Chaoyuan Cui,Yun Wu,Ping Li,Rujing Wang

DOI: https://doi.org/10.2991/ccis-13.2013.59

2013-01-01

Abstract:With the development of the Cloud computing, more and more people are accustomed to resource sharing or online shopping. And malware has become a major threat to the Cloud safety. Process hiding is a powerful technique commonly used by stealthy malware to evade detection by anti-malware. In this paper, we present a novel approach called VMPmonitor-an efficient modularity approach for hidden process detection. With the help of the guest OS register information (mainly the ESP) collected by virtual machine monitor, VMPmonitor can implicitly capture the hidden process information of target guest OS. Compared to other approaches, VMPmonitor obtains guest process information implicitly. Using implicit information reduces its susceptibility to guest evasion attack. Experimental result shows that VMPmonitor has better reliability and accuracy.

CHEN Liyue,SUN Xin,CHENG Tiansheng,WU Chunming,CHEN Shuangxi

DOI: https://doi.org/10.11959/j.issn.1000-0801.2020142

2020-01-01

Abstract:Rootkit is a set of persistent and undetectable attack technologies,which can hide their attack behavior and backdoor trace by modifying software or kernel in operating system and changing execution path of instruction.Firstly,the basic definition and evolution of Rootkit were introduced,then the operating principle,current mainstream technology and detection methods of Rootkit were discussed.Then,through comparative experiments on performance and security,the application of mimic defense system was described for Web based on dynamic,heterogeneous,redundant structure under Trojan Horse attack.Experiments show that mimic defense system can effectively defend against Trojan Horse in tests in the premise of low overhead.At last,the opportunities and challenges of the DHR system were summarized.

Xiao-can ZHAO,Ju REN,Yang XU,Guo-jun WANG

DOI: https://doi.org/10.19304/j.cnki.issn1000-7180.2017.12.023

2017-01-01

Abstract:In recent years ,the stealth of malware is getting stronger and stronger .In this paper ,a SMM-based Hidden process Detection model (SHPD) is proposed .SHPD can effectively detect the stealthy process in system while ensuring its own transparency .SHPD consists of two parts :the client and the monitor .The client ,which implemented in BIOS ,uses both internal and external semantic information to establish multiple views of processes in OS and sends those process views to the monitor .The monitor identifies the stealthy process by comparing the differences between the views .In the paper ,we build a prototype system under the support of the SHPD theory , and conduct functional testing and analysis .The experimental results verify the feasibility of SHPD .

Cheng JIA,Yuezhi ZHOU

DOI: https://doi.org/10.3969/j.issn.1000-3428.2017.09.032

2017-01-01

Abstract:This paper researches the existing implementation methods and detection techniques of hidden processes,and proposes a method of getting process information by retrieving memory.The relationship between process structure and handle structure can be used as a memory retrieval flag to retrieve memory.This method avoids the problem of existing memory retrieval methods that the destroyed retrieval flag can lead to failure of detecting hidden process.This paper designs and implements a hidden process detection system by using cross-view matching technology.Experimental results show that the detection system can realize functions to detect and distinguish hidden processes.

zhiqiang ge,zhihuan song

DOI: https://doi.org/10.3182/20080706-5-kr-1001.00434

2008-01-01

IFAC Proceedings Volumes

Abstract:Compared to large process faults, the latent and small ones are difficult to be detected. However, the accumulation of these faults may even more harmful to the process. A novel fault detection and diagnosis method is proposed which is based on similarity factor and a variable moving window. The new method is based on the idea that a change of process can be reflected in the distribution of the data, which can be detected more easily by the proposed similarity factor. Meanwhile, it has no Gaussian distribution limitation of the process data, since the mixed similarity factor is introduced. The independent component analysis (ICA) factor and the principal component analysis (PCA) factor are used for similarity comparison for Gaussian and non-Gaussian information, respectively. Besides, in order to determine the dynamic step accurately and cut the computation cost, the conventional dynamic method is modified by using autocorrelation analysis. A case study of Tennessee Eastman (TE) benchmark process shows the efficiency of the new proposed method.

潘剑锋,刘守群,奚宏生,谭小彬

2010-01-01

Abstract:The present study proposes a method for hidden malcode detection based on the analysis of dynamic control-flow. First we recorded the malcode-related control-flow paths of program, and then the control-flow paths were analyzed, by calling tree match algorithm, to detect the hidden malcode in the system. The experiments show that this method can detect hidden malcode efficiently at a high detection rate and with low false positive, and thus it can be applied to malcode detection on operating systems.

Nitin Kanaskar,Remzi Seker,Jiang Bian,Vir V. Phoha

DOI: https://doi.org/10.1109/TSMCC.2012.2208187

2012-01-01

Abstract:Code injection is a common approach which is utilized to exploit applications. We introduce some of the well-established techniques and formalisms of dynamical system theory into analysis of program behavior via system calls to detect code injections into an applications execution space. We accept a program as a blackbox dynamical system whose internals are not known, but whose output we can observe. The blackbox system observable in our model is the system calls the program makes. The collected system calls are treated as signals which are used to reconstruct the system’s phase space. Then, by using the well-established techniques from dynamical system theory, we quantify the amount of complexity of the system’s (program’s) behavior. The change in the behavior of a compromised system is detected as anomalous behavior compared with the baseline established from a clean program. We test the proposed approach against DARPA-98 dataset and a real-world exploit and present code injection experiments to show the applicability of our approach.

YIN Liang,WEN Wei-Ping

DOI: https://doi.org/10.3969/j.issn.1671-1122.2011.07.009

2011-01-01

Abstract:Windows records some information in memory,for the purpose of managing objects like process,thread,driver,and reporting the status to user.Because the information is in memory,we can modify it.This paper will show some structs and lists that Windows 7 SP1 created,and introduce some methods to protect and hide processes and drivers.

Zhenzhou Tian,Qinghua Zheng,Ting Liu,Ming Fan,Xiaodong Zhang,Zijiang Yang

DOI: https://doi.org/10.1145/2597008.2597143

2014-01-01

Abstract: The availability of inexpensive multicore hardware presents a turning point in software development. In order to benefit from the continued exponential throughput advances in new processors, the software applications must be multithreaded programs. As multithreaded programs become increasingly popular, plagiarism of multithreaded programs starts to plague the software industry. Although there has been tremendous progress on software plagiarism detection technology, existing dynamic approaches remain optimized for sequential programs and cannot be applied to multithreaded programs without significant redesign. This paper fills the gap by presenting two dynamic birthmark based approaches. The first approach extracts key instructions while the second approach extracts system calls. Both approaches consider the effect of thread scheduling on computing software birthmarks. We have implemented a prototype based on the Pin instrumentation framework. Our empirical study shows that the proposed approaches can effectively detect plagiarism of multithread programs and exhibit strong resilience to various semantic-preserving code obfuscations.

YongGang Li,ChaoYuan Cui,BingYu Sun,WenBo Li

DOI: https://doi.org/10.3966/160792642018091905011

2018-01-01

Abstract:With the spread of malwares, the security of virtual machine (VM) is suffering severe challenges recent years. Rootkits and their variants can hide themselves and other kernel objects such as processes, files, and modules making malicious activity hard to be detected. The existed solutions are either coarse-grained, monitoring at virtual machine level, or non-universal, only supporting specific operating system with specific modification. In this paper, we propose a fine-grained approach called HODetector based on static semantic information library (SSIL) to detect the hidden objects outside VM. We have deployed HODetector prototype on Xen virtualization platform and used it to detect the processes, files, and modules hidden by rootkits. The experiment results show that HODetector is effective for different rootkits and general for Linux operating system with various kernels.

Yiheng Duan,Xiao Fu,Bin Luo,Ziqi Wang,Jin Shi,Xiaojiang (James) Du

DOI: https://doi.org/10.1109/icc.2015.7249229

2015-01-01

Abstract:Current memory forensic methods mainly focus on evidence collection and data recovery. A little work is about how to automatically identify malwares from many unknown processes and analyze their behaviors in high semantic level so as to collect related evidences. In fact, in real cases, investigators are often faced with large number of processes that they have no knowledge of. Although current malware detection tools could provide some help, they usually can't illustrate the purposes, abilities and behavior details of malwares and are thus often not fit for the forensic requirements. In this paper, we present a framework named Detective to cope with these issues. Given a set of unknown processes, Detective can classify benign and malware processes automatically. This is implemented by HNB classifying algorithm and a Dynamic-Link Libraries-based model. Detective could then explain malware behaviors in high semantic level through clustering and frequent item sets mining techniques. Besides, Detective sheds light on evidence collection by the information obtained from previous steps. Detective is applicable for both online and offline forensic scenarios. Experiments on real-world malware set have proved that the accuracy of Detective is above 90% and the time cost is only several seconds.

Xiaodong Zhang,Zijiang Yang,Qinghua Zheng,Yu Hao,Pei Liu,Ting Liu

DOI: https://doi.org/10.1109/tse.2018.2871666

IF: 7.4

2020-01-01

IEEE Transactions on Software Engineering

Abstract:With the advent of multicore processors, there is a great need to write parallel programs to take advantage of parallel computing resources. However, due to the nondeterminism of parallel execution, the malware behaviors sensitive to thread scheduling are extremely difficult to detect. Dynamic taint analysis is widely used in security problems. By serializing a multithreaded execution and then propagating taint tags along the serialized schedule, existing dynamic taint analysis techniques lead to under-tainting with respect to other possible interleavings under the same input. In this paper, we propose an approach called DSTAM that integrates symbolic analysis and guided execution to systematically detect tainted instances on all possible executions under a given input. Symbolic analysis infers alternative interleavings of an executed trace that cover new tainted instances, and computes thread schedules that guide future executions. Guided execution explores new execution traces that drive future symbolic analysis. We have implemented a prototype as part of an educational tool that teaches secure C programming, where accuracy is more critical than efficiency. To the best of our knowledge, DSTAM is the first algorithm that addresses the challenge of taint analysis for multithreaded program under fixed inputs.

Farrukh Shahzad,M. Shahzad,Muddassar Farooq

DOI: https://doi.org/10.1016/j.ins.2011.09.016

IF: 8.1

2013-05-01

Information Sciences

Abstract:Run-time behavior of processes – running on an end-host – is being actively used to dynamically detect malware. Most of these detection schemes build model of run-time behavior of a process on the basis of its data flow and/or sequence of system calls. These novel techniques have shown promising results but an efficient and effective technique must meet the following performance metrics: (1) high detection accuracy, (2) low false alarm rate, (3) small detection time, and (4) the technique should be resilient to run-time evasion attempts.To meet these challenges, a novel concept of genetic footprint is proposed, by mining the information in the kernel process control blocks (PCB) of a process, that can be used to detect malicious processes at run time. The genetic footprint consists of selected parameters – maintained inside the PCB of a kernel for each running process – that define the semantics and behavior of an executing process. A systematic forensic study of the execution traces of benign and malware processes is performed to identify discriminatory parameters of a PCB (task_struct is PCB in case of Linux OS). As a result, 16 out of 118 task structure parameters are short listed using the time series analysis. A statistical analysis is done to corroborate the features of the genetic footprint and to select suitable machine learning classifiers to detect malware.The scheme has been evaluated on a dataset that consists of 105 benign processes and 114 recently collected malware processes for Linux. The results of experiments show that the presented scheme achieves a detection accuracy of 96% with 0% false alarm rate in less than 100ms of the start of a malicious activity. Last but not least, the presented technique utilizes partial knowledge that is available at a given time while the process is still executing; as a result, the kernel of OS can devise mitigation strategies. It is also shown that the presented technique is robust to well known run-time evasion attempts.

computer science, information systems

JiaJing Li,Tao Wei,Wei Zou,Jian Mao

DOI: https://doi.org/10.1109/isecs.2009.148

2009-01-01

Abstract:Existing techniques based on behavior semantics for information theft malware detection have the main shortcomings of low path coverage and disability of finding hidden malicious behaviors. In this paper we propose a static method for the detection of information theft malware to overcome these shortcomings. It is particularly efficient for inter-procedure taint analysis, and it is suitable for complicated malware detection, such as Trojan and Bot. Its static style makes it able to find hidden malicious behaviors. We also present an implementation of our method that works on x86 executables and a set of experimental studies validate its good efficiency and effectiveness.

Xiao-zhe LI,Mei-jun ZANG,Yi-qi DAI

DOI: https://doi.org/10.3969/j.issn.1672-464X.2008.04.015

2008-01-01

Abstract:Nowadays,Windows operating system is the most prevalent OS,and its security problem is widely concerned by users.System call interception is an efficient way to control accesses to the Windows system resource.This paper introduces and implements an API HOOK method to intercept Windows system calls,and exploits it to control host behaviors.By experiments,we prove that this system call interception method can control host access to system resources,which improves the security level of Windows OS.

潘茂如,曹天杰

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.18.047

2010-01-01

Abstract:The realization mechanism of the Direct Kernel Object Manipulation(DKOM) and call gate are analyzed and proposed.By using call gate,it can promote the program’s privilege to modify the kernel’s process list to hide the process without the driver.A Trojan program is designed and implemented,and the hidden and survival functions are verified in experimental conditions based on the proposal.The experiments have proved that the Trojan can hide the process effectively and escape the detection and killing of the common security software.It also analyzes the Trojan program’s detection method.

李佳静,梁知音,韦韬,邹维,毛剑

DOI: https://doi.org/10.3724/sp.j.1001.2010.03507

2010-01-01

Abstract:In this paper, a novel method is presented to solve these problems.This method processes the X86 executable programs statically, so it has a higher code coverage than dynamic methods.Besides, it employs a data flow analysis method to identify the jump targets for indirect jumps.It also utilizes optimized tainting mark rules based on the operation semantic of branch conditions.Experiments on 103 real malwares and 7 benign softwares show that the proposed method has the following advantages: For Trojan-spy program detection, it can reduce the false negatives caused by the explicit-flow-sensitive method, and it is effective in dealing with information steal behaviors triggered by some particular conditions.For benign program analysis, it can reduce most of the tainted branches that should be tracked in the original implicit-flow-sensitive method without optimization.

Xinmei HOU,Kaikun DONG

DOI: https://doi.org/10.3969/j.issn.2095-2163.2016.05.009

2016-01-01

Abstract:With the advent of the information age, more and more people pay attention to the network security. Safety engineers have treated malicious virus and programs as the protection key, network security offensive and defensive game never stops. This paper proposes a malicious behavior backend monitoring scheme based on Windows Service, detecting and intercepting the abnormal behaviors with DLL injection and API HOOK caused by virus from Multi?Demensions. This method covers the shortage of single detection dimension. It is particularly worth mentioning here that this paper adopts a way of kernel?level injection by analysing kernel?level system calls, and works out the limitation on injection behaviors by mainstream OS, makes the cross?platform general injection possible. Finally, this system runs in backend in a Windows Service way, reduces the energy consumption and improves the operation stability. Meanwhile, the paper proposes the conception of “Selfish Protection Set”, which provides a deeper research direction for malicious behaviors monitoring.

Jianguo Ding,Jian Jin,Pascal Bouvry,Yongtao Hu,Haibing Guan

DOI: https://doi.org/10.1109/ICIMP.2009.20

2009-01-01

Abstract:With the rising popularity of the Internet, the resulting increase in the number of available vulnerable machines, and the elevated sophistication of the malicious code itself, the detection and prevention of unknown malicious codes meet great challenges. Traditional anti-virus scanner employs static features to detect malicious executable codes and is hard to detect the unknown malicious codes effectively. We propose behavior-based dynamic heuristic analysis approach for proactive detection of unknown malicious codes. The behavior of malicious codes is identified by system calling through virtual emulation and the changes in system resources. A statistical detection model and mixture of expert (MoE) model are designed to analyze the behavior of malicious codes. The experiment results demonstrate the behavior-based proactive detection is efficient in detecting unknown malicious executable codes.

林卫亮,王轶骏,薛质

DOI: https://doi.org/10.3969/j.issn.1009-8054.2009.03.025

2009-01-01

Abstract:Rootkit is a system layer hidden mechanism and implementation program and is becoming more and more popular.It is designed to take fundamental control of a computer system,without authorization by the system owners and legitimate managers.Concealing running processes is one of the Win32 Rootkit's standard functions.In this paper,the techniques for detecting this kind of Win32 Rootkit,are studiues and implemented their advantages and disadvantages analyzed and compaired,Finally,some prospects for this technique are proposed.