Mac-A-Mal: macOS malware analysis framework resistant to anti evasion techniques

Pham, Duy-Phuc; Vu, Duc-Ly; Massacci, Fabio

doi:10.1007/s11416-019-00335-w

Cited by 5 publications

(3 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A behavior-based IPS/IDS or antivirus can detect obfuscated malware by applying a process-tracing technique [35]. However, if a malicious attacker applies a packing or protector technique to malware, it stops the antivirus; thus, a malicious attacker can bypass the behavior-based detection technique.…”

Section: Security Technique Applicationmentioning

confidence: 99%

Kernel-Based Real-Time File Access Monitoring Structure for Detecting Malware Activity

Han

Lee

2022

Electronics

View full text Add to dashboard Cite

Obfuscation and cryptography technologies are applied to malware to make the detection of malware through intrusion prevention systems (IPSs), intrusion detection systems (IDSs), and antiviruses difficult. To address this problem, the security requirements for post-detection and proper response are presented, with emphasis on the real-time file access monitoring function. However, current operating systems provide only file access control techniques, such as SELinux (version 2.6, Red Hat, Raleigh, NC, USA) and AppArmor (version 2.5, Immunix, Portland, OR, USA), to protect system files and do not provide real-time file access monitoring. Thus, the service manager or data owner cannot determine real-time unauthorized modification and leakage of important files by malware. In this paper, a structure to monitor user access to important files in real time is proposed. The proposed structure has five components, with a kernel module interrelated to the application process. With this structural feature, real-time monitoring is possible for all file accesses, and malicious attackers cannot bypass this file access monitoring function. By verifying the positive and negative functions of the proposed structure, it was validated that the structure accurately provides real-time file access monitoring function, the monitoring function resource is sufficiently low, and the file access monitoring performance is high, further confirming the effectiveness of the proposed structure.

show abstract

Section: Security Technique Applicationmentioning

confidence: 99%

Kernel-Based Real-Time File Access Monitoring Structure for Detecting Malware Activity

Han

Lee

2022

Electronics

View full text Add to dashboard Cite

show abstract

“…Finally, if there is kernel-level access, approaches such as Mac-A-Mal [47] may efficiently detect evasion mechanisms. The corresponding system calls can be captured and dealt with appropriately to prevent the malware from identifying the existence of a virtual environment or a debugger.…”

Section: Countermeasuresmentioning

confidence: 99%

Resurrecting anti-virtualization and anti-debugging: Unhooking your hooks

Αποστολόπουλος

Katos

Choo

et al. 2021

Future Generation Computer Systems

View full text Add to dashboard Cite

“…proposed Mac-A-Mal, a framework for analyzing Mac based malware [27]. Pham et al developed a kernel extension to monitor malware behavior and bypass several evasion prevention techniques used in the wild, which uncovered 74 unknown malware programs.…”

Section: Related Workmentioning

confidence: 99%