R/Bootkit detection based on trusted computing and neural network

Abstract

There is no standardized definition to characterize R/Bootkit that threatens kernel security of boot process in operating system. Most existing detection techniques attempt to detect the performance of it in the running stage of operating system, rather than protect kernel modules in the boot process. This paper proposes a new trust chain, where the trust root is TPM, which checks all kernel modules from CPU to the application environment, then security of kernel modules can be ensured out of R/Bootkit. In addition, a neural network is designed to identify known and unknown R/Bootkit. The test results show that we can correctly detect illegal modifications for kernel modules.