2016 Cybersecurity Symposium

Neural Network Analysis of System Call Timing

for Rootkit Detection
Patrick Luckett
School of Computing
University of South Alabama
150 Jaguar Drive, Suite 2101
Mobile, AL 36688
Email:
J Todd McDonald
School of Computing
University of South Alabama
150 Jaguar Drive, Suite 2101
Mobile, AL 36688
Joel Dawson
School of Computing
University of South Alabama
150 Jaguar Drive, Suite 2101
Mobile, AL 36688

[email protected] Email:[email protected] Email:[email protected]

Abstract—In the realm of cybersecurity, rootkits pose a
credible threat to individuals, corporations, and governments.
Through various techniques, rootkits are not only able to infect
computer systems, but often times are able to remain undetected
in a host for an extended amount of time by manipulating
system software. The purpose of this paper is to describe what a
rootkit is, how they operate, and how they relate to other types
of malware. Historical data and statistics will be presented in
order to show how rootkits have been employed in cyber attacks.
Different types of rootkits, including user, kernel, and hypervisor
rootkits will be described, as well as the various methods used to
defend against rootkits. We will then present a case study where
neural networks were used to analyze the behavior of a system
both not infected and infected with a rootkit, and categorize the
resulting system calls as anomalous or not.
I. I NTRODUCTION
In this paper we focus on the threat rootkits pose from a
cybersecurity perspective. The term rootkit refers to a program
that has root privileges on a computer, along with the tools it
needs to execute. Having root privileges means a program has
access to the root account on a system, and gives the program
the ability to modify files. This is akin to “admin permission”
on a Windows operating system. The negative connotation
associated with rootkits is not on the rootkit itself, but on
cyberattacks that use rootkits to accomplish their goal. Rootkit
technology has been used by US law enforcement, such as the
FBI’s Magic Lantern for legitimate reasons. The complexity
and use of rootkits has increased over time. Between 2001 and
2005, the use of rootkits on Windows based systems increased
by 2300%, and from 2000 to 2005, the complexity of rootkits
grew by 400% [29]. In 2004, of the 15000 trojans reported by
McAfee, 87% were rootkits [29].
In this paper we present a general overview of what rootk-
its are and the various methods used in designing rootkits.
Keywords will be defined, different types of rootkits will be
described, and classification methods will be discussed. A
brief survey of platforms of deployment will be discussed, and
statistical data will be provided in order to show the magnitude
of the risk posed by rootkits. A survey of the current methods
used to defend and detect against rootkits will be provided. We
will then present a novel approach to identifying the presence
of a rootkit in a system, and display its effectiveness in a case
study. Our novel method uses neural networks and behavior
based analysis to classify data as coming from a system that
is either not infected or infected with a rootkit. We conclude
with a discussion of results, limitations, and future work.
II. W HAT A RE ROOTKITS
Rootkits, also known as stealth malware, differ from other
forms of malware because they have the ability to gain root
access to an operating system while remaining undetected [4].
The method by which rootkits are able to remain undetected is
called “hooking”. The Microsoft Developers Network defines
a hook as “a point in the system message-handling mechanism
where an application can install a subroutine to monitor the
message traffic in the system and process certain types of
messages before they reach the target window procedure” [25].
By using a hooking strategy, a rootkit can record, simulate,
or intercept keystrokes or mouse clicks, intercept system
communications, and perform a variety of other actions.
Other methods used to remain concealed include replacing
system binaries, replacing libraries, and subverting kernel data
structures [32]. Here, kernel refers to the main component of
an operating system. The kernel is a program responsible for
managing I/O request, data management, and communication
with other devices.
There are two primary reasons rootkits are deployed in a
cyberattack. The first reason is to establish remote command
and control, and the second is to eavesdrop [13]. Once an
attacker has remote control over a computer they are able
to execute processes and controlling system files. If the goal
is to eavesdrop, the attacker will simply spy on the infected
computer. Rootkits that eavesdrop are able to read emails and
record keystrokes, which the attacker can use to acquire sen-
sitive information. In both scenarios, the attacker is interested
in long term access to the system. Rootkits are considered
post-exploits because they are brought in toward the end of
the attack cycle. An example of this is the use of rootkits in
advanced persistent threats (APT). One of the most recent and
buzz worthy APT style attacks that employed a rootkit was
Stuxnet. Stuxnet used a rootkit to hide itself on a Windows
operating systems, and was the first known rootkit that could
hide injected code located on a PLC [10].

978-1-5090-5771-9/16 $31.00 © 2016 IEEE 1

DOI 10.1109/CYBERSEC.2016.12
 (a) ROC
Fig. 1: Feed Forward Network Analyzing Call ”open”.
A widely used method to classify rootkits was proposed
by Joanna Rutkowska [30]. This taxonomy classifies malware
into 4 categories, 0-III, and is based on the behavior of the
malware in a system. Type 0 rootkits are the least dangerous
because they do not compromise the operating system or any
applications. They can also be easily detected by anti-forensic
technology. Type I and II rootkits take steps to conceal their
presence. Type I affects static resources, such as in-memory
code sections, and type II affects dynamic resources, such as
data sections of running processes [30]. Type III rootkits do
not rely on the host operating system because they run on
virtualized hardware. Because they are not using any of the
host software, everything, including drivers has to be built
in. Various other methods have been used to classify rootkits.
A common method is to classify rootkits as either user or
kernel, while other methods classify rootkits as kernel, library,
or binary [32].
A. User Level Rootkits
User level rootkits only affect processes and applications.
They are able to hide from process viewers by hooking
the viewer process [1]. User level rootkits use a method
called dynamic linked library (DLL) injection to infect a
host system. The host system becomes infected when an
application or process calls the infected DLL. The DLL,
including the infected code, is executed in the process or
applications reserved memory. At that point, the rootkit is able
to infect other applications and processes while using various
2
(b) Confusion Matrix
hooking methods to remain concealed [35]. User level rootkits
have a robust attack vector, and the techniques used are
somewhat dependent on the host operating system. Injection
techniques include injection by application extension, injection
by message filtering, injection by debugging subsystems, and
injection by application vulnerability.
B. Kernel Level Rootkits
Unlike user level rootkits, kernel level rootkits have unre-
stricted access to a system. In order for a kernel level rootkit
to execute, the code must be loaded directly to the kernel.
This is usually achieved by installing a kernel mode device
driver [1]. Once the driver is installed, the rootkit can hook
API calls to remain concealed. Delivery techniques used by
kernel level rootkits include system service descriptor table
modification, direct kernel object modification (DKOM), filter
device drivers, kernel mode system service handler modifica-
tion, runtime detour patching, or I/O request packet function
table modification [1]. In direct kernel object manipulation,
the rootkit hides system resources by manipulating data the
operating system uses to keep track of resources [34]. This
is often times accomplished by unlinking objects from list
that are managed by the operating system. Once the object
is unlinked from the list, it is no longer visible to the API.
In kernel object hooking, rootkits take over the control flow
of the kernel, while direct kernel object manipulation subverts
the kernel by directly modifying dynamic data objects [37].
C. Hypervisor Rootkits
Rootkits have also begun to infect virtual machines. Hard-
ware based virtual machine (HVM) rootkits are able to turn an
operating system into a virtual machine and take full control
of the system [5]. HVM rootkits are hypervisors making use
of the hardware virtualization features of the CPU. They
are not flawed by the shortcomings of software-based virtual
machines [12]. The first known hypervisor rootkit was called
Blue Pill [26]. Blue pill was able to change the state of the
operating system, control timing resources, and monitor inputs
and outputs without using hooking strategies.
D. Rootkits on Smartphones
Smartphones have also become a target for attackers. A
2008 report by McAfee Security stated almost 14% of mobile
users worldwide have been infected or know someone who
has been infected by mobile malware [23]. In a 2012 article
in Network World, researchers stated “One-quarter of more
than 400,000 Android apps examined in the Google Play store
pose security risks to mobile device users” [24]. An interesting
difference between rootkits on smartphones and rootkits on
personal computers is the use and implications of user level
rootkits. They can be more severe on smartphones because
of the nature of the sensitive information commonly found
on user applications on smartphones. The threat of infection
is even greater on smartphones because of the growing trend
of free, open source platforms and third party applications
available for download at little or no cost to the user. Rootkits
on smartphones are able to access interfaces and information
that are unique to smartphones, including GPS, messaging,
and voice [20]. Unfortunately, due to the restrictions on
resources, power, and functionality, many of the traditional
techniques used to defend personal computers against rootkits
are not effective for use on a smartphone. In [20] Polla et
al. classify the methodologies used in smartphone attacks into
6 categories: wireless, break in, infrastructure based, worm
based, botnet, and user based. Of these methodologies, the
one that most pertains to rootkits is wireless. An alternative
classification approach is suggested by Felt et al. [11]. They
classify malware by the behavior it exhibits. They note the
most common behaviors exhibited by malicious software are
collecting user information and sending premium rate mes-
sages.
In [8], Dixon and Mishra state techniques used to defend
smart phones can be categorized into three classes: monitoring
the volume of traffic, provide system level defense, and use of
sophisticated admission control mechanisms. To overcome the
limitations mentioned above, they suggest running detection
and prevention software through a personal computer that is
connected to and synchronized with the smartphone. Dixon et
al. also approached rootkit and malware detection by analyzing
the power consumption of the smartphone [6][9].
III. D EFENDING AGAINST AND D ETECTING ROOTKITS
There are many methods for identifying rootkits, including
behavioral, integrity, and signature based detection [33]. Be-
3
havioral techniques attempt to analyze how a system operates
and try to identify deviations. Integrity detection looks for
changes in files or system components in memory. This
technique also collects data and compares it to a baseline.
Signature detection looks for code in the system that has been
used and recorded in previous attacks. A problem with this
method is it is only able to detect rootkits after they have
been observed and recorded.
Kruegel et al. [18] proposed a method of detecting rootkits
through binary analysis. In there method they statistically
analyze kernel module binaries to determine if the kernel
module interface has been modified. In [36] Wang et al.
suggest detecting hooks in a system and protecting the hooks
from the rootkit. If a rootkit is unable to use a hook it will
be easily detected by system administrators or anti-malware
software. In a similar paper, Wang et al. [37] use a hypervisor
based system that is a able to identify and defend thousands
of kernel hooks in an operating system with a minimal impact
on the performance of the system. This method identifies a
solution to the so called protection granularity gap, which
refers to the fact that kernel hook protection requires byte
level protection, but hardware provides page level protection.
In [27], Riley et al. note that most methods that defend
against rootkits are focused on detection, which requires an
attack to have already occurred on a system. Their paper fo-
cuses on a rootkit prevention system they refer to as NICKLE.
NICKLE is a virtual machine monitor system that prevents
unauthorized code execution for guest operating systems.
Kunk et al. use a similar VMM based detection method
for smart phones [19]. Their method, which they refer to
as a “level-below approach”, uses a virtual machine monitor
to establish a kernel module that executes as an extension
of the Linux operating system, which implements various
security mechanisms used to detect rootkits without the risk of
compromise. This method is able to not only defend against
kernel level rootkits, but also user level rootkits.
Methods have also been proposed for detecting virtual
machine based rootkits. Xie et al. [38] suggest a method
of anomaly detection through cross verification of compo-
nents in a virtual machine. The hypervisor can reconstruct
the virtual machine’s execution states and learn information
such as running processes, active network connections, and
opened files. It then makes cross verification checks to detect
anomalies. Desnos et al. [5] suggest a statistical analysis of
system behavior to detect the presence of a rootkit.
IV. C ASE S TUDY: D ETECTING ROOTKITS WITH N EURAL
N ETWORKS BASED ON S YSTEM C ALL T IMES
Due to the various hooking methods discussed in this paper,
rootkits are able to hide within a host system without detection
from traditional security. However, they must still make system
calls like any other process. In our case study we attempt
to identify the presence of rootkits within a system using
a behavior based analysis of system call times. We initially
attempted to use standard statistical measures on the data sets,
such as threshold based identifiers on values such as mean
 (a) ROC
Fig. 2: Feed Forward Network Analyzing multiple system calls.
and variance, but due to the nonlinear nature of the data, these
methods were unsuccessful. Therefore, we turned to the use of
neural networks, which are capable of approximating nonlinear
data, to classify system calls as infected or not infected.
A. Analysis
The first stage of our case study involved collecting sys-
tem calls. The computing lab at the University of South
Alabama has a hypervisor based system where we are able
to collect system calls and there corresponding execution
times on an operating system. We are then able to infect
the system with a rootkit, and collect system calls from the
infected operating system. For further details on the hypervisor
based call collection environment see [15]. For our analysis,
we used the KBeast rootkit. More information on KBeast
can be found at [14]. A total of six collections were run.
Four of the experiments collected uninfected data, and two
of the experiments collected infected data. All experiments
were performed independent of the other experiments, and
all collections came from the same Ubuntu operating system.
For training purposes, once all calls were collected they were
assigned a value of zero for infected or one for uninfected.
All calls were pooled together and we generated three data
sets. The first set contained infected and uninfected calls and
their corresponding execution times from a single call type.
This data set consisted of approximately 300 uninfected and
200 infected calls. The second data set contained three call
types, which consisted of approximately 600 uninfected and
400 infected calls. The third set contained all forty four call
4
(b) Confusion Matrix
types. This data set contained approximately 2000 calls. Of
the 2000 calls, approximately 33% were infected. All training,
test, and validation sets were randomly separated from the data
sets in the amounts of 70%, 15%, and 15% respectively.
The software used for our analysis was MATLAB release
R2015bSV and the MATLAB Neural Network Toolbox. Our
experiment involved two network architectures. The first was
a static feed forward architecture, and the second was a
recurrent nonlinear auto-regressive architecture. Both networks
used the Levenberg Marquardt algorithm (LMA) for training,
which is traditionally used for solving nonlinear least squares.
The error function used was Mean Squared Error (MSE).
Various amounts of hidden layers and neurons were used in the
analysis. However, due to the computational complexity and
memory requirements of LMA, we were required to limit our
networks to a relatively small size. The best results came from
a combination of radial base and hyperbolic tangent transfer
functions.
B. Results
The first network tested was a feed forward network.
Initially it was tested against only one call (open). Figure one
depicts the results. The network was able to correctly classify
82.8% of the calls. The lowest MSE for validation was .1615,
and was slightly lower for the test case. The algorithm trained
on 70% of the data set, validated on 15%, and tested on 15%.
This network consisted of two hidden layers. The first hidden
layer had five neurons with radial base transfer functions, and
 (a) ROC
Fig. 3: Recurrent Network Analyzing multiple system calls.
the second had three neurons with hyperbolic tangent transfer
functions.
Next, the same network was tested against a data set
containing three different call types. Figure two depicts the
results. The network was able to correctly classify 67.7% of
the calls. There are several possible reasons for the reduction
in accuracy. One reason is the possibility that some system
calls are more affected or used by the rootkit than others. For
example, we consider it reasonable to assume calls such as
open, close, read, and write are commonly used by a rootkit,
while other calls, such as futex or nanosleep might not be used
as often. Another reason is complexity and dimensionality. The
more complex a data set and the more dimensions or features
contained within the data set, the larger the neural network
must be in order to make accurate decisions. For this data
set, we increased the size of the network to two hidden layers
each with ten neurons. It is possible better results could have
been obtained with a larger network. The data set containing
all forty four calls was also tested, however there was further
decline in performance.
The second network tested was the recurrent network. The
same multi-call data set used on the feed forward network
was used to test the performance of the recurrent network.
Far better results were achieved with the recurrent network
versus the feed forward network. The recurrent network was
then tested against the data set containing all forty four calls,
and again showed far better performance as depicted in figure
three. The network had two hidden layers with 5/5 neurons and
5
(b) Confusion Matrix
radial base/hyperbolic tangent transfer function respectively.
The testing accuracy for the recurrent network was 95.9%
and a MSE of .036. The improvement in performance is
possibly due to the fact that this type of network architecture
is historically better at modeling nonlinear dynamical systems
than the static feed forward methods [17][22][39]. This is due
to the fact that the network trains not only on the current data
points, but also the results of previous data points. In essence,
the network considers the previous state when determining the
current state. Maintaining internal states allows the network to
model dynamical temporal behavior more effectively.
V. F UTURE W ORK
Further analysis with neural networks should be conducted.
As mentioned, we were very restricted with the size of the neu-
ral network. The use of parallel computers with large amounts
of memory and processing power such as state funded super
computers should be used to accommodate larger networks and
data sets. Other machine learning techniques, such as decision
trees, support vector machines, and unsupervised methods
such as random forest should be tested. Other behavioral
techniques should also be considered, such as CPU power
consumption.
VI. C ONCLUSION
In this paper we have presented a general overview of what a
rootkit is, and the various methods used in designing rootkits to
achieve the goals of an attacker. A brief survey of the platforms
rootkits can be deployed on was presented. When available,
statistical data was provided in order to show the magnitude
of the risk posed by rootkits. A survey of the current methods
used to defend and detect against rootkits was reviewed, and
results were provided. Further, we present a novel approach
to detecting rootkits within a system. Using neural networks,
we were able to successfully identify the presence of rootkits
within an infected system with a high degree of accuracy. Our
case study proved machine learning techniques, such as neural
networks, provide a reasonable alternative to signature based
detection methods by focusing on the behavior of the system.
R EFERENCES
[1] Aditya Kapoor, Ahmed Sallam, Rootkits Part 2 of 3: A Technical Primer,
McAfee, 2007-04.
[2] Bickford, Jeffrey, et al. “Rootkits on smart phones: attacks, implications
and opportunities.” Proceedings of the eleventh workshop on mobile
computing systems and applications. ACM, 2010.
[3] Blunden, Bill. The Rootkit arsenal: Escape and evasion in the dark corners
of the system. Jones and Bartlett Publishers, 2012.
[4] Bray, Rory, Daniel Cid, and Andrew Hay. OSSEC host-based intrusion
detection guide. Syngress, 2008.
[5] Desnos, Anthony, ric Filiol, and Ivan Lefou. “Detecting (and creating!)
a HVM rootkit (aka BluePill-like).” Journal in Computer Virology 7.1
(2011): 23-49.
[6] Dixon, Bryan, et al. “Location based power analysis to detect malicious
code in smartphones.” Proceedings of the 1st ACM workshop on Security
and privacy in smartphones and mobile devices. ACM, 2011.
[7] Dixon, Bryan, and Shivakant Mishra. “Power based malicious code
detection techniques for smartphones.” Trust, Security and Privacy in
Computing and Communications (TrustCom), 2013 12th IEEE Interna-
tional Conference on. IEEE, 2013.
[8] Dixon, Bryan, and Shivakant Mishra. “On rootkit and malware detection
in smartphones.” Dependable Systems and Networks Workshops (DSN-
W), 2010 International Conference on. IEEE, 2010.
[9] Dixon, Bryan, Shivakant Mishra, and Jeannette Pepin. “Time and location
power based malicious code detection techniques for smartphones.” Net-
work Computing and Applications (NCA), 2014 IEEE 13th International
Symposium on. IEEE, 2014.
[10] Falliere, Nicolas. “Stuxnet introduces the first known rootkit for
industrial control systems.” Published online at http://www. symantec.
com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices.
Last accessed on February 10 (2011).
[11] Felt, Adrienne Porter, et al. “A survey of mobile malware in the wild.”
Proceedings of the 1st ACM workshop on Security and privacy in
smartphones and mobile devices. ACM, 2011.
[12] Fritsch, Hagen. “Analysis and detection of virtualization-based rootkits.”
Munchen: Technische Universitat (2008).
[13] Hoglund, Greg, and James Butler. Rootkits: subverting the Windows
kernel. Addison-Wesley Professional, 2006.
[14] http://core.ipsecs.com/rootkit/kernel-rootkit/kbeast-v1/
[15] Hubbard, Charles. Data Collection for Cyber Anomaly Event Detection.
University of South Alabama, 2015.
[16] Hutchins, Eric M., Michael J. Cloppert, and Rohan M. Amin.
“Intelligence-driven computer network defense informed by analysis
of adversary campaigns and intrusion kill chains.” Leading Issues in
Information Warfare and Security Research 1 (2011): 80.
[17] Kechriotis, George, Evangelos Zervas, and Elias S. Manolakos. “Using
recurrent neural networks for adaptive communication channel equaliza-
tion.” Neural Networks, IEEE Transactions on 5.2 (1994): 267-278.
[18] Kruegel, Christopher, William Robertson, and Giovanni Vigna. “De-
tecting kernel-level rootkits through binary analysis.” Computer Security
Applications Conference, 2004. 20th Annual. IEEE, 2004.
[19] Kunk, Adam, Pete Bohman, and Erik Shaw. “VMM based rootkit de-
tection on Android.” 2011-05-10]. http://cs523 sp2011 bjks. googlecode.
com/files/cs5 23 final report. pdf (2011).
[20] La Polla, Mariantonietta, Fabio Martinelli, and Daniele Sgandurra. “A
survey on security for mobile devices.” Communications surveys and
tutorials, IEEE 15.1 (2013): 446-471.
[21] Levine, John, Julian Grizzard, and Henry Owen. “A methodology to
detect and characterize kernel level rootkit exploits involving redirection
of the system call table.” Information Assurance Workshop, 2004. Pro-
ceedings. Second IEEE International. IEEE, 2004.
[22] Lin, Tsungnam, et al. “Learning long-term dependencies in NARX
recurrent neural networks.” Neural Networks, IEEE Transactions on 7.6
(1996): 1329-1338.
[23] McAfee Security McAfee Mobile Security Report 2008, McAfee,
www.mcafee.com/us/research, 2008.
[24] Messmer Ellen Security research labels more than 290,000
Google Play Android apps as ’high-risk’, Network World,
http://www.networkworld.com/news/2012/110112-google-play-apps-
263805.html, 2012-11-12.
[25] Microsoft Developers Network, Hooks, https://msdn.microsoft.com/en-
us/library/ms63258928VS.8529.aspx
[26] Ou, George. “Blue Pill: The first effective Hypervisor Rootkit”,
http://www.zdnet.com/article/blue-pill-the-first-effective-hypervisor-
rootkit/!
[27] Riley, Ryan, Xuxian Jiang, and Dongyan Xu. “Guest-transparent pre-
vention of kernel rootkits with vmm-based memory shadowing.” Recent
Advances in Intrusion Detection. Springer Berlin Heidelberg, 2008.
[28] Rodionov, DH Eugene, Aleksandr Matrosov, and David Harley. “Bootk-
its: Past, Present and Future.” VB Conference. 2014.
[29] Rootkits Part 1 of 3: The Growing Threat, McAfee, 2006-04.
[30] Rutkowska, Joanna. “Introducing stealth malware taxonomy.” COSEINC
Advanced Malware Labs (2006): 1-9.
[31] Schuster, Andreas. “Searching for processes and threads in Microsoft
Windows memory dumps.” digital investigation 3 (2006): 10-16.
[32] Shah, Alkesh, and J. Giffin. Analysis of rootkits: Attack approaches and
detection mechanisms. Technical report, Georgia Institute of Technology,
2008.
[33] Sparks, Sherri, and Jamie Butler. “Shadow Walker: Raising the bar for
rootkit detection.” Black Hat Japan 11.63 (2005): 504-533.
[34] Tsaur, Woei-Jiunn, Yuh-Chen Chen, and Being-Yu Tsai. “A new win-
dows driver-hidden rootkit based on direct kernel object manipulation.”
Algorithms and Architectures for Parallel Processing. Springer Berlin
Heidelberg, 2009. 202-213.
[35] Vikram Kumar, Rootkit- An Intruder Living in Your Kernel,
http://www.symantec.com/connect/articles/rootkit-intruder-living-your-
kernel, Symantic, 2009-16-08.
[36] Wang, Zhi, et al. “Countering persistent kernel rootkits through system-
atic hook discovery.” Recent Advances in Intrusion Detection. Springer
Berlin Heidelberg, 2008.
[37] Wang, Zhi, et al. “Countering kernel rootkits with lightweight hook
protection.” Proceedings of the 16th ACM conference on Computer and
communications security. ACM, 2009.
[38] Xie, Xiongwei, and Weichao Wang. “Rootkit detection on virtual
machines through deep information extraction at hypervisor-level.” Com-
munications and Network Security (CNS), 2013 IEEE Conference on.
IEEE, 2013.
[39] Yu, Wen. “Nonlinear system identification using discrete-time recurrent
neural networks with stable learning algorithms.” Information sciences
158 (2004): 131-147.