Trace of the Times: Rootkit Detection through Temporal Anomalies in Kernel Activity

📅 2025-03-04
🤖 AI Summary
To address the challenge that kernel-level rootkits—particularly code-injection-based stealthy persistent threats—often evade signature-based detection, this paper proposes a signature-free, knowledge-agnostic temporal anomaly detection method. The core contribution is the first use of runtime function offset—the temporal displacement between consecutive kernel function invocations—as a discriminative indicator of rootkit presence, thereby eliminating reliance on manual feature engineering and predefined signatures. The method leverages eBPF kernel probes to collect high-precision timestamps, constructs per-function execution duration distribution models, and applies the Kolmogorov–Smirnov test for statistically rigorous anomaly identification. Evaluated under five representative system workloads, the approach achieves an F1-score of 98.7%. An open-source implementation demonstrates strong generalization to previously unseen rootkits and robustness across diverse execution environments.

📝 Abstract
Kernel rootkits provide adversaries with permanent high-privileged access to compromised systems and are often a key element of sophisticated attack chains. At the same time, they enable stealthy operation and are thus difficult to detect. To do so, they inject code into kernel functions to appear invisible to users, for example, by manipulating file enumerations. Existing detection approaches are insufficient, because they rely on signatures that are unable to detect novel rootkits or require domain knowledge about the rootkits to be detected. To overcome this challenge, our approach leverages the fact that runtimes of kernel functions targeted by rootkits increase when additional code is executed. The framework outlined in this paper injects probes into the kernel to measure timestamps of functions within relevant system calls, computes distributions of function execution times, and uses statistical tests to detect time shifts. The evaluation of our open-source implementation on publicly available data sets indicates high detection accuracy with an F1 score of 98.7% across five scenarios with varying system states.
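The pipeline the abstract describes (probe timestamps, per-function execution-time distributions, a statistical test for a time shift), worked through as an added example that is not the paper's code: the probe trace is constructed inline as entry/exit timestamps of one kernel function, a baseline distribution is built from it, and a two-sample Kolmogorov-Smirnov test with the asymptotic critical value flags a re-measured sample whose durations grew because extra code ran in the function's path.

```python
"""Two-sample KS test for a rootkit-induced shift in a kernel function's runtime
distribution. Added example, not the paper's code; all samples are constructed."""
import math
import random
from bisect import bisect_right

def durations_from_events(events):
    """Pair entry/exit timestamps of one function into durations (ns).
    events: (kind, ts) tuples in trace order, kind is 'entry' or 'exit'."""
    out, start = [], None
    for kind, ts in events:
        if kind == "entry":
            start = ts
        elif kind == "exit" and start is not None:
            out.append(ts - start)
            start = None
    return out

def ks_statistic(a, b):
    """Largest gap between the two empirical CDFs (tie-safe)."""
    a, b = sorted(a), sorted(b)
    return max(abs(bisect_right(a, v) / len(a) - bisect_right(b, v) / len(b))
               for v in set(a) | set(b))

def ks_critical(n, m, alpha):
    """Asymptotic two-sample KS rejection threshold at significance alpha."""
    return math.sqrt(-0.5 * math.log(alpha / 2)) * math.sqrt((n + m) / (n * m))

def shift_detected(baseline, observed, alpha=0.001):
    """Return (flagged, D); flagged when observed leaves the baseline model."""
    d = ks_statistic(baseline, observed)
    return d > ks_critical(len(baseline), len(observed), alpha), d

def synth_events(seed, n, mean_ns, extra_ns=0):
    """Constructed probe trace for one kernel function: n entry/exit pairs;
    extra_ns models code a rootkit injected into that function's path."""
    rng, events, ts = random.Random(seed), [], 0
    for _ in range(n):
        ts += rng.randint(500, 5000)                  # idle gap before the call
        events.append(("entry", ts))
        ts += int(rng.gauss(mean_ns + extra_ns, 80))  # measured execution time
        events.append(("exit", ts))
    return events

BASELINE = durations_from_events(synth_events(1, 500, 1200))     # trained model
CLEAN = durations_from_events(synth_events(2, 500, 1200))        # same code, later
HOOKED = durations_from_events(synth_events(3, 500, 1200, 300))  # injected code
for name, sample in (("clean", CLEAN), ("hooked", HOOKED)):
    print(name, *shift_detected(BASELINE, sample))   # prints: flagged, D
```

The critical value uses the asymptotic two-sample KS approximation, so a production model would calibrate alpha against the false-positive rate observed on clean traces before alerting.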
Problem

Research questions and friction points this paper is trying to address.

Detects kernel rootkits via temporal anomalies in kernel activity.
Overcomes limitations of signature-based detection methods.
Achieves high detection accuracy with statistical time shift analysis.
Innovation

Methods, ideas, or system contributions that make the work stand out.

Probes measure kernel function timestamps.
Statistical tests detect execution time shifts.
High accuracy rootkit detection is achieved.