted of identifying unique string signatures of binary executable files as well as examining the system call table within the system kernel. We established a Honeynet in order to aid in our research efforts and then applied our methodology to a previously unseen rootkit that was targeted against the Honeynet. By using our methodology we were able to uniquely characterize this rootkit and identify some unique signatures that could be used in the detection of this specific rootkit. We applied our methodology against nine additional rootkit exploits and were able to identify unique characteristics for each of these rootkits. These characteristics could also be used in the prevention and detection of these rootkits.

Files
  Filename: john_g_levine_200405_phd.pdf
  Size: 1.18 Mb
  Approximate Download Time (Hours:Minutes:Seconds):
    28.8 Modem: 00:05:27
    56K Modem: 00:02:48
    ISDN (64 Kb): 00:02:27
    ISDN (128 Kb): 00:01:13
    Higher-speed Access: 00:00:06

Page Updated: June 11, 2003