一种检测恶意进程的方法

2014 28th International Conference on Advanced Information Networking and Applications Workshops Pub Date : 2014-05-13 DOI:10.1109/WAINA.2014.164

Takumi Yamamoto, Kiyoto Kawauchi, Shoji Sakurai

{"title":"一种检测恶意进程的方法","authors":"Takumi Yamamoto, Kiyoto Kawauchi, Shoji Sakurai","doi":"10.1109/WAINA.2014.164","DOIUrl":null,"url":null,"abstract":"Malwares' communication detection methods based on communication characteristics have been proposed. However as malwares are getting more sophisticated and legitimate softwares' communication is getting diverse, it becomes harder to correctly tell malwares' communication and legitimate softwares' communication apart. Therefore we propose a method to check whether a process generating suspicious communication is malicious or not. This method focuses on malwares which impersonate a legitimate process by injecting malicious codes into the process. This method extracts two process images. One is obtained from a process to be checked (target process) generating suspicious communication. The other is obtained by executing the same executable as the target process in a clean Virtual Machine. Then the two process images are compared to extract injected codes. Finally the codes are verified whether the codes are malicious or not.","PeriodicalId":424903,"journal":{"name":"2014 28th International Conference on Advanced Information Networking and Applications Workshops","volume":"200 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2014-05-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":"{\"title\":\"Proposal of a Method Detecting Malicious Processes\",\"authors\":\"Takumi Yamamoto, Kiyoto Kawauchi, Shoji Sakurai\",\"doi\":\"10.1109/WAINA.2014.164\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Malwares' communication detection methods based on communication characteristics have been proposed. However as malwares are getting more sophisticated and legitimate softwares' communication is getting diverse, it becomes harder to correctly tell malwares' communication and legitimate softwares' communication apart. Therefore we propose a method to check whether a process generating suspicious communication is malicious or not. This method focuses on malwares which impersonate a legitimate process by injecting malicious codes into the process. This method extracts two process images. One is obtained from a process to be checked (target process) generating suspicious communication. The other is obtained by executing the same executable as the target process in a clean Virtual Machine. Then the two process images are compared to extract injected codes. Finally the codes are verified whether the codes are malicious or not.\",\"PeriodicalId\":424903,\"journal\":{\"name\":\"2014 28th International Conference on Advanced Information Networking and Applications Workshops\",\"volume\":\"200 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2014-05-13\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"2\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2014 28th International Conference on Advanced Information Networking and Applications Workshops\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/WAINA.2014.164\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2014 28th International Conference on Advanced Information Networking and Applications Workshops","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/WAINA.2014.164","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 2

摘要

提出了基于通信特性的恶意软件通信检测方法。然而，随着恶意软件的日益复杂和正版软件通信的多样化，正确区分恶意软件通信和正版软件通信变得越来越困难。因此，我们提出了一种检测产生可疑通信的进程是否为恶意进程的方法。该方法主要针对通过向进程中注入恶意代码来冒充合法进程的恶意软件。该方法提取两个过程图像。一个是从产生可疑通信的待检查进程(目标进程)中获得的。另一个是通过在干净的虚拟机中执行与目标进程相同的可执行文件获得的。然后对两个过程图像进行比较，提取注入代码。最后验证代码是否为恶意代码。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Proposal of a Method Detecting Malicious Processes

Malwares' communication detection methods based on communication characteristics have been proposed. However as malwares are getting more sophisticated and legitimate softwares' communication is getting diverse, it becomes harder to correctly tell malwares' communication and legitimate softwares' communication apart. Therefore we propose a method to check whether a process generating suspicious communication is malicious or not. This method focuses on malwares which impersonate a legitimate process by injecting malicious codes into the process. This method extracts two process images. One is obtained from a process to be checked (target process) generating suspicious communication. The other is obtained by executing the same executable as the target process in a clean Virtual Machine. Then the two process images are compared to extract injected codes. Finally the codes are verified whether the codes are malicious or not.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2014 28th International Conference on Advanced Information Networking and Applications Workshops

自引率

0.00%

发文量