Argus is a Linux rootkit detection framework that identifies stealth malware by comparing the kernel's own view of system state with the view presented to user-space utilities. Built from a Loadable Kernel Module (LKM) and a Python-based client, Argus establishes a trusted "ground truth" by reading kernel data structures directly for running processes, loaded modules, and active network sockets. It then contrasts that data with the output of standard tools such as ps, lsmod, and ss; an entity present in the kernel view but absent from the tool view indicates process hiding, module hiding, or a concealed network port. The framework also supports configurable UDP alerting for centralized monitoring and assigns a high-level threat classification based on the anomalies detected. While effective against kernel-level stealth techniques, Argus is intended primarily for educational and research use, and it illustrates both the strengths and the limits of runtime kernel integrity verification on modern Linux systems.
Introduction
The Argus framework is a lightweight, modular security system for detecting stealthy rootkits on Linux. Rootkits evade conventional detection by hiding processes, modules, and network ports from the user-space tools that administrators rely on, so detection has to read kernel state directly rather than trust those tools. Argus does this by combining a Loadable Kernel Module (LKM) with a Python-based user-space client:
The kernel module gathers precise “ground truth” data on active processes, loaded modules, and network sockets directly from the kernel.
The user-space client collects standard Linux tool outputs (ps, lsmod, ss) and performs a dual-view comparison to identify hidden or unauthorized entities.
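The dual-view comparison described in the two points above, as an added example that is not Argus's own client code. The kernel-side sets are constructed stand-ins for what the LKM would report; the tool outputs are constructed samples of `ps -eo pid,comm`, `lsmod` and `ss -Hltn`, doctored the way a rootkit hooking those views would leave them; and the threat levels are an assumed scheme, not the page's.

```python
"""Dual-view comparison: kernel-side ground truth vs. user-space tool output.

Added illustration, not Argus's own client. Kernel-side sets and tool
outputs below are constructed; the threat levels are an assumed scheme.
"""
from dataclasses import dataclass

# Constructed kernel-side view (what an LKM would return after walking the
# task list, the module list and the listening-socket tables).
KERNEL_PIDS = {1, 2, 812, 1337, 2045}
KERNEL_MODULES = {"ext4", "xt_conntrack", "evil_lkm"}
KERNEL_LISTEN_PORTS = {22, 631, 4444}

# Constructed user-space view: PID 1337, module evil_lkm and port 4444 are gone.
PS_OUTPUT = """\
    PID COMMAND
      1 systemd
      2 kthreadd
    812 sshd
   2045 bash
"""
LSMOD_OUTPUT = """\
Module                  Size  Used by
ext4                  958464  1
xt_conntrack           16384  2
"""
SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      5          127.0.0.1:631       0.0.0.0:*
"""


def parse_ps(text):
    """PIDs from `ps -eo pid,comm` output; the header line is skipped."""
    pids = set()
    for line in text.splitlines()[1:]:
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.add(int(fields[0]))
    return pids


def parse_lsmod(text):
    """Module names (first column) from `lsmod`; header skipped."""
    return {line.split()[0] for line in text.splitlines()[1:] if line.strip()}


def parse_ss(text):
    """Listening TCP ports from `ss -Hltn` (no header; local addr:port is column 4).
    Splitting on the last ':' keeps IPv6 literals such as [::]:22 intact."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


@dataclass
class Findings:
    hidden_pids: set
    hidden_modules: set
    hidden_ports: set

    def threat_level(self):
        """Assumed classification: a hidden module together with hidden
        activity points at a kernel rootkit; a lone discrepancy may still be
        a race with a short-lived process, so it is rated lower."""
        if self.hidden_modules and (self.hidden_pids or self.hidden_ports):
            return "HIGH"
        if self.hidden_modules or self.hidden_pids or self.hidden_ports:
            return "MEDIUM"
        return "CLEAN"


def compare(kernel_pids, kernel_modules, kernel_ports, ps_text, lsmod_text, ss_text):
    """Anything the kernel knows about that the tools do not show is hidden."""
    return Findings(
        hidden_pids=kernel_pids - parse_ps(ps_text),
        hidden_modules=kernel_modules - parse_lsmod(lsmod_text),
        hidden_ports=kernel_ports - parse_ss(ss_text),
    )


if __name__ == "__main__":
    f = compare(KERNEL_PIDS, KERNEL_MODULES, KERNEL_LISTEN_PORTS,
                PS_OUTPUT, LSMOD_OUTPUT, SS_OUTPUT)
    print(f, f.threat_level())
```

The two snapshots are not atomic: a process that exits between the LKM walk and the `ps` run shows up as "hidden", so a real client should sample twice and alert only on discrepancies that persist. The kernel side is the trusted half of the comparison; the user-space tools are exactly what a rootkit is assumed to have subverted, which is why the diff is always taken as kernel view minus tool view and not the other way round.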
Additional features include:
Cryptographic integrity verification of kernel modules to detect tampering.
UDP-based alerting for real-time notifications of anomalies.
Non-intrusive, read-only operation, ensuring system stability and minimal performance impact.
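The module integrity check and the UDP alerting listed above, as an added example that is not Argus's own code. The baseline layout, the alert JSON fields and the optional HMAC tag on each datagram are assumptions of this example; the .ko files are constructed in a temporary directory.

```python
"""Module integrity verification and UDP alerting.

Added illustration; not Argus's own client. Baseline format, alert fields
and the authenticated-alert option are assumptions; sample .ko files are
constructed in a temporary directory.
"""
import hashlib
import hmac
import json
import socket
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    """Stream the file so large modules are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(module_dir):
    """SHA-256 of every .ko under module_dir, keyed by file name.
    Take this on a known-good system and keep the result off-host."""
    return {p.name: sha256_file(p) for p in sorted(module_dir.rglob("*.ko"))}


def verify_modules(module_dir, baseline):
    """Map each deviating module to 'modified', 'missing' or 'unexpected'."""
    current = build_baseline(module_dir)
    findings = {}
    for name, digest in baseline.items():
        if name not in current:
            findings[name] = "missing"
        elif not hmac.compare_digest(current[name], digest):
            findings[name] = "modified"
    for name in current.keys() - baseline.keys():
        findings[name] = "unexpected"
    return findings


def make_alert(host, kind, details, key=b""):
    """One JSON datagram per anomaly. With a shared key, an HMAC-SHA256 tag is
    added so the collector can drop spoofed datagrams."""
    body = {"ts": int(time.time()), "host": host, "kind": kind, "details": details}
    if key:
        msg = json.dumps(body, sort_keys=True).encode()
        body["mac"] = hmac.new(key, msg, "sha256").hexdigest()
    return json.dumps(body, sort_keys=True).encode()


def verify_alert(datagram, key):
    """Collector side: return the alert dict if its tag verifies, else None."""
    body = json.loads(datagram)
    tag = body.pop("mac", None)
    msg = json.dumps(body, sort_keys=True).encode()
    if tag is None or not hmac.compare_digest(tag, hmac.new(key, msg, "sha256").hexdigest()):
        return None
    return body


def send_alert(datagram, dest):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram, dest)


def demo_integrity():
    """Constructed scenario: baseline two modules, then tamper with one,
    drop in a new one and delete one."""
    with tempfile.TemporaryDirectory() as d:
        mods = Path(d)
        (mods / "ext4.ko").write_bytes(b"\x7fELF good ext4")
        (mods / "nf_tables.ko").write_bytes(b"\x7fELF good nf_tables")
        baseline = build_baseline(mods)
        (mods / "ext4.ko").write_bytes(b"\x7fELF patched ext4")  # tampered
        (mods / "evil.ko").write_bytes(b"\x7fELF dropped in")    # unexpected
        (mods / "nf_tables.ko").unlink()                          # missing
        return verify_modules(mods, baseline)


def demo_alert_roundtrip(key=b"example-shared-key"):
    """Send an authenticated alert over loopback and verify it on receipt."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        send_alert(make_alert("host-a", "hidden_module", {"name": "evil.ko"}, key),
                   rx.getsockname())
        data, _ = rx.recvfrom(65535)
    return verify_alert(data, key)
```

Hashing .ko files on disk catches tampering with the files a rootkit was loaded from, but a kernel-resident rootkit can also hook the read path and serve clean bytes; the stronger check is to hash the module text as it sits in kernel memory and compare that with the on-disk image. Plain UDP alerts are unauthenticated and can be dropped or forged, hence the HMAC tag here; for a remote collector, shipping them over an authenticated transport is the safer option.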
In testing, Argus detected hidden processes, hidden modules, and unauthorized listening ports, verified kernel module integrity, and raised real-time alerts without disrupting normal system operation, making it a practical defence for Linux systems against stealthy rootkits.
Conclusion
The Argus Rootkit Monitoring System detects stealthy malware by pairing kernel-level monitoring with a dual-view comparison. Because its "ground truth" comes from the kernel itself rather than from user-space tools, it sidesteps the blind spots of conventional detection and gives a clearer picture of what a rootkit is hiding.
Cryptographic integrity verification of kernel modules adds a second check, flagging unauthorized modifications to module files. Together with real-time notification and a non-intrusive, read-only design, this makes Argus an efficient way to monitor system integrity.
Argus does have limitations arising from modern kernel protection mechanisms, but the project demonstrates the value of low-level security analysis. It provides a foundation for further research into rootkit detection methods and, with it, more secure Linux environments.