One of the most elusive types of malware in recent times that pose significant challenges in the computer security system is the kernel-level rootkits. The kernel-level rootkits can hide its presence and malicious activities by modifying the kernel control flow, by hooking in the kernel space, or by manipulating the kernel objects. As kernel-level rootkits change the kernel, it is difficult for user-level security tools to detect the kernel-level rootkits. In the past few years, many approaches have been proposed to detect kernel-level rootkits. It is not much difficult for an attacker to evade the signature-based kernel-level rootkit detection system by slightly modifying the existing signature. To detect the evolving kernel-level rootkits, researchers have proposed and experimented with many detection systems. In this paper, we survey traditional kernel-level rootkit detection mechanisms in literature and propose a structured kernel-level rootkit detection taxonomy. We have discussed the strength and weaknesses or challenges of each detection approach. The prevention techniques and profiling kernel-level rootkit behavior affiliated literature are also included in this survey. The paper ends with future research directions for kernel-level rootkit detection.

翻译：近期最具隐蔽性的恶意软件之一，内核级Rootkit对计算机安全系统构成了重大挑战。内核级Rootkit可通过修改内核控制流、在内核空间挂钩或操控内核对象来隐藏自身存在及恶意活动。由于内核级Rootkit会改变内核本身，用户级安全工具难以对其进行检测。过去数年间，研究者已提出多种检测内核级Rootkit的方法。攻击者可通过对现有签名进行细微修改，轻易绕过基于签名的内核级Rootkit检测系统。为检测不断演进的内核级Rootkit，研究人员已提出并实验验证了多种检测系统。本文综述了文献中已有的传统内核级Rootkit检测机制，并提出了结构化的内核级Rootkit检测分类法。我们讨论了每种检测方法的优势与局限性或挑战，本综述还涵盖了防御技术及与内核级Rootkit行为分析相关的文献。文末展望了内核级Rootkit检测的未来研究方向。