利用内存分析检测进程注入攻击的新方法

IF 2.4 4区计算机科学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

International Journal of Information Security Pub Date : 2024-03-16 DOI:10.1007/s10207-024-00836-w

Mohammed Nasereddin, Raad Al-Qassas

{"title":"利用内存分析检测进程注入攻击的新方法","authors":"Mohammed Nasereddin, Raad Al-Qassas","doi":"10.1007/s10207-024-00836-w","DOIUrl":null,"url":null,"abstract":"This paper introduces a new approach for examining and analyzing fileless malware artifacts in computer memory. The proposed approach offers the distinct advantage of conducting a comprehensive live analysis of memory without the need for periodic memory dumping. Once a new process arrives, log files are collected by monitoring the Event Tracing for Windows facility as well as listing the executables of the active process for violation detection. The proposed approach significantly reduces detection time and minimizes resource consumption by adopting parallel computing (programming), where the main software (Master) divides the work, organizes the process of searching for artifacts, and distributes tasks to several agents. A dataset of 17411 malware samples is used in the assessment of the new approach. It provided satisfactory and reliable results in dealing with at least six different process injection techniques including classic DLL injection, reflective DLL injection, process hollowing, hook injection, registry modifications, and .NET DLL injection. The detection accuracy rate has reached \\(99.93\\%\\) with a false-positive rate of \\(0.068\\%\\). Moreover, the accuracy was monitored in the case of launching several malwares using different process injection techniques simultaneously, and the detector was able to detect them efficiently. Also, it achieved a detection time with an average of 0.052 msec per detected malware.","PeriodicalId":50316,"journal":{"name":"International Journal of Information Security","volume":"1 1","pages":""},"PeriodicalIF":2.4000,"publicationDate":"2024-03-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"A new approach for detecting process injection attacks using memory analysis\",\"authors\":\"Mohammed Nasereddin, Raad Al-Qassas\",\"doi\":\"10.1007/s10207-024-00836-w\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"This paper introduces a new approach for examining and analyzing fileless malware artifacts in computer memory. The proposed approach offers the distinct advantage of conducting a comprehensive live analysis of memory without the need for periodic memory dumping. Once a new process arrives, log files are collected by monitoring the Event Tracing for Windows facility as well as listing the executables of the active process for violation detection. The proposed approach significantly reduces detection time and minimizes resource consumption by adopting parallel computing (programming), where the main software (Master) divides the work, organizes the process of searching for artifacts, and distributes tasks to several agents. A dataset of 17411 malware samples is used in the assessment of the new approach. It provided satisfactory and reliable results in dealing with at least six different process injection techniques including classic DLL injection, reflective DLL injection, process hollowing, hook injection, registry modifications, and .NET DLL injection. The detection accuracy rate has reached \\\\(99.93\\\\%\\\\) with a false-positive rate of \\\\(0.068\\\\%\\\\). Moreover, the accuracy was monitored in the case of launching several malwares using different process injection techniques simultaneously, and the detector was able to detect them efficiently. Also, it achieved a detection time with an average of 0.052 msec per detected malware.\",\"PeriodicalId\":50316,\"journal\":{\"name\":\"International Journal of Information Security\",\"volume\":\"1 1\",\"pages\":\"\"},\"PeriodicalIF\":2.4000,\"publicationDate\":\"2024-03-16\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"International Journal of Information Security\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://doi.org/10.1007/s10207-024-00836-w\",\"RegionNum\":4,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q3\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Information Security","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1007/s10207-024-00836-w","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

摘要

本文介绍了一种用于检查和分析计算机内存中无文件恶意软件工件的新方法。该方法具有无需定期转储内存即可对内存进行全面实时分析的显著优势。一旦出现新进程，就会通过监控 Windows 的事件跟踪设施收集日志文件，并列出活动进程的可执行文件，以便进行违规检测。所提出的方法通过采用并行计算（编程），由主软件（Master）进行分工，组织搜索人工制品的过程，并将任务分配给多个代理，从而大大缩短了检测时间，并最大限度地减少了资源消耗。新方法的评估使用了一个包含 17411 个恶意软件样本的数据集。在处理至少六种不同的进程注入技术（包括经典 DLL 注入、反射式 DLL 注入、进程空洞化、钩子注入、注册表修改和 .NET DLL 注入）时，它提供了令人满意的可靠结果。检测准确率达到了 99.93%，假阳性率为 0.068%。此外，在使用不同的进程注入技术同时启动多个恶意软件的情况下，检测器也能有效地检测到它们。同时，它的检测时间达到了平均每个被检测恶意软件 0.052 毫秒。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

A new approach for detecting process injection attacks using memory analysis

查看原文本刊更多论文

A new approach for detecting process injection attacks using memory analysis

This paper introduces a new approach for examining and analyzing fileless malware artifacts in computer memory. The proposed approach offers the distinct advantage of conducting a comprehensive live analysis of memory without the need for periodic memory dumping. Once a new process arrives, log files are collected by monitoring the Event Tracing for Windows facility as well as listing the executables of the active process for violation detection. The proposed approach significantly reduces detection time and minimizes resource consumption by adopting parallel computing (programming), where the main software (Master) divides the work, organizes the process of searching for artifacts, and distributes tasks to several agents. A dataset of 17411 malware samples is used in the assessment of the new approach. It provided satisfactory and reliable results in dealing with at least six different process injection techniques including classic DLL injection, reflective DLL injection, process hollowing, hook injection, registry modifications, and .NET DLL injection. The detection accuracy rate has reached \(99.93\%\) with a false-positive rate of \(0.068\%\). Moreover, the accuracy was monitored in the case of launching several malwares using different process injection techniques simultaneously, and the detector was able to detect them efficiently. Also, it achieved a detection time with an average of 0.052 msec per detected malware.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

International Journal of Information Security 工程技术-计算机：理论方法

CiteScore

6.30

自引率

3.10%

发文量

审稿时长

12 months

期刊介绍： The International Journal of Information Security is an English language periodical on research in information security which offers prompt publication of important technical work, whether theoretical, applicable, or related to implementation. Coverage includes system security: intrusion detection, secure end systems, secure operating systems, database security, security infrastructures, security evaluation; network security: Internet security, firewalls, mobile security, security agents, protocols, anti-virus and anti-hacker measures; content protection: watermarking, software protection, tamper resistant software; applications: electronic commerce, government, health, telecommunications, mobility.