Detecting Hidden Computer Processes by Deliberate Resource Exhaustion

dc.contributor.author: Jones, James H. Jr.
dc.creator: Jones, James H. Jr.
dc.date: 2008-12-02
dc.date.accessioned: 2009-01-21T21:16:22Z
dc.date.available: NO_RESTRICTION
dc.date.available: 2009-01-21T21:16:22Z
dc.date.issued: 2009-01-21T21:16:22Z
dc.description.abstract: Computer attackers often wish to retain control of a successfully compromised computer. Such retention requires evading detection by the computer system's owner and defensive software applications. Retaining control of a compromised computer (and subsequent exploitation of the compromised computer) also requires that the attacker run one or more processes on the computer. To evade detection, the attacker may hide such processes from legitimate system users and defensive software applications. Reliable detection of hidden processes, especially those hidden by novel tools or techniques, remains an unsolved problem. Existing hidden process detection tools require knowledge of the method(s) used to hide the processes or require a known clean version of the computer as a control. In this research, I present an approach for hidden process detection which does not require such prior knowledge or a control system. My approach, called the Method of Induced Observables, is based on the hypothesis that two computer systems, identical except one has an additional (and hidden) process, will produce nondiscriminatory observables under normal conditions, but may produce discriminatory observables when placed under abnormal conditions. I placed systems under the abnormal conditions of memory exhaustion and excessive process creation. I used the resulting induced observables from systems with and without hidden processes to construct classification models, which I then applied to systems employing previously unseen (holdout) process hiding methods. I demonstrated better than 95% hidden process detection accuracy on the holdout test sets.
dc.identifier.uri: https://hdl.handle.net/1920/3385
dc.language.iso: en_US
dc.subject: Computer security
dc.subject: Computer compromise
dc.subject: Induced observables
dc.subject: Root kit
dc.subject: Stealth
dc.subject: Hidden process
dc.title: Detecting Hidden Computer Processes by Deliberate Resource Exhaustion
dc.type: Dissertation
thesis.degree.discipline: Computational Sciences and Informatics
thesis.degree.grantor: George Mason University
thesis.degree.level: Doctoral
thesis.degree.name: Doctor of Philosophy in Computational Sciences and Informatics
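The hypothesis stated in the abstract (two systems that differ only by one hidden process look alike under normal observation but diverge under induced resource exhaustion) is illustrated below by an added Python example. This is not code from the dissertation: it assumes a constructed toy kernel with a PID table and a memory pool, a rootkit-style filter that withholds one entry from the process listing, two specific induced observables (the number of processes that can still be created before fork fails, and the amount of memory that can still be obtained before allocation fails), and a simple threshold rule standing in for the classification models the dissertation trained. The point it demonstrates is that the passive view of both systems is identical, while the probes that drive each system to its limit reveal resources consumed by something the listing does not account for.

```python
"""Toy model of the Method of Induced Observables.

Added illustration, not the dissertation's code.  The kernel, the
resource limits, the workload and the hidden process are all constructed
for this example.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple, Dict


@dataclass
class ToyKernel:
    """Minimal process and memory accounting (constructed model, not an OS)."""
    pid_max: int
    mem_total: int
    table: Dict[int, list] = field(default_factory=dict)  # pid -> [mem, hidden]

    def spawn(self, mem: int, hidden: bool = False) -> Optional[int]:
        """Take the lowest free PID and `mem` units; None when exhausted."""
        if self.mem_in_use() + mem > self.mem_total:
            return None
        for pid in range(1, self.pid_max + 1):
            if pid not in self.table:
                self.table[pid] = [mem, hidden]
                return pid
        return None

    def alloc(self, pid: int, mem: int) -> bool:
        """Grow a process's memory; False when the pool is exhausted."""
        if pid not in self.table or self.mem_in_use() + mem > self.mem_total:
            return False
        self.table[pid][0] += mem
        return True

    def kill(self, pid: int) -> None:
        self.table.pop(pid, None)

    def mem_in_use(self) -> int:
        return sum(m for m, _ in self.table.values())

    def visible(self) -> Dict[int, int]:
        """What a filtered process list shows: hidden entries are omitted."""
        return {pid: m for pid, (m, h) in self.table.items() if not h}


def passive_observables(k: ToyKernel) -> Tuple[int, int]:
    """Normal-condition view: visible process count and their memory use."""
    vis = k.visible()
    return len(vis), sum(vis.values())


def induce_process_exhaustion(k: ToyKernel) -> int:
    """Create zero-memory processes until fork fails, then clean up.

    Returns the gap between the spare PIDs the listing predicts
    (pid_max - visible processes) and the spawns actually achieved.
    A positive gap means PIDs are held by something not listed.
    """
    expected = k.pid_max - len(k.visible())
    created = []
    while (pid := k.spawn(0)) is not None:
        created.append(pid)
    for pid in created:
        k.kill(pid)
    return expected - len(created)


def induce_memory_exhaustion(k: ToyKernel, chunk: int = 1) -> int:
    """Allocate in `chunk` units until the pool is exhausted, then clean up.

    Returns the gap between the free memory the listing predicts
    (mem_total - visible usage) and what was actually obtainable.
    """
    expected = k.mem_total - sum(k.visible().values())
    probe = k.spawn(0)
    got = 0
    while k.alloc(probe, chunk):
        got += chunk
    k.kill(probe)
    return expected - got


def classify(k: ToyKernel) -> bool:
    """Threshold rule (assumed here) in place of a trained classifier:
    any unexplained PID or memory consumption flags a hidden process."""
    return induce_process_exhaustion(k) > 0 or induce_memory_exhaustion(k) > 0


def build_pair(hidden_mem: int = 7) -> Tuple[ToyKernel, ToyKernel]:
    """Two identical constructed systems; the second also runs one hidden process."""
    systems = []
    for hidden in (False, True):
        k = ToyKernel(pid_max=32, mem_total=100)
        for m in (10, 20, 5):            # ordinary, visible workload
            k.spawn(m)
        if hidden:
            k.spawn(hidden_mem, hidden=True)
        systems.append(k)
    return systems[0], systems[1]


if __name__ == "__main__":
    clean, infected = build_pair()
    print("passive:", passive_observables(clean), passive_observables(infected))
    for name, k in (("clean", clean), ("infected", infected)):
        print(name, "pid gap:", induce_process_exhaustion(k),
              "mem gap:", induce_memory_exhaustion(k), "hidden?", classify(k))
```

Both probes restore the system to its starting state before returning, so the passive observables can be re-read afterwards and still agree between the two systems; only the induced observables separate them. On a real host the equivalent probes must be run with the expectation that they will disturb legitimate workloads, which is the cost the dissertation's approach accepts in exchange for needing neither a clean control machine nor knowledge of the hiding technique.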

Files

Original bundle
Name: Jones_James.pdf
Size: 2.63 MB
Format: Adobe Portable Document Format

License bundle
Name: license.txt
Size: 1.72 KB
Format: Item-specific license agreed upon to submission