The rapid proliferation of ARM-based platforms across cloud servers, IoT devices, and embedded systems has created an urgent need to rethink kernel-level security from the ground up. Modern kernel rootkits exploit ARM's exception level hierarchy to embed themselves at EL1 or higher, rendering conventional signature-based and host-resident detection tools fundamentally unreliable: a detector running at the same exception level as the rootkit sees only the view the rootkit chooses to present. This paper introduces a layered detection framework purpose-built for ARM, fusing eBPF instrumentation, VMI-based memory forensics, and INT8-quantized deep learning into a unified, architecture-aware pipeline. eBPF kprobes provide passive kernel timing telemetry, VMI enables trust-isolated memory inspection from outside the monitored guest, and a quantized CNN-Random Forest ensemble delivers real-time behavioral classification without burdening ARM's constrained compute budget. By correlating temporal anomalies in system call execution (the added latency of a hooked handler) with structural inconsistencies in kernel data structures (an object reachable by memory scan but absent from the kernel's own lists), the proposed framework addresses the evasion window exploited by DKOM-based object unlinking and advanced function hooking. The framework was validated against 64 diverse rootkit samples on a Raspberry Pi 4 (ARMv8-A), confirming practical applicability beyond simulated environments. It establishes a reproducible, ARM-native security baseline applicable to cloud servers, edge gateways, and mobile platforms alike.
Srivenkateswaran et al. studied this question.
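The correlation step the abstract describes (temporal anomalies from kprobe timing fused with structural inconsistencies found by memory inspection) can be illustrated offline. The following is an added example written for this page, not code from the paper or its authors. It assumes two inputs the framework's lower layers would produce: the set of PIDs reported by walking the kernel's task list (the view DKOM unlinks from) and the set found by a VMI-style signature scan of memory, plus per-(PID, syscall) latency samples from eBPF kprobes on syscall entry/exit. All numbers below are constructed sample data; the MAD-based robust z-score and the "hidden PID plus hooked syscall implies high confidence" fusion rule are this example's own choices, not the paper's classifier.

```python
"""Cross-view DKOM detection correlated with syscall timing anomalies.

Added illustration for the ARM rootkit-detection pipeline described above.
All data here is constructed; nothing is captured from a real system.
"""
from statistics import median

# Structural view (assumed VMI output). A DKOM rootkit unlinks its task_struct
# from the kernel task list, but a signature scan of memory still finds it.
# Constructed sample: PID 4242 was unlinked.
TASK_LIST_VIEW = {1, 2, 100, 233, 1337}
MEMORY_SCAN_VIEW = {1, 2, 100, 233, 1337, 4242}

# Temporal baseline (assumed): entry-to-exit latency in ns per syscall,
# recorded by kprobes on a known-clean boot.
BASELINE_NS = {
    "getdents64": [1700, 1750, 1800, 1720, 1780, 1760, 1740, 1790, 1710, 1770],
    "read": [880, 900, 920, 890, 910, 905, 895, 915, 885, 925],
}

# Live samples keyed by (pid, syscall). A hook on getdents64 (used to hide
# directory entries and /proc PIDs) adds latency for every caller, while read
# is untouched. Constructed values.
LIVE_NS = {
    (100, "getdents64"): [9500, 9700, 9400, 9600, 9800, 9550, 9650],
    (233, "getdents64"): [9450, 9620, 9580, 9510, 9700, 9490, 9560],
    (1337, "read"): [900, 920, 880, 910, 905, 895, 915],
    (4242, "read"): [890, 905, 900, 910, 885, 915, 895],
}


def hidden_pids(list_view, scan_view):
    """PIDs present in the memory scan but absent from the task list: DKOM candidates."""
    return sorted(scan_view - list_view)


def robust_z(value, baseline):
    """Median/MAD z-score: robust to the very outliers we are hunting for.

    0.6745 rescales MAD to the standard deviation of a normal distribution.
    A zero MAD (flat baseline) is clamped to 1.0 to avoid division by zero.
    """
    med = median(baseline)
    mad = median(abs(s - med) for s in baseline) or 1.0
    return 0.6745 * (value - med) / mad


def timing_anomalies(live, baseline, threshold=3.5):
    """Flag (pid, syscall) pairs whose median live latency deviates from baseline."""
    flagged = {}
    for (pid, sc), samples in live.items():
        if sc not in baseline:
            continue  # no clean reference for this syscall; cannot judge it
        z = robust_z(median(samples), baseline[sc])
        if abs(z) >= threshold:
            flagged[(pid, sc)] = round(z, 2)
    return flagged


def correlate(hidden, anomalies):
    """Fuse structural (DKOM) and temporal (hook latency) evidence into one verdict.

    Either signal alone is worth an alert; both together is the pattern of a
    rootkit that hides its process and hooks the syscalls that would reveal it.
    """
    hooked = sorted({sc for (_, sc) in anomalies})
    if hidden and hooked:
        level = "high"
    elif hidden or hooked:
        level = "medium"
    else:
        level = "none"
    return {"level": level, "hidden_pids": list(hidden), "hooked_syscalls": hooked}


def run_example():
    """End-to-end run over the constructed sample; returns the verdict."""
    hidden = hidden_pids(TASK_LIST_VIEW, MEMORY_SCAN_VIEW)
    anomalies = timing_anomalies(LIVE_NS, BASELINE_NS)
    return correlate(hidden, anomalies)


if __name__ == "__main__":
    print(run_example())
```

On a real deployment the two views must be taken close together in time, otherwise ordinary process churn between the task-list walk and the memory scan produces false DKOM candidates; the timing baseline likewise needs to be per-syscall and per-hardware, since a Raspberry Pi 4 and a server-class ARM core have very different latency floors.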