A Method for Detecting Linux Kernel Module Rootkits

There are a variety of methods available to detect modern Linux kernel module rootkits. However, most existing methods rely on system specific a priori knowledge for full detection functionality. Either (a) some application must be installed when the system is deployed, as is typical with host based intrusion detection, or (b) system metrics must be saved to a secure location when the system is deployed, or (c) both of these actions must be performed. It is noted, however, that some of these methods do offer partial functionality when installed on an already infected system. This paper proposes a technique to detect Linux Kernel Module (LKM) rootkits that does not require system specific a priori knowledge, but rather just knowledge about the Linux operating system in general. This technique relies on outlier analysis and statistical techniques, is more formal and rigorous than most existing detection methods, and initial results indicate that Linux Kernel Module rootkit detection is possible with a high degree of confidence.