Concepedia

Publication | Closed Access

Rootkit detection through phase-space analysis of power voltage measurements

Year: 2017
Citations: 15
References: 11

Abstract

Rootkits are powerful and dangerous pieces of malware that use stealth and administrative privilege to maintain a persistent, covert foothold on a compromised system. These capabilities make them popular with a wide range of cyber attackers, including the instigators of advanced persistent threat (APT) attacks. Recent examples of APT attacks being used to disrupt critical infrastructure in Ukraine in 2015 increase the urgency of producing a robust detection framework for rootkits. However, because of their sophisticated active and passive defense techniques, rootkits are resistant to traditional detection and remediation. An effective detector will sit outside of a rootkit's sphere of influence and use process-indicative data from a side channel that cannot be tampered with or spoofed. In this paper, we present preliminary results of experiments based on Oak Ridge National Laboratory's (ORNL) Beholder Project to detect rootkit execution out-of-band. We utilize power supply voltage measurements collected with a basic multimeter and current clamp, then extract time-serial system dynamics through the application of a novel nonlinear phase-space algorithm. We examine the variance of phase-space graph features between nominal and infected data, and then train our algorithm on threshold values to reach the best possible prediction accuracy. Our results indicate that the algorithm can successfully detect a rootkit infection through power measurement analysis, at an accuracy rate that meets or exceeds the performance of other machine learning algorithms in a similar testing context.
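The abstract describes a pipeline (voltage time series, phase-space reconstruction, graph features, thresholds learned from nominal versus infected data) without giving the algorithm itself. The Python below is an added example, not the ORNL Beholder code and not the paper's novel algorithm: it implements the generic form of that pipeline using delay-coordinate embedding, quantile symbolisation into discrete phase-space states, a state-transition graph, and an L1 dissimilarity between nominal and test state-occupancy distributions, with the alarm threshold set from the spread of clean-versus-clean comparisons. The traces are synthetic and constructed here; DIM, LAG, SYMBOLS, WINDOW, the margin and the signal model are all assumptions.

```python
"""Added example (not the ORNL Beholder code): a generic phase-space detector
for a 1-D power trace.  The paper's own algorithm is not reproduced on this
page; this stand-in uses delay-coordinate embedding, quantile symbolisation
into discrete phase-space states, a state-transition graph, and an L1
dissimilarity between nominal and test state-occupancy distributions.
All traces below are constructed synthetic data."""
import math
import random
from bisect import bisect_right
from collections import Counter

DIM = 3        # embedding dimension (assumed parameter)
LAG = 5        # delay between coordinates, in samples (assumed)
SYMBOLS = 5    # amplitude bins per coordinate (assumed)
WINDOW = 1000  # samples per analysis window (assumed)


def make_trace(n, infected, seed):
    """Constructed 'supply voltage' trace: a slow periodic workload plus
    Gaussian measurement noise.  The infected variant adds a faster
    component standing in for the extra activity of a hidden process."""
    rng = random.Random(seed)
    trace = []
    for t in range(n):
        v = math.sin(2 * math.pi * t / 50) + rng.gauss(0.0, 0.05)
        if infected:
            v += 0.4 * math.sin(2 * math.pi * t / 7)
        trace.append(v)
    return trace


def embed(trace, dim=DIM, lag=LAG):
    """Delay-coordinate embedding: x_i = (s_i, s_{i+lag}, ..., s_{i+(dim-1)lag})."""
    span = (dim - 1) * lag
    return [tuple(trace[i + k * lag] for k in range(dim))
            for i in range(len(trace) - span)]


def fit_bin_edges(trace, symbols=SYMBOLS):
    """Equiprobable amplitude bin edges (quantiles) learned from nominal data."""
    s = sorted(trace)
    return [s[int(len(s) * q / symbols)] for q in range(1, symbols)]


def symbolise(vectors, edges):
    """Map each embedded vector to a discrete phase-space state (tuple of bin ids)."""
    return [tuple(bisect_right(edges, x) for x in v) for v in vectors]


def graph_features(states):
    """Phase-space graph: node occupancy and directed state-to-state transitions."""
    nodes = Counter(states)
    transitions = Counter(zip(states, states[1:]))
    return nodes, transitions


def l1_dissimilarity(a, b):
    """L1 distance between two normalised occupancy distributions, in [0, 2]."""
    na, nb = sum(a.values()), sum(b.values())
    return sum(abs(a[k] / na - b[k] / nb) for k in set(a) | set(b))


class PhaseSpaceDetector:
    """Baseline from one clean window; threshold from nominal-vs-nominal spread."""

    def __init__(self, baseline, calibration, margin=2.0):
        self.edges = fit_bin_edges(baseline)
        self.base_nodes, _ = graph_features(symbolise(embed(baseline), self.edges))
        # Calibration windows are also clean: their dissimilarity to the baseline
        # is the noise floor, and the threshold sits a margin above its maximum.
        self.threshold = margin * max(self.score(w)["dissimilarity"] for w in calibration)

    def score(self, window):
        nodes, transitions = graph_features(symbolise(embed(window), self.edges))
        return {
            "nodes": len(nodes),
            "transitions": len(transitions),
            "dissimilarity": l1_dissimilarity(nodes, self.base_nodes),
        }

    def is_infected(self, window):
        return self.score(window)["dissimilarity"] > self.threshold


def demo():
    """Train on clean windows, then score one clean and one infected window."""
    baseline = make_trace(WINDOW, infected=False, seed=0)
    calibration = [make_trace(WINDOW, infected=False, seed=s) for s in range(1, 11)]
    det = PhaseSpaceDetector(baseline, calibration)
    clean = det.score(make_trace(WINDOW, infected=False, seed=100))
    rootkit = det.score(make_trace(WINDOW, infected=True, seed=101))
    return det, clean, rootkit


if __name__ == "__main__":
    det, clean, rootkit = demo()
    print(f"threshold={det.threshold:.3f} clean={clean} rootkit={rootkit}")
```

Run stand-alone, the script prints the learned threshold and the feature dictionaries for one clean and one infected window. The practical caveat the code makes visible: the threshold is learned only from clean windows, so a benign change in workload (a new service, a different load profile) shifts the nominal state distribution and must trigger recalibration, or the detector will alarm on drift; conversely, activity that perturbs the embedded states less than the calibration spread stays under the margin and is not seen.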
