Title Rootkit Detection in a Computer Network
Abstract Systems and methods are provided for detecting a rootkit by way of a call timing deviation anomaly in a computer. The rootkit may be embedded in the operating system (OS) kernel, an application or another system function. An object call duration baseline is established for the durations of object calls (e.g., system or application calls) initiated by the computer, where each object call has an associated call-type and the timing baseline is established on a per-call-type basis. The durations of object calls initiated by the computer are then monitored. An object call duration anomaly is detected when an object call duration fails a call duration deviation measurement test, and an indication of the call duration anomaly is generated when it is detected.
Publication number US2015074808(A1) Publication date 2015.03.12
Application number US201414451725 Filing date 2014.08.05
Applicant Triumfant, Inc. Inventor QUINN Mitchell N.
Classification H04L29/06 Main classification H04L29/06
Agency Agent
Main claim 1. A method for detecting a rootkit in a computer, comprising: establishing an object call duration timing baseline for durations of object calls initiated by the computer, wherein each object call has an associated object call-type and the timing baseline is established on an object call-type basis; monitoring object call durations initiated by the computer; detecting an object call duration anomaly when the object call duration fails an object call duration deviation measurement test based on the associated object call-type and the timing baseline for the given object call-type; and generating an indication of the object call duration anomaly when detected.
Address Research Triangle Park NC US
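The abstract and claim 1 describe a two-phase procedure: learn a duration baseline per object call-type, then run each monitored call through a deviation test against the baseline for its own type and emit an indication on failure. The block below is an added example of that procedure and is not Triumfant's implementation or code from the patent. The robust median/MAD baseline, the modified z-score cutoff, the one-sided test, the syscall-style call-type names and every duration value are assumptions of this example (the traces are constructed, not measured).

```python
"""Per-call-type call-duration baseline with a deviation test.

Added example, not Triumfant's implementation: one way to realise the
abstract and claim 1 above. The call-type names, durations, the median/MAD
baseline and the modified z-score cutoff are all assumptions of this example.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional


@dataclass
class TypeBaseline:
    """Timing baseline for one object call-type (e.g. one syscall name)."""
    median_ns: float
    mad_ns: float   # median absolute deviation, floored so it is never zero
    n: int


@dataclass
class Anomaly:
    """Indication generated when a call duration fails the deviation test."""
    call_type: str
    duration_ns: float
    score: float    # modified z-score against the call-type's baseline


class CallDurationMonitor:
    """Learns a baseline per call-type, then tests monitored durations."""

    MAD_SCALE = 0.6745   # scales MAD to a normal std-dev (assumption)
    THRESHOLD = 3.5      # conventional modified-z-score cutoff (assumption)
    MIN_SAMPLES = 20     # refuse to baseline a type seen fewer times

    def __init__(self) -> None:
        self._samples: Dict[str, List[float]] = {}
        self._baselines: Dict[str, TypeBaseline] = {}

    def record(self, call_type: str, duration_ns: float) -> None:
        """Phase 1: collect durations for the baseline, keyed by call-type."""
        self._samples.setdefault(call_type, []).append(duration_ns)

    def finalize(self) -> None:
        """Turn the collected samples into a robust baseline per call-type."""
        for call_type, durs in self._samples.items():
            if len(durs) < self.MIN_SAMPLES:
                continue
            med = median(durs)
            mad = median([abs(d - med) for d in durs])
            mad = max(mad, 1.0)   # identical samples would give MAD 0
            self._baselines[call_type] = TypeBaseline(med, mad, len(durs))

    def baseline(self, call_type: str) -> Optional[TypeBaseline]:
        return self._baselines.get(call_type)

    def test(self, call_type: str, duration_ns: float) -> Optional[Anomaly]:
        """Phase 2: deviation test for one monitored call.

        One-sided on purpose: a hook that interposes on the call adds work,
        so only durations longer than the baseline are treated as suspicious.
        Returns an Anomaly indication on failure, None otherwise or when no
        baseline exists for the call-type.
        """
        b = self._baselines.get(call_type)
        if b is None:
            return None
        score = self.MAD_SCALE * (duration_ns - b.median_ns) / b.mad_ns
        if score > self.THRESHOLD:
            return Anomaly(call_type, duration_ns, score)
        return None


def _jitter(i: int) -> int:
    """Deterministic pseudo-jitter in [-45, 44] ns for constructed samples."""
    return (i * 37) % 90 - 45


def build_monitor() -> CallDurationMonitor:
    """Baseline from constructed durations: a cheap query call and a slower
    file open, so the two per-type baselines differ by about an order of
    magnitude and the same duration is judged differently per type."""
    m = CallDurationMonitor()
    for i in range(30):
        m.record("NtQuerySystemInformation", 1200 + _jitter(i))
        m.record("NtCreateFile", 8000 + 4 * _jitter(i))
    m.record("NtReadFile", 3000)   # too few samples: no baseline will be built
    m.finalize()
    return m


# Constructed monitored trace: (call_type, duration_ns). The third call is
# what a hooked query would look like: same call-type, several times slower.
MONITORED_CALLS = [
    ("NtQuerySystemInformation", 1240),
    ("NtCreateFile", 8200),
    ("NtQuerySystemInformation", 3600),
    ("NtReadFile", 9999),       # no baseline, so cannot be judged
]


def scan(m: CallDurationMonitor, calls) -> List[Anomaly]:
    """Run the deviation test over a trace and collect the indications."""
    return [a for a in (m.test(t, d) for t, d in calls) if a is not None]


if __name__ == "__main__":
    for a in scan(build_monitor(), MONITORED_CALLS):
        print(f"anomaly: {a.call_type} took {a.duration_ns:.0f} ns "
              f"(score {a.score:.1f})")
```

Two practical points follow from the per-type design. A baseline is only meaningful if it was captured on a system known to be clean at that time, because a rootkit present during baselining is simply learned as normal. And call timing is noisy (frequency scaling, cache state, VM scheduling), which is why the example keys the baseline by call-type, uses median and MAD rather than mean and standard deviation, and refuses to judge a type it has too few samples for; those choices reduce false positives but do not remove them, so the indication is best treated as a signal to corroborate rather than a verdict.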