Memory forensics using virtual machine introspection for Malware analysis

Tien, Chin‐Wei; Liao, Jianwei; Chang, Shuenn‐Yih; Kuo, Sy‐Yen

doi:10.1109/desec.2017.8073871

Cited by 25 publications

(12 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…With run time attributes of benign process using string analysis for anomaly detection in Android operating system is found effective [9]. Studying the behavior of malware is becoming popular with memory forensic techniques for malware injection and hidden processes [10]. DLL injection is a process where the malicious DLL gets injected on to an In-memory process and the control of execution gets transferred to that code block [11].…”

Section: Related Workmentioning

confidence: 99%

Detection of Anomalous In-Memory Process based on DLL Sequence

Panda¹,

Tripathy²

2020

IJACSA

View full text Add to dashboard Cite

The use of Computer systems to keep track of day to day activities for single-user systems as well as the implementation of business logic in enterprises is the demand of the hour. As it plays a vital role in making available information on one click as well as impacts improvement in business and influences the profit or loss. There is always a possible threat from unauthorized users as well as untrusted or unknown applications. Trivially a host is intended to run with a list of known or trusted applications based on user's preference. Any application beyond the trusted list can be called as untrusted or unknown application, which is not expected to run on that host. Untrusted applications becomes available to a host from sources like websites, emails, external storage devices etc. Such untrusted programs may be malicious or non-malicious in nature but the presence must be detected, as it is not a trusted program from user's view point. All such programs may target the system either to steal valuable information or to decrease the system performance without the knowledge of the user of the system. Antimalware vendors provide support to defend the system from malicious programs. They do not include users trusted program list in to consideration. It is also true that new instances of attacks are found very frequently. Hence there is a need for a system which can be self-defending from anomalous activities on the system with reference to a trusted program list. In this paper design of an "Anomalous In-Memory Process detector based on the use of the DLL (Dynamic Link Library) sequence" is proposed, which does accountability of trusted programs intended to run on a particular host and create a knowledgebase of classes of processes with TF-IDF (Term Frequency-Inverse Document Frequency) multinomial logistic regression based learning approach. This knowledgebase becomes useful to map a suspected In-memory process to a class of processes using loaded DLL's of it. With a cross-validation approach, the suspected process and processes of its predicted class are used to conclude whether it is a trusted, variant of the trusted or untrusted process for that host. Not necessarily the untrusted program is a malware but it may be a program not listed in the trusted program list for the specific host. Hence this work aims to detect anomaly in concern with list of trusted applications based on user's preference by doing a dynamic analysis on In-memory processes.

show abstract

Section: Related Workmentioning

confidence: 99%

Detection of Anomalous In-Memory Process based on DLL Sequence

Panda¹,

Tripathy²

2020

IJACSA

View full text Add to dashboard Cite

show abstract

“…Table IV, shows the results of surveyed papers that applied memory analysis in their malware detection approaches. In addition, Memory forensic techniques are able to monitor malware behaviors like API hooking, DLL injection and Hidden processes [49]. In the following, we discuss each behavior and malware anti-forensics techniques.…”

Section: ) Memory Analysismentioning

confidence: 99%

A Survey on Malware Analysis Techniques: Static, Dynamic, Hybrid and Memory Analysis

Sihwail

Omar

Ariffin

2018

Int. J. Adv. Sci. Eng. Inf. Technol.

137

View full text Add to dashboard Cite

The threats malware pose to the people around the world are increasing rapidly. A software that sneaks to your computer system without your knowledge with a harmful intent to disrupt your computer operations. Due to the vast number of malware, it is impossible to handle malware by human engineers. Therefore, security researchers are taking great efforts to develop accurate and effective techniques to detect malware. This paper offers an overall view and detailed survey for malware detection methods like signature-based and heuristic-based. The Signature-based is largely used today by anti-virus software to detect malware. It is fast and capable to detect known malware. However, it is not effective in detecting zero-day malware and is easily defeated by malware that use obfuscation techniques. Likewise, a considerable amount of legitimate files that are incorrectly classified as malware (false positive) and long scanning time are the major limitations of heuristic-based. Alternatively, memory-based analysis is a promising technique that gives a comprehensive view of malware and it is expected to become more popular in malware detection. This paper mainly focuses on the following areas: (1) providing an overview of malware types and malware detection methods, (2) discussing current malware analysis techniques, their findings and limitations, (3) studying the malware obfuscation, attacking and anti-analysis techniques, and (4) exploring the structure of memory-based analysis in malware detection. The methods of malware detection are compared with each other according to their techniques, selected features, accuracy rates, and their advantages and disadvantages. This paper aims to help the readers to have a comprehensive view of malware detection and discuss the importance of memory-based analysis in malware detection.

show abstract

“…Hybrid analysis utilizes both static and dynamic analyses [3], [17], [18], [20], [22]- [26]. Memory analysis is a comprehensive analysis method for malware in memory [22], [23]. Once the malware analysis is complete, the detection phase is performed to detect malware in the analyzed content.…”

Section: Introductionmentioning

confidence: 99%

“…Detecting new and variant IoT malware that is evolved intelligently and at a rapidly increasing pace in such devices is difficult. In addition, many constraints are followed to analyze the vast amount of behavior data generated by IoT malware in IoT devices and to detect them after training [2], [7], [11], [16], [23].…”

Section: Introductionmentioning

confidence: 99%

Dynamic Analysis for IoT Malware Detection With Convolution Neural Network Model

2020

View full text Add to dashboard Cite

Internet of Things (IoT) technology provides the basic infrastructure for a hyper connected society where all things are connected and exchange information through the Internet. IoT technology is fused with 5G and artificial intelligence (AI) technologies for use various fields such as the smart city and smart factory. As the demand for IoT technology increases, security threats against IoT infrastructure, applications, and devices have also increased. A variety of studies have been conducted on the detection of IoT malware to avoid the threats posed by malicious code. While existing models may accurately detect malicious IoT code identified through static analysis, detecting the new and variant IoT malware quickly being generated may become challenging. This paper proposes a dynamic analysis for IoT malware detection (DAIMD) to reduce damage to IoT devices by detecting both well-known IoT malware and new and variant IoT malware evolved intelligently. The DAIMD scheme learns IoT malware using the convolution neural network (CNN) model and analyzes IoT malware dynamically in nested cloud environment. DAIMD performs dynamic analysis on IoT malware in a nested cloud environment to extract behaviors related to memory, network, virtual file system, process, and system call. By converting the extracted and analyzed behavior data into images, the behavior images of IoT malware are classified and trained in the Convolution Neural Network (CNN). DAIMD can minimize the infection damage of IoT devices from malware by visualizing and learning the vast amount of behavior data generated through dynamic analysis.INDEX TERMS Cloud-based malware detection, convolution neural network, dynamic analysis, IoT malware, malware detection.

show abstract

Memory forensics using virtual machine introspection for Malware analysis

Cited by 25 publications

References 2 publications

Detection of Anomalous In-Memory Process based on DLL Sequence

Detection of Anomalous In-Memory Process based on DLL Sequence

A Survey on Malware Analysis Techniques: Static, Dynamic, Hybrid and Memory Analysis

Dynamic Analysis for IoT Malware Detection With Convolution Neural Network Model

Contact Info

Product

Resources

About