3.8 Proceedings Paper

A Review on Learning-based Detection Approaches of the Kernel-level Rootkit

Publisher

IEEE
DOI: 10.1109/ICEET53442.2021.9659710

Keywords

kernel-level rootkit; kernel rootkit detection; machine learning; stealth malware; detection review

The kernel is the core part of a computer operating system, and kernel-level rootkits present a significant security threat by hiding their presence and malicious activities. Detection systems based on learning are effective in automatically detecting both known and unknown attacks.
The core part of the computer operating system that plays an important role in managing computer resources is the kernel. One of the most elusive types of malware in recent times that poses a significant security threat to the computer operating system kernel is the kernel-level rootkit. The kernel-level rootkit can hide its presence and malicious activities by modifying the kernel control flow, by hooking in the kernel space, or by manipulating kernel objects. As a kernel-level rootkit changes the kernel, it is difficult for user-level security tools to detect it. In the past few years, researchers have proposed and experimented with many detection systems to detect the evolving kernel-level rootkit. A learning-based detection is an excellent approach to automatically detect known and unknown attacks with high accuracy. In this paper, we have reviewed the prior learning-based approaches in the literature that detect the kernel-level rootkit. We have also discussed the strengths and weaknesses of prior learning-based detection approaches against the kernel-level rootkit. The paper ends with open issues, challenges, and future research directions for kernel-level rootkit detection.

Authors
