Using IRP and local alignment method to detect distributed malware

Abstract

Malware seriously threatens national security and personal privacy, but the evasive behavior of malware is becoming more and more covert and difficult to analyze. Thus, effectively detect malware is of great significance. Distributed malware injection is a new type of evasion technique. By dividing the malware into blocks, and then injecting the blocks into multiple benign processes, each block communicates with each other and can perform complete malicious actions in sequence, making the existing of malware detection fails. Currently, commercial anti-virus software cannot effectively detect distributed malware. At the same time, for this type of malware research, we believe that there is still room for improvement in detection performance. For this evasion technique, this paper proposes a detection method using I/O request package (IRP) sequence features combined with local alignment algorithms in bioinformatics. In the detection process, we filter and extract important IRP requests in operating system, and use the local alignment algorithm to compare with the malware’s IRP sequence, which can effectively identify the distributed malware hidden in the system. This paper uses real malware to split and perform detection experiments. The results prove that our detection method can effectively detect distributed malware, and the detection accuracy is better than similar research.