Hidden processes: the implication for intrusion detection
- 3 February 2004
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE)
Abstract
We introduce a novel class of intrusion: the hidden process, a type of intrusion that will not be detected by an intrusion detection system operating under the assumption that the underlying computing architecture is functioning as specified. A hidden process executes in a manner that is unobservable by many of the operating system's accounting and reporting functions. We present a mechanism to hide processes. Additionally, we show how a hidden process may communicate with an external entity by piggybacking onto a legitimate network connection. We have implemented a mechanism that detects hidden processes and make recommendations calling for the separation of critical operating system functions from more general operating system functions.
This publication has 2 references indexed in Scilit:
- A secure and reliable bootstrap architecture. Published by Institute of Electrical and Electronics Engineers (IEEE), 2002
- The design and implementation of tripwire. Published by Association for Computing Machinery (ACM), 1994