{"title":"Real-Time Detection System Against Malicious Tools by Monitoring DLL on Client Computers","authors":"Wataru Matsuda, Mariko Fujimoto, Takuho Mitsunaga","doi":"10.1109/AINS47559.2019.8968697","DOIUrl":null,"url":null,"abstract":"Targeted attacks cause severe damage worldwide. Detecting targeted attacks is challenging because the attack methods are very sophisticated. Network-based solutions such as firewalls, proxy servers, and Intrusion Detection Systems (IDS) have been widely used. In addition, detection methods for malicious programs that monitor behavior on endpoints, called Endpoint Detection and Response (EDR), have recently been proposed. Some researchers have also introduced detection methods using DLLs by analyzing suspicious files in a sandbox such as Cuckoo. Using Cuckoo is one solution for analyzing files that are already identified as malicious. In this research, we propose a real-time detection method for malicious tools using DLL information collected by System Monitor (Sysmon), a free logging tool provided by Microsoft. The purpose of our method is to detect new malicious processes in the production environment. We focus on DLLs commonly loaded by malicious tools regardless of the environment, and propose “the common DLL lists” for detection. Moreover, we introduce a practical detection method that utilizes Elastic Stack as Security Information and Event Management (SIEM). By using Elastic Stack, DLL information loaded on computers can be uniformly monitored, enabling real-time detection by comparing logs with the common DLL lists. We evaluate the effectiveness of the proposed method using four free malicious tools introduced by US-CERT: China Chopper, Mimikatz, PowerShell Empire, and HUC Packet Transmitter. As a result, our method detected China Chopper, Mimikatz, and PowerShell Empire with 100% accuracy. A few false positives occurred for HUC Packet Transmitter, and the false positive rate was 0.55%. We confirmed that the common DLL lists are useful for detecting malicious tools in real time using Elastic Stack.","PeriodicalId":309381,"journal":{"name":"2019 IEEE Conference on Application, Information and Network Security (AINS)","volume":"60 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2019-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2019 IEEE Conference on Application, Information and Network Security (AINS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/AINS47559.2019.8968697","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 4