Inducing Observables to Detect Hidden Files and Processes on Computer Systems
Jim Jones (SAIC and Ferris State University), firstname.lastname@example.org
File and process hiding are standard features of the rootkits used to keep a computer system in a compromised state. The same features have recently appeared in malicious software such as viruses, worms, and spyware, as well as in legitimate software such as digital rights management. Hiding methods and their implementations keep evolving to evade detection, and current detection approaches are ineffective against the latest of them. A system that is compromised but believed to be clean because scans with current methods found nothing represents a considerable risk to its users and owners. We report on an approach to detecting hidden files and processes on potentially compromised systems, specifically targeting files and processes that have been hidden by novel methods against which current approaches fail. The approach consists of probes that induce observables and a probabilistic model that reasons over the induced observables. We discuss the development of the probes and the probabilistic model, and we report empirical comparisons of our approach with current detection methods.
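To make the probe-and-reason idea concrete, here is an added example of the general pattern, written for this page and not code from the paper: each probe asks the system to do something whose outcome differs when a hidden object is present (here, creating a directory under a candidate name, which fails with EEXIST if an unlisted file occupies that name, and calling stat() directly), and a probabilistic model combines the probe outcomes into a posterior for each candidate. The specific probes, the per-probe true/false-positive rates in PROBES, the naive-Bayes combination, the prior, and the filtered-listing stand-in for a rootkit are all assumptions made for illustration; the paper's actual probes and model are not described on this page.

```python
import errno
import math
import os
import tempfile

# Assumed probe statistics (not from the paper): for each probe,
# P(observable | hidden object present) and P(observable | nothing there).
# A real deployment would estimate these empirically.
PROBES = {
    "mkdir_eexist": (0.95, 0.01),
    "stat_visible": (0.60, 0.01),
}


def filtered_listing(path, hidden):
    """Constructed stand-in for a rootkit-filtered directory listing."""
    return [n for n in os.listdir(path) if n not in hidden]


def probe_mkdir(path, name):
    """Induced observable: creating a directory under the candidate name fails
    with EEXIST when an object already occupies it, even if enumeration hides it."""
    full = os.path.join(path, name)
    try:
        os.mkdir(full)
    except OSError as e:
        return e.errno == errno.EEXIST
    os.rmdir(full)  # nothing was there; remove the probe's own artefact
    return False


def probe_stat(path, name):
    """Weaker probe: a direct stat() may still succeed on an object that is
    hidden only from directory enumeration."""
    try:
        os.stat(os.path.join(path, name))
        return True
    except OSError:
        return False


def posterior(observations, prior=0.01):
    """Naive-Bayes combination of probe outcomes into P(hidden object present)."""
    logit = math.log(prior / (1 - prior))
    for probe, seen in observations.items():
        tp, fp = PROBES[probe]
        if seen:
            logit += math.log(tp / fp)
        else:
            logit += math.log((1 - tp) / (1 - fp))
    return 1 / (1 + math.exp(-logit))


def score_candidates(path, listing, candidates):
    """Probe every candidate name the listing does NOT show; return posteriors."""
    shown = set(listing)
    scores = {}
    for name in candidates:
        if name in shown:
            continue  # visible objects are not hidden; no probe needed
        obs = {
            "mkdir_eexist": probe_mkdir(path, name),
            "stat_visible": probe_stat(path, name),
        }
        scores[name] = posterior(obs)
    return scores


def detect_hidden(path, listing, candidates, threshold=0.5):
    """Names whose posterior of being a hidden object reaches the threshold."""
    scores = score_candidates(path, listing, candidates)
    return sorted(n for n, p in scores.items() if p >= threshold)


def demo():
    """Constructed scenario: one file hidden from the listing, one visible,
    one candidate name that does not exist at all."""
    with tempfile.TemporaryDirectory() as d:
        for n in ("hidden.bin", "visible.txt"):
            open(os.path.join(d, n), "w").close()
        listing = filtered_listing(d, hidden={"hidden.bin"})
        candidates = ["hidden.bin", "visible.txt", "absent.txt"]
        return detect_hidden(d, listing, candidates)


if __name__ == "__main__":
    print(demo())
```

The point of reasoning probabilistically rather than treating any single discrepancy as proof is that a hiding implementation can also intercept the probe's own system call (a rootkit that filters enumeration can equally filter mkdir or stat), so each probe is only evidence, and independent probes with different interception requirements are combined. The same pattern applies to processes, for example by probing PIDs that a process listing omits, but that is not shown here.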