Detecting Rootkits Through Analysis of Network and Disk Data Flows in Home Computers

Tuesday Oct. 19, 2010
Location: Hamerschlag Hall D-210
Time: 4:00PM

Peter Klemperer
Carnegie Mellon University


Home computers with broadband connections have become common household items for their useful and powerful applications integrated with many of our everyday activities. Unfortunately, modern computers' user-friendly graphical interfaces provide only a thin veil over their true complexity, which is at a level unlike any other household items. This is especially true when it comes to computer security, which can be overwhelming for even seasoned computing professionals. Strong security for everyday users must be preconfigured in the computer, ready to perform out of the box, and self-maintaining over time. We propose the Full System Integrity Manager, a user-transparent virtualization platform supporting advanced virus detection and application-specific OS monitoring.

In this talk I will discuss my current implementation of the Full System Integrity Manager. I will focus on two novel mechanisms for rootkit detection and data exfiltration prevention. The Disk Integrity Manager monitors for disk activity at the virtual machine-host and -guest levels. Similarly, the Network Integrity Manager monitors network activity at the VM-host virtual network and the guest OS network stack. Mismatches between reported activity from the guest OS and observed activity at the host indicate the presence of malicious activity on the guest.


Peter F. Klemperer is a third year PhD student at Carnegie Mellon (ECE), advised by James C. Hoe. He completed his Masters Degree in Electrical and Computer Engineering at the University of Illinois at Urbana-Champaign in 2008. His research interests include security and privacy in consumer-targeted computing.

Back to the seminar page