Malicious Processes Research Articles

USING SUPPORT VECTORS TO BUILD A RULE-BASED SYSTEM FOR DETECTING MALICIOUS PROCESSES IN AN ORGANISATION'S NETWORK TRAFFIC

The growing complexity and sophistication of cyberattacks on organisational information resources and the variety of malware processes in unprotected networks necessitate the development of advanced methods for detecting malicious processes in network traffic. Systems for detecting malicious processes based on machine learning and rule-based methods have their advantages and disadvantages. We have investigated the possibility of using support vectors to create a rule-based system for detecting malicious processes in an organisation's network traffic. We propose a method for building a rule-based system for detecting malicious processes in an organisation's network traffic using the distribution data of the relevant features of support vectors. The application of this method on real CSE-CIC-IDS2018 network traffic data containing characteristics of malicious processes has shown acceptable accuracy, high clarity and computational efficiency in detecting malicious processes in network traffic. In our opinion, the results of this study will be useful in creating automatic systems for detecting malicious processes in the network traffic of organisations and in creating and using synthetic data in such systems.

Obfuscation strategies for industrial control systems

Recently released scan data on Shodan reveals that thousands of Industrial Control Systems (ICSs) worldwide are directly accessible via the Internet and, thus, exposed to cyber-attacks aiming at financial gain, espionage, or disruption and/or sabotage. Executing sophisticated cyber–physical attacks aiming to manipulate industrial functionalities requires a deep understanding of the underlying physical process at the core of the target ICS, for instance, through unauthorized access to memory registers of Programmable Logic Controllers (PLCs). However, to date, countermeasures aiming at hindering the comprehension of physical processes remain largely unexplored.In this work, we investigate the use of obfuscation strategies to complicate process comprehension of ICSs while preserving their runtime evolution. To this end, we propose a framework to design and evaluate obfuscation strategies for PLCs, involving PLC memory registers, PLC code (user program), and the introduction of extra (spurious) physical processes. Our framework categorizes obfuscation strategies based on two dimensions: the type of (spurious) registers employed in the obfuscation strategy and the dependence on the (genuine) physical process. To evaluate the efficacy of proposed obfuscation strategies, we introduce evaluation metrics to assess their potency and resilience, in terms of system invariants the attacker can derive, and their cost in terms of computational overhead due to runtime modifications of spurious PLC registers. We developed a prototype tool to automatize the devised obfuscation strategies and applied them to a non-trivial use case in the field of water tank systems. Our results show that code obfuscation can be effectively used to counter malicious process comprehension of ICSs achieved via scanning of PLC memory registers. To our knowledge, this is the first work using obfuscation as a technique to protect ICSs from such threats. The efficacy of the proposed obfuscation strategies predominantly depends on the intrinsic complexity of the interplay introduced between genuine and spurious registers.

Detection Strategies for COM, WMI, and ALPC-Based Multi-Process Malware.

Behavioral malware detection is based on attributing malicious actions to processes. Malicious processes may try to hide by changing the behavior of other benign processes to achieve their goals. We showcase how Component Object Model (COM) and Windows Management Instrumentation (WMI) can be used to create such spoofing attacks. We discuss the internals of COM and WMI and Asynchronous Local Procedure Call (ALPC). We present multiple functional monitoring techniques to identify the spoofing and discuss the strong and weak points of each technique. We create a robust process monitoring system that can correctly identify the source of malicious actions spoofed via COM, WMI and ALPC with a low performance impact. Finally, we discuss how malicious actors use COM, WMI and ALPC by examining real-world malware detected by our monitoring system.

ProcGCN: detecting malicious process in memory based on DGCNN.

The combination of memory forensics and deep learning for malware detection has achieved certain progress, but most existing methods convert process dump to images for classification, which is still based on process byte feature classification. After the malware is loaded into memory, the original byte features will change. Compared with byte features, function call features can represent the behaviors of malware more robustly. Therefore, this article proposes the ProcGCN model, a deep learning model based on DGCNN (Deep Graph Convolutional Neural Network), to detect malicious processes in memory images. First, the process dump is extracted from the whole system memory image; then, the Function Call Graph (FCG) of the process is extracted, and feature vectors for the function node in the FCG are generated based on the word bag model; finally, the FCG is input to the ProcGCN model for classification and detection. Using a public dataset for experiments, the ProcGCN model achieved an accuracy of 98.44% and an F1 score of 0.9828. It shows a better result than the existing deep learning methods based on static features, and its detection speed is faster, which demonstrates the effectiveness of the method based on function call features and graph representation learning in memory forensics.

A secure and efficient UAV network defense strategy: Convergence of blockchain and deep learning

Unmanned Aerial Vehicles (UAVs) are highly versatile and efficient tools utilized across diverse industries for data collection. However, they are vulnerable to wireless communication and data exchange risks, including unauthorized access, data theft, and network attacks. To address these problems, we introduce a secure and reliable UAV network service architecture that incorporates blockchain and deep learning to provide more secure and efficient network services for UAVs. We propose a UAV cluster identity management module by combining blockchain, encryption algorithms, and digital signatures to enhance the security of UAV communication data transmission. Then, based on machine learning, deep learning, and malicious process detection technology, we propose a real-time secure situational awareness system for UAV cluster terminal devices to enhance the security of the operating environment for UAVs. Finally, we propose a data-trustworthy interconnection platform based on blockchain, smart contracts, and consensus algorithms to realize secure and efficient sharing and transmission of terminal data. The results of the experiments demonstrate the feasibility and effectiveness of our UAV network service architecture.

Topology-Aware Adaptive Inspection for Fraud in I4.0 Supply Chains

Supply chain fraud involving counterfeit or adulterated products presents threats to human health and safety. Quality inspection is a key fraud mitigation tool where inspection planning involves allocating inspection resources across geographically dispersed assets considering both the cost and value of the inspection. I4.0 environments pose further challenges as their heterogeneous and dynamic cyber-physical environment creates a large inspection resource allocation solution space, causing the corresponding analysis to be computationally complex. In this article, we contribute to supporting optimal inspection decisions of dynamic cyber-physical supply chains through the use of structural representations— <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">topologies</i> of the supply chain, physical premises, and their production context. We present an approach for topology modeling of supply chains and illustrate its use within an adaptive inspection approach, showing that structural information can reduce malicious process discovery times by up to 90%.

A Malware Detection Approach Based on Deep Learning and Memory Forensics

As cyber attacks grow more complex and sophisticated, new types of malware become more dangerous and challenging to detect. In particular, fileless malware injects malicious code into the physical memory directly without leaving attack traces on disk files. This type of attack is well concealed, and it is difficult to find the malicious code in the static files. For malicious processes in memory, signature-based detection methods are becoming increasingly ineffective. Facing these challenges, this paper proposes a malware detection approach based on convolutional neural network and memory forensics. As the malware has many symmetric features, the saved training model can detect malicious code with symmetric features. The method includes collecting executable static malicious and benign samples, running the collected samples in a sandbox, and building a dataset of portable executables in memory through memory forensics. When a process is running, not all the program content is loaded into memory, so binary fragments are utilized for malware analysis instead of the entire portable executable (PE) files. PE file fragments are selected with different lengths and locations. We conducted several experiments on the produced dataset to test our model. The PE file with 4096 bytes of header fragment has the highest accuracy. We achieved a prediction accuracy of up to 97.48%. Moreover, an example of fileless attack is illustrated at the end of the paper. The results show that the proposed method can detect malicious codes effectively, especially the fileless attack. Its accuracy is better than that of common machine learning methods.

MDCD: A malware detection approach in cloud using deep learning

AbstractWith the increasing popularity of cloud computing applications, the threat of malware attack against cloud environments is getting worse. To defend against malware attacks in the cloud, some virtualization‐based approaches are proposed. However, the existing methods suffer from limitations in terms of detection accuracy, deployment effort, and performance cost. To address these issues, we propose MDCD, a novel dynamic malware detection solution for cloud environments. This method first utilizes a lightweight agent to collect the run‐time utilization information from the target virtual machine (VM). Then, it leverages the memory forensics analysis technique to extract the memory object information from the target VM's memory. To fully make use of the run‐time utilization and memory object information for malware detection, we propose a multi‐CNN model, which combines multiple convolutional neural networks (CNNs) efficiently. The evaluation shows that our approach can achieve an average detection accuracy, precision, recall, and F1 Score of 98.89%, 97.01%, 98.17%, and 97.89% respectively. Compared with the existing solutions, our method can detect multiple malicious processes effectively with little deployment effort.

HADES-IoT: A Practical and Effective Host-Based Anomaly Detection System for IoT Devices (Extended Version)

Internet of Things (IoT) devices have become ubiquitous, with applications in many domains, including industry, transportation, and healthcare; these devices also have many household applications. The proliferation of IoT devices has raised security and privacy concerns, however many manufacturers neglect these aspects, focusing solely on the core functionality of their products due to the short time to market and the need to reduce product costs. Consequently, vulnerable IoT devices are left unpatched, allowing attackers to exploit them for various purposes, which include compromising the device users’ privacy or recruiting the devices to an IoT botnet. We present a practical and effective host-based anomaly detection system for IoT devices (HADES-IoT) as a novel last line of defense. HADES-IoT has proactive detection capabilities that enable the execution of any malicious process to be stopped before it even starts. HADES-IoT provides tamper-proof protection and can be deployed on a wide range of Linux-based IoT devices. HADES-IoT’s main advantage is its low overhead, making it suitable for Linux-based IoT devices where state-of-the-art security solutions are infeasible due to their high-performance demands. We deployed HADES-IoT on seven IoT devices, where it demonstrated 100% effectiveness in the detection of IoT malware, including VPNFilter, IoT Reaper, and Mirai malware, while requiring only 5.5% (on average) of the available memory and consuming just negligible CPU resources.

Evading behavioral classifiers: a comprehensive analysis on evading ransomware detection techniques

Recent progress in machine learning has led to promising results in behavioral malware detection. Behavioral modeling identifies malicious processes via features derived by their runtime behavior. Behavioral features hold great promise as they are intrinsically related to the functioning of each malware, and are therefore considered difficult to evade. Indeed, while a significant amount of results exists on evasion of static malware features, evasion of dynamic features has seen limited work. This paper examines the robustness of behavioral ransomware detectors to evasion and proposes multiple novel techniques to evade them. Ransomware behavior differs significantly from that of benign processes, making it an ideal best case for behavioral detectors, and a difficult candidate for evasion. We identify and propose a set of novel attacks that distribute the overall malware workload across a small set of independent, cooperating processes in order to avoid the generation of significant behavioral features. Our most effective attack decreases the accuracy of a state-of-the-art classifier from 98.6 to 0% using only 18 cooperating processes. Furthermore, we show our attacks to be effective against commercial ransomware detectors in a black-box setting. Finally, we evaluate a detector designed to identify our most effective attack, as well as discuss potential directions to mitigate our most advanced attack.

Robust deep learning early alarm prediction model based on the behavioural smell for android malware

Due to the widespread expansion of the Android malware industry, malicious Android processes mining became a necessity to understand their behavior. Nevertheless, due to the complexities of size, length, and associations of some essential and distinguishing Android applications’ features such as API calls and system calls, mining malicious Android processes become a prominent obstacle. The malicious process mining obstacle is also coupled with the increasing rate of zero-day attacks, with no prior knowledge about those kinds of behaviors. Hence, malware detection alone is no longer enough; instead, we need new methodologies to predict malicious behaviors early. In this paper, we propose a behavioral Android malware smell predictor model. Our model relies on various static and dynamic features. We overcame the problem of massive feature size and complex associations by encapsulating related features in a few cluster classes. Accordingly, the cluster classes are exchangeably used to represent the features in the original calling sequences. Regarding substantially long sequences, experimental results showed that our model could predict whether a process is behaving maliciously or not based on rapid-sequence-snapshot analysis. The proposed model counted on the LSTM model to classify the reformed API and system call sequences snapshots. Moreover, we used ensemble machine learning classifiers to classify Android permissions. We trained the LSTM model using random snapshots of the newly formed API and system call cluster sequences. We tested our model against common ransomware attacks. We found that our trained LSTM model showed stable performance at a particular snapshot size. The model showed competitive accuracy in predicting new sequences. Accordingly, we proposed an early alarm solution for blocking malicious payloads instead of identifying them after their fulfillment. Hence, we can avoid the cost of future damage.

Deep Learning-based Hybrid Model for Efficient Anomaly Detection

It is common among security organizations to run processes system call trace data to predict its anomalous behavior, and it is still a dynamic study region. Learning-based algorithms can be employed to solve such problems since it is typical pattern recognition problem. With the advanced progress in operating systems, some datasets became outdated and irrelevant. System calls datasets such as Australian Defense Force Academy Linux Dataset (ADFA-LD) are amongst the current cohort containing labeled data of system call traces for normal and malicious processes on various applications. In this paper, we propose a hybrid deep learning-based anomaly detection system. To advance the detection accurateness and competence of anomaly detection systems, Convolution Neural Network (CNN) with Long Short Term Memory (LSTM) is employed. The raw sequence of system call trace is fed to the CNN network first, reducing the traces' dimension. This reduced trace vector is further fed to the LSTM network to learn the sequences of the system calls and produce the concluding detection outcome. Tensorflow-GPU was used to implement and train the hybrid model and evaluated on the ADFA-LD dataset. Experimental results showed that the proposed method had reduced training time with an enhanced anomaly detection rate. Therefore, this method lowers the false alarm rates.

Real-Time Malware Process Detection and Automated Process Killing

Perimeter-based detection is no longer sufficient for mitigating the threat posed by malicious software. This is evident as antivirus (AV) products are replaced by endpoint detection and response (EDR) products, the latter allowing visibility into live machine activity rather than relying on the AV to filter out malicious artefacts. This paper argues that detecting malware in real-time on an endpoint necessitates an automated response due to the rapid and destructive nature of some malware. The proposed model uses statistical filtering on top of a machine learning dynamic behavioural malware detection model in order to detect individual malicious processes on the fly and kill those which are deemed malicious. In an experiment to measure the tangible impact of this system, we find that fast-acting ransomware is prevented from corrupting 92% of files with a false positive rate of 14%. Whilst the false-positive rate currently remains too high to adopt this approach as-is, these initial results demonstrate the need for a detection model that is able to act within seconds of the malware execution beginning; a timescale that has not been addressed by previous work.

RT-Sniper: A Low-Overhead Defense Mechanism Pinpointing Cache Side-Channel Attacks

Since cache side-channel attacks have been serious security threats to multi-tenant systems, there have been several studies to protect systems against the attacks. However, the prior studies have limitations in determining only the existence of the attack and/or occupying too many computing resources in runtime. We propose a low-overhead pinpointing solution, called RT-Sniper, to overcome such limitations. RT-Sniper employs a two-level filtering mechanism to minimize performance overhead. It first monitors hardware events per core and isolates a suspected core to run a malicious process. Then among the processes running on the selected core, RT-Sniper pinpoints a malicious process through a per-process monitoring approach. With the core-level filtering, RT-Sniper has an advantage in overhead compared to the previous works. We evaluate RT-Sniper against Flush+Reload and Prime+Probe attacks running SPEC2017, LMBench, and PARSEC benchmarks on multi-core systems. Our evaluation demonstrates that the performance overhead by RT-Sniper is negligible (0.3% for single-threaded applications and 2.05% for multi-threaded applications). Compared to the previous defense solutions against cache side-channel attacks, RT-Sniper exhibits better detection performance with lower performance overhead.

Process based volatile memory forensics for ransomware detection

AbstractRansomware is an emerging category of malware that locks computer data via powerful cryptographic algorithms. The global propagation of ransomware is a serious threat for individuals and organizations. The banking sector and financial institutions are the prime targets of such ransomware attacks. In case of such an attack, the field of digital forensics helps in estimation of the severity and data loss caused by the attack. Traditional digital forensics investigations make use of static or behavioral analysis to detect malware in infected systems. However, these procedures are challenged by malware obfuscation techniques. Malicious processes can stay inactive and undetected if only a single memory dump is analyzed. Thus, there is a need to collect numerous memory dumps of an individual program that can help with comprehensive and accurate analysis. In this article, we have developed a framework for volatile memory acquisition at regular time intervals to analyze the behavior of individual processes in memory. Through memory forensics, salient features are extracted from the infected memory dumps. These features can be utilized to classify malicious and benign processes efficiently through machine learning as compared to conventional techniques.

Detector[formula omitted]: An approach for detecting, isolating, and preventing timing attacks

In this work, we present a novel approach, called Detector+, to detect, isolate, and prevent timing-based side channel attacks (i.e., timing attacks) at runtime. The proposed approach is based on a simple observation that the time measurements required by the timing attacks differ from those required by the benign applications as these attacks need to measure the execution times of typically quite short-running operations. Detector+, therefore, monitors the time readings made by processes and mark consecutive pairs of readings that are close to each other in time as suspicious. In the presence of suspicious time measurements, Detector+ introduces noise into the measurements to prevent the attacker from extracting information by using these measurements. The sequence of suspicious time measurements are then analyzed by using a sliding window based approach to pinpoint the malicious processes at runtime. We have empirically evaluated the proposed approach by using five well known timing attacks, including Meltdown, together with their variations, representing some of the mechanisms that an attacker can employ to become stealthier. In one evaluation setup, each type of attack was carried out concurrently by multiple processes. In the other setup, multiple types of attacks were carried out concurrently. In all the experiments, Detector+ detected all the malicious time measurements with almost a perfect accuracy, prevented all the attacks, and correctly pinpointed all the malicious processes involved in the attacks without any false positives after they have made a few time measurements with an average runtime overhead of 1.56%.

A Multi-Perspective malware detection approach through behavioral fusion of API call sequence

The widespread development of the malware industry is considered the main threat to our e-society. Therefore, malware analysis should also be enriched with smart heuristic tools that recognize malicious behaviors effectively. Although the generated API calling graph representation for malicious processes encodes worthwhile information about their malicious behavior, it is pragmatically inconvenient to generate a behavior graph for each process. Therefore, we experimented with creating generic behavioral graph models that describe malicious and non-malicious processes. These behavioral models relied on the fusion of statistical, contextual, and graph mining features that capture explicit and implicit relationships between API functions in the calling sequence. Our generated behavioral models proved the behavioral contrast between malicious and non-malicious calling sequences. According to that distinction, we built different relational perspective models that characterize processes’ behaviors. To prove our approach novelty, we experimented with our approach over Windows and Android platforms. Our experimentations demonstrated that our proposed system identified unseen malicious samples with high accuracy with low false-positive. In terms of detection accuracy, our model returns an average accuracy of 0.997 and 0.977 to the unseen Windows and Android malware testing samples, respectively. Moreover, we proposed a new indexing method for APIs based on their contextual similarities. We also suggested a new expressive, a visualized form that renders the API calling sequence. Consequently, we introduced a confidence metric to our model classification decision. Furthermore, we developed a behavioral heuristic that effectively identified malicious API call sequences that were deceptive or mimicry.

A Survey on Security Mechanisms for NoC-based Many-Core SoCs

The adoption of many-cores systems introduces the concern for data protection as a critical design requirement due to the resource sharing and the simultaneous executions of several applications on the platform. A secure application that processes sensitive data may have its security harmed by a malicious process. The literature contains several proposals to protect many-cores against attacks, focusing on the protection of the application execution or the access to shared memories. However, there is a gap to be fulfilled: a solution covering the entire application lifetime, including its admission, execution, and peripheral's access. This survey discusses three security-related issues: the secure admission of applications, the prevention of resource sharing during their execution, and the safe access to external devices. This survey concludes with an evaluation of the studied methods, pointing out directions and research opportunities.

Introduction of the ARDS—Anti-Ransomware Defense System Model—Based on the Systematic Review of Worldwide Ransomware Attacks

We live in a world of digital information communication and digital data storage. Following the development of technology, demands from the user side also pose serious challenges for developers, both in the field of hardware and software development. However, the increasing penetration of the Internet, IoT and digital solutions that have become available in almost every segment of life, carries risks as well as benefits. In this study, the authors present the phenomenon of ransomware attacks that appear on a daily basis, which endangers the operation and security of the digital sphere of both small and large enterprises and individuals. An overview of ransomware attacks, the tendency and characteristics of the attacks, which have caused serious financial loss and other damages to the victims, are presented. This manuscript also provides a brief overview of protection against ransomware attacks and the software and hardware options that enhance general user security and their effectiveness as standalone applications. The authors present the results of the study, which aimed to explore how the available software and hardware devices can implement digital user security. Based on the results of the research, the authors propose a complex system that can be used to increase the efficiency of network protection and OS protection tools already available to improve network security, and to detect ransomware attacks early. As a result, the model of the proposed protection system is presented, and it can be stated that the complex system should be able to detect ransomware attacks from either the Internet or the internal network at an early stage, mitigate malicious processes and maintain data in recoverable state.

SDD: A trusted display of FIDO2 transaction confirmation without trusted execution environment

The FIDO2 protocol allows users to perform online authentication by setting a public key and avoids the shortcomings of the traditional password authentication mechanism in terms of security. During transaction confirmation with the FIDO2 protocol, users must confirm the transaction message and then sign this message using a cryptographic signature scheme. However, it is a challenge to show that transaction messages are correct or trusted in practice. No available authenticator that supports the FIDO2 protocol uses trusted display hardware to guarantee the correctness of transaction messages. This paper proposes a trusted display of transaction messages by developing a lightweight and trusted base on hardware without a trusted execution environment (TEE). The proposed trusted display is easily applied in the FIDO2 protocol and resists four types of well-known attacks, such as malicious process tampering with display and occupying an authenticator. The experimental results indicate that the improved FIDO2 protocol slightly increases the processing overhead compared to the traditional protocol.