Behavioral analysis of malicious code through network traffic and system call monitoring

Schrittwieser

2019

Elektrotech. Inftech.

With the advent of Advanced Persistent Threats (APTs), it has become increasingly difficult to identify and understand attacks on computer systems. This paper presents a system capable of explaining anomalous behavior within network-enabled user sessions by describing and interpreting kernel event anomalies detected by their deviation from normal behavior.The prototype has been developed at the Josef Ressel Center for Unified Threat Intelligence on Targeted Attacks (TARGET) at St. Pölten University of Applied Sciences. Advanced Threat Intelligence: Erkennung und Klassifizierung von anomalem Verhalten in Systemprozessen. Mit dem Aufkommen von Advanced Persistent Threats (APTs) ist es immer schwieriger geworden, Angriffe aufComputersysteme zu identifizieren und zu verstehen. Diese Arbeit stellt ein System vor, das in der Lage ist, anomales Verhalten innerhalb von Benutzer-Sessions zu erklären, indem es Kernel-Ereignisanomalien beschreibt und klassifiziert, welche durch ihre Abweichung vom Normalverhalten erkannt werden. Der Prototyp wurde am Josef Ressel-Zentrum für konsolidierte Erkennung gezielter Angriffe (TARGET) an der Fachhochschule St. Pölten entwickelt.

Section: Observation: Data Collection and Processingmentioning

confidence: 99%

Advanced threat intelligence: detection and classification of anomalous behavior in system processes

Schrittwieser

2019

Elektrotech. Inftech.

“…One of the first projects using this technique was the NTRegmon by Russinovich and Cogswell [12], which monitors all registry activity on a system. It also shows that SSDT-Hooking can be used with a non-malicious intent, for example many antivirus and malware detection systems [19] depend on this technique too. Detection -This technique is similar to its counterpart in the user-mode, consequently it can also be detected in a similar way.…”

Section: Ssdt-hookingmentioning

confidence: 99%

The Evolution of Process Hiding Techniques in Malware - Current Threats and Possible Countermeasures

Eresheim

Journal of Information Processing

Schrittwieser

2017

Rootkits constitute a significant threat to modern computing and information systems. Since their first appearance in the early 1990's they have steadily evolved, adapting to ever-improving security measures. The main feature rootkits have in common is the ability to hide their malicious presence and activities from the operating system and its legitimate users. In this paper we systematically analyze process hiding techniques routinely used by rootkit malware. We summarize the characteristics of different approaches and discuss their advantages and limitations. Furthermore, we assess detection and prevention techniques introduced in operating systems in response to the threat of hidden malware. The results of our assessments show that defenders still struggle to keep up with rootkit authors. At the same time we see a shift towards powerful VM-based techniques that will continue to evolve over the coming years.

“…Fukushima's system utilizes Procmon [126] as primary data provider. Unlike BehEMOT's postmonitoring abstraction [60], Procmon abstracts system calls in a non-transparent manner prior to analysis. For this reason, many additional calls are not considered.…”

Section: Malware Analysis Solutionsmentioning

confidence: 99%

“…The VM-based dynamic analysis system is built around the TRUMAN sandnet [40] that logs contacted IP addresses, created, changed, and deleted files, as well as registry activity. While some features are taken from CWSandbox [142], others are comparable to the generally more detailed BehEMOT approach [60]. The file output is akin to a list of changes to the original system state.…”

Section: Malware Analysis Solutionsmentioning

confidence: 99%

See 1 more Smart Citation

Semantics-aware detection of targeted attacks: a survey

J Comput Virol Hack Tech

Marschalek

Kaiser

et al. 2016

In today's interconnected digital world, targeted attacks have become a serious threat to conventional computer systems and critical infrastructure alike. Many researchers contribute to the fight against network intrusions or malicious software by proposing novel detection systems or analysis methods. However, few of these solutions have a particular focus on Advanced Persistent Threats or similarly sophisticated multi-stage attacks. This turns finding domainappropriate methodologies or developing new approaches into a major research challenge. To overcome these obstacles, we present a structured review of semantics-aware works that have a high potential for contributing to the analysis or detection of targeted attacks. We introduce a detailed literature evaluation schema in addition to a highly granular model for article categorization. Out of 123 identified papers, 60 were found to be relevant in the context of this study. The selected articles are comprehensively reviewed and assessed in accordance to Kitchenham's guidelines for systematic literature reviews. In conclusion, we combine new insights and the status quo of current research into the concept of an ideal systemic approach capable of semantically processing and evaluating information from different observation points.