Noninvasive detection of anti-forensic malware

Guri, Mordehai; Kedma, Gabi; Sela, Tom; Carmeli, Buky; Rosner, Amit; Elovici, Yuval

doi:10.1109/malware.2013.6703679

Cited by 5 publications

(1 citation statement)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Noninvasive Techniques: Authors in [17] propose a noninvasive method to detect the malwares possessing anti-forensic mechanisms. Their method requires tracing flow of instructions (Opcode) and the flow of input-output operations (IO) of a malware under multiple execution environments (forensic vs non-forensic) and comparing the traces for suspected vulnerabilities.…”

Section: Related Workmentioning

confidence: 99%

Anti-forensic = Suspicious: Detection of Stealthy Malware that Hides Its Network Traffic

Agarwal

Puzis

Haj-Yahya

et al. 2018

ICT Systems Security and Privacy Protection

Self Cite

View full text Add to dashboard Cite

Stealthy malware hides its presence from the users of a system by hooking the relevant libraries, drivers, system calls or manipulating the services commonly used to monitor system behaviour. Tampering the network sensors of host-based intrusion detection systems (HIDS) may impair their ability to detect malware and significantly hinders subsequent forensic investigations. Nevertheless, the mere attempt to hide the traffic indicates malicious intentions. In this paper we show how comparison of the data collected by multiple sensors at different levels of resilience may reveal these intentions. At the lowest level of resilience, information from untrusted sensors such as netstat and process lists are used. At the highest resilience level, we analyse mirrored traffic using a secured hardware device. This technique can be considered as fully trusted. The detection of a discrepancy between what is reported by these common tools and what is observed on a trusted system operating at a different level is a good way to force a dilemma on malware writers: either apply hiding techniques, with the risk that the discrepancy is detected, or keep the status of network connections untouched, with a greater ability for the administrator to recognize the presence and to understand the behaviour of malware. The proposed method was implemented on an evaluation testbed and is able to detect stealthy malware that hides its communication from the HIDS. The false positive rate is 0.01% of the total traffic analysed, and barring a few exceptions that can easily be white-listed, there are no legitimate processes which raise false alerts.

show abstract

Section: Related Workmentioning

confidence: 99%