Granted patent
- Patent title: Rootkit monitoring agent built into an operating system kernel
- Patent title (Chinese): Rootkit监控代理内置于操作系统内核
- Application number: US13959168; Filing date: 2013-08-05
- Publication number: US08856932B2; Publication date: 2014-10-07
- Inventor: Jayakrishnan Ramalingam
- Applicant: International Business Machines Corporation
- Applicant address: Armonk, NY, US
- Assignee: International Business Machines Corporation
- Current assignee: International Business Machines Corporation
- Current assignee address: Armonk, NY, US
- Agency: Schmeiser, Olsen & Watts
- Agent: John Pivnichny
- Primary classification: G06F21/56
- IPC classifications: G06F21/56 ; G06F12/14 ; G06F21/52 ; G06F21/55
Abstract:
An approach for detecting a kernel-level rootkit is presented. A changed entry in a System Service Descriptor Table (SSDT) or an Interrupt Descriptor Table (IDT) is detected. The changed entry results from an installation of suspect software. The changed entry is determined to be not referenced by a white list. A black list is updated to reference the changed entry to indicate the changed entry results from an installation of the kernel-level rootkit. The suspect software is determined to be the kernel-level rootkit based on the changed entry not being referenced by the white list. The changed entry is restored to an entry included in a first state of an operating system kernel. The first state is based on the SSDT and IDT referencing hooks indicated in the white list, where the hooks are not the result of an installation of any kernel-level rootkit.
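The detection loop the abstract describes (compare the current SSDT/IDT against a trusted first state, accept changes whose hook target is on the white list, record any other changed entry on the black list, treat the installing software as a kernel-level rootkit, and restore the entry to its first-state value) is shown below as an added Python simulation. This is not code from the patent or from IBM: the tables are modelled as plain dictionaries, the handler addresses, the white-list entry and the tampered snapshot are constructed sample values, and "restoring" an entry only rewrites the in-memory copy.

```python
"""Simulation of the SSDT/IDT integrity check described in the abstract.

Every address and table below is a constructed sample value; nothing here
reads or writes a real kernel table.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# A kernel dispatch table is modelled as: index (service number or interrupt
# vector) -> address of the handler that entry currently points at.
Table = Dict[int, int]


@dataclass
class Finding:
    table: str                  # "SSDT" or "IDT"
    index: int                  # service number / interrupt vector
    old_target: Optional[int]   # handler address in the trusted first state
    new_target: int             # handler address observed now
    verdict: str                # "whitelisted" or "rootkit"


@dataclass
class KernelTableMonitor:
    # First (trusted) state of each table. Per the abstract this state already
    # contains the hooks named in the white list, so they never show up as changes.
    baseline: Dict[str, Table]
    # Handler addresses of hooks known to be legitimate (constructed here).
    white_list: Set[int]
    # Handler addresses attributed to a rootkit; grows as detections happen.
    black_list: Set[int] = field(default_factory=set)

    def check(self, current: Dict[str, Table]) -> Tuple[List[Finding], Dict[str, Table]]:
        """Compare `current` with the baseline.

        A changed entry whose new target is on the white list is accepted.
        Any other changed entry is added to the black list, reported as a
        rootkit hook and reverted to the baseline value in the returned copy.
        Returns (findings, restored_tables).
        """
        findings: List[Finding] = []
        restored: Dict[str, Table] = {name: dict(t) for name, t in current.items()}
        for name, table in current.items():
            base = self.baseline[name]
            for idx, target in table.items():
                old = base.get(idx)
                if old == target:
                    continue                       # entry unchanged
                if target in self.white_list:
                    findings.append(Finding(name, idx, old, target, "whitelisted"))
                    continue                       # legitimate hook, keep it
                self.black_list.add(target)        # remember the rogue target
                findings.append(Finding(name, idx, old, target, "rootkit"))
                if old is None:
                    restored[name].pop(idx)        # entry did not exist in first state
                else:
                    restored[name][idx] = old      # restore first-state handler
        return findings, restored


def suspect_is_rootkit(findings: List[Finding]) -> bool:
    """The suspect software is a kernel-level rootkit if any of its changes
    landed outside the white list."""
    return any(f.verdict == "rootkit" for f in findings)


def run_demo() -> Tuple[KernelTableMonitor, List[Finding], Dict[str, Table]]:
    """Build constructed tables, tamper with them and run one check."""
    baseline = {
        "SSDT": {0: 0x80001000, 1: 0x80001100, 2: 0x80001200},
        "IDT": {0x2E: 0x80002000, 0x80: 0x80002100},
    }
    # Constructed address of a hook handler that is known to be legitimate.
    monitor = KernelTableMonitor(baseline=baseline, white_list={0x80003000})

    # Snapshot taken after some software was installed (constructed):
    # - SSDT[1] now points at the whitelisted handler (benign hook)
    # - SSDT[2] and IDT[0x2E] point at unknown handlers (rootkit hooks)
    after_install = {
        "SSDT": {0: 0x80001000, 1: 0x80003000, 2: 0xDEADB000},
        "IDT": {0x2E: 0xDEADB100, 0x80: 0x80002100},
    }
    findings, restored = monitor.check(after_install)
    return monitor, findings, restored


if __name__ == "__main__":
    mon, found, fixed = run_demo()
    for f in found:
        print(f"{f.table}[{f.index:#x}]: {f.old_target:#x} -> {f.new_target:#x} ({f.verdict})")
    print("rootkit detected:", suspect_is_rootkit(found))
    print("black list:", sorted(hex(a) for a in mon.black_list))
    print("restored SSDT:", {k: hex(v) for k, v in fixed["SSDT"].items()})
```

The check compares by handler address rather than by the identity of the installing software, which is what lets a previously unseen rootkit be caught: anything that redirects a table entry away from the trusted state and is not on the white list is reverted and recorded. A real agent would additionally need to take the baseline from a state it trusts and protect the white list itself from modification by the code it is monitoring.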