Poster: CompareView - A Provenance Verification Framework for Detecting Rootkit-Based Malware

Source: Rutgers University

Using rootkit mechanisms to hide the presence of malware is pervasive in today's computer attacks. This poster proposes the CompareView framework, a host-based solution for detecting stealthy outbound traffic generated by rootkit-based malware. Using a lightweight cryptographic protocol, CompareView compares the views of outbound network packets at different layers of the host network stack and verifies the provenance information of each packet. Traffic that is not accompanied by a proper digital signature stating its origin is identified as suspicious and blocked.
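The abstract sketches the mechanism but not its details, so the following is an added illustration, not code from the CompareView authors. It simulates two views of the outbound path: a hook at the socket layer that tags every packet legitimate user-space code sends, and a hook just above the NIC driver that compares what it sees against that tag. A keyed HMAC over the packet fields plus a sequence number stands in for the paper's unspecified "lightweight cryptographic protocol"; the hook points, the packet fields covered, the shared per-boot key and the sample packets are all assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import struct
from dataclasses import dataclass

# Hypothetical per-boot key shared by the two hooks. In a real deployment it
# would live inside the trusted computing base, out of reach of a rootkit.
HOST_KEY = hashlib.sha256(b"constructed example key, not a real secret").digest()


@dataclass(frozen=True)
class Packet:
    """Minimal outbound-packet abstraction (constructed for this example)."""
    src: str
    dst: str
    dport: int
    payload: bytes


def canonical_bytes(pkt: Packet, seq: int) -> bytes:
    """Serialize the fields the provenance tag covers. The sequence number is
    included so a rootkit cannot replay a tag captured from a legitimate packet,
    and the payload hash binds the tag to the packet contents."""
    return b"|".join([
        struct.pack(">Q", seq),
        pkt.src.encode(),
        pkt.dst.encode(),
        struct.pack(">H", pkt.dport),
        hashlib.sha256(pkt.payload).digest(),
    ])


class UpperLayerView:
    """Socket-layer hook: every packet that legitimate user-space code sends
    passes through here and leaves with a keyed MAC stating its origin."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._seq = 0

    def emit(self, pkt: Packet) -> tuple[Packet, int, bytes]:
        self._seq += 1
        tag = hmac.new(self._key, canonical_bytes(pkt, self._seq), hashlib.sha256).digest()
        return pkt, self._seq, tag


class LowerLayerView:
    """Hook just above the NIC driver: anything arriving here without a valid,
    fresh tag never went through the socket layer and is blocked."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._seen: set[int] = set()

    def verdict(self, pkt: Packet, seq: int, tag: bytes | None) -> str:
        if tag is None:
            return "block: no provenance tag (never passed the socket layer)"
        expected = hmac.new(self._key, canonical_bytes(pkt, seq), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "block: tag does not match packet contents"
        if seq in self._seen:
            return "block: replayed tag"
        self._seen.add(seq)
        return "allow"


def run_scenario() -> list[str]:
    """Run four constructed packets through both views and return the verdicts."""
    upper = UpperLayerView(HOST_KEY)
    lower = LowerLayerView(HOST_KEY)
    results = []

    # 1. Legitimate traffic: seen by both views, so the tags agree.
    legit = Packet("10.0.0.5", "93.184.216.34", 443, b"GET / HTTP/1.1\r\n")
    pkt, seq, tag = upper.emit(legit)
    results.append(lower.verdict(pkt, seq, tag))

    # 2. Rootkit beacon injected below the socket layer: no tag exists for it.
    beacon = Packet("10.0.0.5", "198.51.100.7", 4444, b"beacon:host-a")
    results.append(lower.verdict(beacon, 0, None))

    # 3. Rootkit transplants the legitimate packet's tag onto its own packet.
    results.append(lower.verdict(beacon, seq, tag))

    # 4. Rootkit replays an exact copy of the legitimate packet and its tag.
    results.append(lower.verdict(pkt, seq, tag))
    return results


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

The check is only as strong as the placement of the lower view and the secrecy of the key: a rootkit that can hook below the NIC-side view, or read the key, sees no difference between its own packets and legitimate ones, which is why the abstract frames the comparison as a provenance check rather than a signature on the wire.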
Format: PDF  Size: 24.60
Date: Apr 2009