loading
Papers Papers/2022 Papers Papers/2022

Research.Publish.Connect.

Paper

Authors: Nezer Zaidenberg 1 ; Michael Kiperberg 2 ; Eliav Menachi 3 and Asaf Eitani 3

Affiliations: 1 Department of Computer Science, Ariel University, Ariel, Israel ; 2 Department of Software Engineering, Shamoon College of Engineering, Bear Sheva, Israel ; 3 Faculty of Computer Science, College of Management Academic Studies, Rishon Le Zion, Israel

Keyword(s): eBPF, Rootkit, Virtualization, Forensics.

Abstract: There is a constant increase in the sophistication of cyber threats. Areas considered immune to malicious code, such as eBPF, are shown to be perfectly suitable for malware. Initially, the eBPF mechanism was devised to inject small programs into the kernel, assisting in network routing and filtering. Recently, it was demonstrated that malicious eBPF programs can be used to construct rootkits. The previously proposed countermeasures need to be revised against rootkits that attempt to hide their presence. We propose a novel detection scheme that divides the detection process into two phases. In the first phase, the memory image of the potentially infected system is acquired using a hypervisor. In the second phase, the image is analyzed. The analysis includes extraction and classification of the eBPF programs. The classifier’s decision is based on the set of helper functions used by each eBPF program. Our study revealed a set of helper functions used only by malicious eBPF programs. The proposed scheme achieves optimal precision while suffering only a minor performance penalty for each additional eBPF program. (More)

CC BY-NC-ND 4.0

Sign In Guest: Register as new SciTePress user now for free.

Sign In SciTePress user: please login.

PDF ImageMy Papers

You are not signed in, therefore limits apply to your IP address 3.149.28.185

In the current month:
Recent papers: 100 available of 100 total
2+ years older papers: 200 available of 200 total

Paper citation in several formats:
Zaidenberg, N.; Kiperberg, M.; Menachi, E. and Eitani, A. (2024). Detecting eBPF Rootkits Using Virtualization and Memory Forensics. In Proceedings of the 10th International Conference on Information Systems Security and Privacy - ICISSP; ISBN 978-989-758-683-5; ISSN 2184-4356, SciTePress, pages 254-261. DOI: 10.5220/0012470800003648

@conference{icissp24,
author={Nezer Zaidenberg. and Michael Kiperberg. and Eliav Menachi. and Asaf Eitani.},
title={Detecting eBPF Rootkits Using Virtualization and Memory Forensics},
booktitle={Proceedings of the 10th International Conference on Information Systems Security and Privacy - ICISSP},
year={2024},
pages={254-261},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0012470800003648},
isbn={978-989-758-683-5},
issn={2184-4356},
}

TY - CONF

JO - Proceedings of the 10th International Conference on Information Systems Security and Privacy - ICISSP
TI - Detecting eBPF Rootkits Using Virtualization and Memory Forensics
SN - 978-989-758-683-5
IS - 2184-4356
AU - Zaidenberg, N.
AU - Kiperberg, M.
AU - Menachi, E.
AU - Eitani, A.
PY - 2024
SP - 254
EP - 261
DO - 10.5220/0012470800003648
PB - SciTePress