IEEE Systems, Man and Cybernetics Society Information Assurance Workshop

Hidden processes: the implication for intrusion detection


We introduce a novel class of intrusion: the hidden process, a type of intrusion that will not be detected by an intrusion detection system operating under the assumption that the underlying computing architecture is functioning as specified. A hidden process executes in a manner that is unobservable by many of the operating system's accounting and reporting functions. We present a mechanism to hide processes. Additionally, we show how a hidden process may communicate with an external entity by piggybacking onto a legitimate network connection. We have implemented a mechanism that detects hidden processes and make recommendations calling for the separation of critical operating system functions from more general operating system functions.



InProceedings

IEEE


DOI: 10.1109/SMCSIA.2003.1232409
