
Trace of the Times: Rootkit Detection through Temporal Anomalies in Kernel Activity

Max Landauer, Leonhard Alton, Martina Lindorfer, Florian Skopik, Markus Wurzenberger, Wolfgang Hotwagner

TL;DR

The paper tackles kernel rootkit detection by exploiting temporal anomalies in kernel activity. It proposes a semi-supervised framework that injects in-kernel probes (via eBPF) to measure fine-grained delta times between inner system-call functions, detecting shifts with quantile-based Mahalanobis testing. A custom rootkit (CARAXES) and open data sets demonstrate high offline accuracy (up to an F1 score around 0.987 for function-grouping) and competitive online performance, with limitations tied to varying system conditions. The work contributes an open-source kernel-tracing toolchain, publicly available rootkit data, and a practical detection approach that complements signatures and cross-view methods for real-time defense. Its significance lies in enabling runtime, low-overhead rootkit detection through detailed internal timing analysis and reproducible evaluation data.

Abstract

Kernel rootkits provide adversaries with permanent high-privileged access to compromised systems and are often a key element of sophisticated attack chains. At the same time, they enable stealthy operation and are thus difficult to detect. To do so, they inject code into kernel functions to appear invisible to users, for example, by manipulating file enumerations. Existing detection approaches are insufficient because they rely on signatures that are unable to detect novel rootkits or require domain knowledge about the rootkits to be detected. To overcome this challenge, our approach leverages the fact that runtimes of kernel functions targeted by rootkits increase when additional code is executed. The framework outlined in this paper injects probes into the kernel to measure time stamps of functions within relevant system calls, computes distributions of function execution times, and uses statistical tests to detect time shifts. The evaluation of our open-source implementation on publicly available data sets indicates high detection accuracy with an F1 score of 98.7% across five scenarios with varying system states.
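The statistical step described above, as an added illustration that is not the paper's open-source toolchain: constructed delta times for one probe pair (such as iterate_dir-enter:iterate_dir-return) are summarized per window by quantiles, and each window's quantile vector is scored by its squared Mahalanobis distance from the clean baseline windows. The sample timings, the 300 ns shift for the hooked function and the "twice the largest baseline distance" threshold rule are assumptions made for this example.

```python
import random
import statistics

def delta_times(rng, n, base, jitter, extra=0.0):
    """Constructed delta times (return - enter, in ns) for one probe pair.
    A hooked function executes extra code, modelled here as the constant `extra`."""
    return [base + extra + rng.gauss(0.0, jitter) for _ in range(n)]

def quantile_features(deltas, qs=(0.5, 0.9, 0.99)):
    """Summarize one window of delta times by selected quantiles (feature vector)."""
    srt = sorted(deltas)
    return [srt[min(len(srt) - 1, int(q * len(srt)))] for q in qs]

def invert(m):
    """Gauss-Jordan inverse of a small square matrix (pure Python, no numpy)."""
    n = len(m)
    a = [list(row) + [float(i == j) for j in range(n)] for i, row in enumerate(m)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(a[r][c]))  # partial pivoting
        a[c], a[p] = a[p], a[c]
        a[c] = [x / a[c][c] for x in a[c]]
        for r in range(n):
            if r != c:
                a[r] = [x - a[r][c] * y for x, y in zip(a[r], a[c])]
    return [row[n:] for row in a]

def fit_baseline(windows):
    """Mean vector and inverse covariance of the quantile vectors of clean windows."""
    feats = [quantile_features(w) for w in windows]
    d, k = len(feats[0]), len(feats)
    mean = [statistics.fmean(f[i] for f in feats) for i in range(d)]
    cov = [[sum((f[i] - mean[i]) * (f[j] - mean[j]) for f in feats) / (k - 1)
            for j in range(d)] for i in range(d)]
    for i in range(d):  # small ridge term keeps the inverse numerically stable
        cov[i][i] += 1e-3 * max(1.0, cov[i][i])
    return mean, invert(cov)

def mahalanobis2(x, mean, inv_cov):
    """Squared Mahalanobis distance of one quantile vector from the baseline."""
    diff = [xi - mi for xi, mi in zip(x, mean)]
    return sum(diff[i] * inv_cov[i][j] * diff[j]
               for i in range(len(diff)) for j in range(len(diff)))

def run_demo():
    """Fit on 50 clean windows, then score one unseen clean and one hooked window."""
    rng = random.Random(7)
    clean = [delta_times(rng, 200, 2000.0, 100.0) for _ in range(50)]
    mean, inv_cov = fit_baseline(clean)
    score = lambda w: mahalanobis2(quantile_features(w), mean, inv_cov)
    threshold = 2.0 * max(score(w) for w in clean)  # assumed threshold rule
    unseen = score(delta_times(rng, 200, 2000.0, 100.0))
    hooked = score(delta_times(rng, 200, 2000.0, 100.0, extra=300.0))
    return {"threshold": threshold, "clean_flagged": unseen > threshold,
            "hooked_flagged": hooked > threshold}

if __name__ == "__main__":
    print(run_demo())
```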

Paper Structure

This paper contains 30 sections, 2 equations, 14 figures, 2 tables.

Figures (14)

  • Figure 1: Overview of our concept that measures system call function timings to detect rootkits through delta time shifts.
  • Figure 2: Excerpt from the getdents call stack and function timings collected with the function tracer (ftrace).
  • Figure 3: Implementation of our eBPF probe.
  • Figure 4: Time measurements at probes iterate_dir-enter:iterate_dir-return (left) and filldir64-return:filldir64-enter (right) depicting longer delta times when the rootkit is active (red) in comparison to normal system behavior (blue).
  • Figure 5: Wrapper for the filldir function.
  • ...and 9 more figures