Abstract
Systems and methods are provided for detecting a rootkit by way of a call timing deviation anomaly in a computer. The rootkit may be embedded in the operating system (OS) kernel, an application or another system function. An object call duration baseline is established for the durations of object calls (e.g., a system or application call) initiated by the computer, where each object call has an associated call type and the timing baseline is established on a per-call-type basis. The durations of object calls initiated by the computer are monitored. An object call duration anomaly is detected when an object call duration fails a call duration deviation measurement test, and an indication of the call duration anomaly is generated when one is detected.
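As an added illustration (not the patent's own code or method), the following Python implements the scheme described above: a per-call-type duration baseline learned from trusted samples, followed by a z-score deviation test on monitored durations. The call names, thresholds and nanosecond durations are constructed for the demonstration.

```python
import math
from dataclasses import dataclass

@dataclass
class Baseline:
    """Running mean and variance of durations for one call type (Welford's method)."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0
    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)
    @property
    def stddev(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

class CallTimingDetector:
    """Learns a duration baseline per call type, then flags durations failing a z-score test."""

    def __init__(self, min_samples=20, z_threshold=4.0, sigma_floor_ns=50.0):
        self.baselines = {}                     # call type -> Baseline
        self.min_samples = min_samples          # baseline must be established before testing
        self.z_threshold = z_threshold          # deviation test: |z| > threshold is an anomaly
        self.sigma_floor_ns = sigma_floor_ns    # stops a near-constant baseline flagging tiny jitter
    def learn(self, call_type: str, duration_ns: float) -> None:
        """Baseline phase: feed only durations trusted to be clean (pre-infection)."""
        self.baselines.setdefault(call_type, Baseline()).update(duration_ns)

    def check(self, call_type: str, duration_ns: float):
        """Monitoring phase: return an indication dict on anomaly, else None."""
        b = self.baselines.get(call_type)
        if b is None or b.n < self.min_samples:
            return None  # no established baseline for this call type: cannot judge
        sigma = max(b.stddev, self.sigma_floor_ns)
        z = (duration_ns - b.mean) / sigma
        if abs(z) > self.z_threshold:
            return {"call_type": call_type, "duration_ns": duration_ns,
                    "baseline_mean_ns": round(b.mean, 1), "z": round(z, 1)}
        return None

def run_demo():
    """Constructed trace: 20 clean 'read' timings, then three monitored calls."""
    det = CallTimingDetector()
    for i in range(20):
        det.learn("read", 900 + 10 * i)  # constructed clean samples, 900..1090 ns
    observed = [("read", 1100), ("read", 9000), ("stat", 9000)]  # constructed; 'stat' has no baseline
    return [r for r in (det.check(t, d) for t, d in observed) if r is not None]
```

Only the 9000 ns `read` call is reported; the `stat` call is skipped because no baseline exists for that call type, which is why the learning phase must cover every call type to be monitored.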