jha-security

Why kernel-level detection? These are my thoughts on why malware detection should performed at the kernel level. In general, the lower in the system hierarchy your detector resides, the harder it is for an attacker to evade your detector. For example, if a detector uses system-call interposition, an attacker can evade this system by directly using kernel calls. For example, system-call interposition can be done on Windows using the following package . In my conversations with a guy from NSA (name withheld for obvious reasons:-)) he confirmed that new malware they are observing in their lab are using kernel calls directly. Also, look at the following article The semantic-gap problem: A natural question that comes to mind is: why not perform detection at even a lower layer in the heirarchy? Say the VM layer or even better at hardware. As you move down in the system hierarchy, you lose some high-level semantics. Let me explain. Lets say you are doing detection at the VM layer. A high-leve