Proposal of a Method Detecting Malicious Processes
Takumi Yamamoto, Kiyoto Kawauchi, Shoji Sakurai
2014 28th International Conference on Advanced Information Networking and Applications Workshops, published 2014-05-13
DOI: 10.1109/WAINA.2014.164 (https://doi.org/10.1109/WAINA.2014.164)
Citation count: 2
Abstract
Methods for detecting malware communication based on its communication characteristics have been proposed. However, as malware becomes more sophisticated and the communication of legitimate software becomes more diverse, it is getting harder to correctly tell malware communication and legitimate software communication apart. We therefore propose a method to check whether a process generating suspicious communication is malicious or not. The method focuses on malware that impersonates a legitimate process by injecting malicious code into that process. The method extracts two process images. One is obtained from the process to be checked (the target process), which is generating the suspicious communication. The other is obtained by executing the same executable as the target process in a clean virtual machine. The two process images are then compared to extract the injected code. Finally, the extracted code is verified to determine whether it is malicious or not.