Skip to main content
Article thumbnail
Location of Repository


By Doug Wampler and James Graham


There are a variety of methods available to detect modern Linux kernel module rootkits. However, most existing methods rely on system specific a priori knowledge for full detection functionality. Either (a) some application must be installed when the system is deployed, as is typical with host based intrusion detection, or (b) system metrics must be saved to a secure location when the system is deployed, or (c) both of these actions must be performed. It is noted, however, that some of these methods do offer partial functionality when installed on an already infected system. This paper proposes a technique to detect Linux Kernel Module (LKM) rootkits that does not require system specific a priori knowledge, but rather just knowledge about the Linux operating system in general. This technique relies on outlier analysis and statistical techniques, is more formal and rigorous than most existing detection methods, and initial results indicate that Linux Kernel Module rootkit detection is possible with a high degree of confidence

Topics: Intrusion Detection, Operating System Forensics, Outlier Analysis, Real Time Forensic Analysis, Rootkit Detection
Year: 2009
OAI identifier: oai:CiteSeerX.psu:
Provided by: CiteSeerX
Download PDF:
Sorry, we are unable to provide the full text but you may find it at the following location(s):
  • (external link)
  • http://kappa.slug.louisville.e... (external link)
  • Suggested articles

    To submit an update or takedown request for this paper, please submit an Update/Correction/Removal Request.