An emerging threat Fileless malware: a survey and research challenges

Sudhakar,; Kumar, Sushil

doi:10.1186/s42400-019-0043-x

Cited by 91 publications

(29 citation statements)

References 32 publications

(37 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Another possible mechanism to evade detection is the use of a fileless architecture, which is becoming a relevant trend. For instance, the recent survey [22] provided an overview of the fileless malware and related detection techniques. Owing to its nature, this class of threat remains unnoticed by the traditional file-focused detection systems; thus, the authors concluded that the detection of fileless malware may require the use of forensic tools.…”

Section: A Surveys On Malware Analysis and Evasionmentioning

confidence: 99%

“…• limited interest in information hiding: as shown, only one recent work dealt with information hiding (specifically, in the context of mobile devices). As modern mal- [23] x x x x x [16] x x x x x [24] x x [22] x x fileless [31] x adversarial ML [17] x tools [25] x AI [14] x x x evasion, tools [34] x x x evasion [18] x x evasion [21] x x APT [28] x x cybersecurity [19] x evasion [26] x x x x [27] x x cybersecurity [36] x x x visualisation [30] x x [11] x x behavior analysis, visualisation [12] x analysis [37] x x [33] x x x evasion [29] x x x [15] x x x x x [20] x x stealth malware [32] x x x C&C communication [35] x x x OS openness [38] x x [39] x visualisation ware is increasingly exploiting some form of steganography, information hiding and obfuscation to launch attacks or exfiltrate data [42], [43], this consolidated trend should be taken into account. • lack of sufficient coverage of new threats: despite the vivacity of the topic, many works continue to focus on the "legacy" hazards, e.g., phishing.…”

Section: Contributions and Survey Architecturementioning

confidence: 99%

“…When compared to the traditional file-based malware, the fileless malicious software does not download any files or write any content to the disk of the infected machine [22]. Typically, the attacker is using vulnerabilities existing in the common applications to inject malicious code directly into the main memory.…”

Section: Fileless Malwarementioning

confidence: 99%

“…Currently, three classes of fileless malware can be roughly distinguished [22]: memory-resident, Windowsregistry-based, and rootkit malware. Memory-resident malware (e.g., Lurk trojan or Poweliks) injects itself into the main memory of the infected device without modifying the file systems.…”

Section: Fileless Malwarementioning

confidence: 99%

See 3 more Smart Citations

Tight Arms Race: Overview of Current Malware Threats and Trends in Their Detection

Caviglione

Choraś

Corona³

et al. 2021

IEEE Access

View full text Add to dashboard Cite

Section: A Surveys On Malware Analysis and Evasionmentioning

confidence: 99%

Section: Contributions and Survey Architecturementioning

confidence: 99%

Section: Fileless Malwarementioning

confidence: 99%

Section: Fileless Malwarementioning

confidence: 99%

See 2 more Smart Citations

Tight Arms Race: Overview of Current Malware Threats and Trends in Their Detection

Caviglione

Choraś

Corona³

et al. 2021

IEEE Access

View full text Add to dashboard Cite

“…Hence the detection complexity becomes too high for Fileless malware. The possibility of investigating Fileless malware is only limited to analysis of the behavior of the system using the snapshots of In-memory processes, which is considered here as Memory based analysis [16]. Information retrieval theory is applied with a dynamic analysis to extract API calls and system calls to classify malicious programs.…”

Section: Related Workmentioning

confidence: 99%

Detection of Anomalous In-Memory Process based on DLL Sequence

Panda¹,

Tripathy²

2020

IJACSA

View full text Add to dashboard Cite

The use of Computer systems to keep track of day to day activities for single-user systems as well as the implementation of business logic in enterprises is the demand of the hour. As it plays a vital role in making available information on one click as well as impacts improvement in business and influences the profit or loss. There is always a possible threat from unauthorized users as well as untrusted or unknown applications. Trivially a host is intended to run with a list of known or trusted applications based on user's preference. Any application beyond the trusted list can be called as untrusted or unknown application, which is not expected to run on that host. Untrusted applications becomes available to a host from sources like websites, emails, external storage devices etc. Such untrusted programs may be malicious or non-malicious in nature but the presence must be detected, as it is not a trusted program from user's view point. All such programs may target the system either to steal valuable information or to decrease the system performance without the knowledge of the user of the system. Antimalware vendors provide support to defend the system from malicious programs. They do not include users trusted program list in to consideration. It is also true that new instances of attacks are found very frequently. Hence there is a need for a system which can be self-defending from anomalous activities on the system with reference to a trusted program list. In this paper design of an "Anomalous In-Memory Process detector based on the use of the DLL (Dynamic Link Library) sequence" is proposed, which does accountability of trusted programs intended to run on a particular host and create a knowledgebase of classes of processes with TF-IDF (Term Frequency-Inverse Document Frequency) multinomial logistic regression based learning approach. This knowledgebase becomes useful to map a suspected In-memory process to a class of processes using loaded DLL's of it. With a cross-validation approach, the suspected process and processes of its predicted class are used to conclude whether it is a trusted, variant of the trusted or untrusted process for that host. Not necessarily the untrusted program is a malware but it may be a program not listed in the trusted program list for the specific host. Hence this work aims to detect anomaly in concern with list of trusted applications based on user's preference by doing a dynamic analysis on In-memory processes.

show abstract

Data Security Threats

2023

Data Exfiltration Threats and Prevention Techniques

View full text Add to dashboard Cite

An emerging threat Fileless malware: a survey and research challenges

Cited by 91 publications

References 32 publications

Tight Arms Race: Overview of Current Malware Threats and Trends in Their Detection

Tight Arms Race: Overview of Current Malware Threats and Trends in Their Detection

Detection of Anomalous In-Memory Process based on DLL Sequence

Data Security Threats

Contact Info

Product

Resources

About