Journal literature: 6 articles found
1. MRm-DLDet: a memory-resident malware detection framework based on memory forensics and deep neural network
Authors: Jiaxi Liu, Yun Feng, Xinyu Liu, Jianjun Zhao, Qixu Liu. Cybersecurity (EI, CSCD), 2024, No. 1, pp. 88-109 (22 pages)
Cyber attackers have constantly updated their attack techniques to evade antivirus software detection in recent years. One popular evasion method is to execute malicious code and perform malicious actions only in memory. Malicious programs that use this attack method are called memory-resident malware; they have excellent evasion capability and have posed huge threats to cyber security. Traditional static and dynamic methods are not effective in detecting memory-resident malware. In addition, existing memory forensics detection solutions perform unsatisfactorily in detection rate and depend on massive expert knowledge in memory analysis. This paper proposes MRm-DLDet, a state-of-the-art memory-resident malware detection framework, to overcome these drawbacks. MRm-DLDet first builds a virtual machine environment and captures memory dumps, then creatively processes the memory dumps into RGB images using a pre-processing technique that combines deduplication and ultra-high resolution image cropping, followed by our neural network MRmNet in MRm-DLDet to fully extract high-dimensional features from memory dump files and detect them. MRmNet receives the labeled sub-images of the cropped high-resolution RGB images as input of ResNet-18, which extracts the features of the sub-images. It then trains a network of gated recurrent units with an attention mechanism. Finally, it determines whether a program is memory-resident malware based on the detection results of each sub-image through a specially designed voting layer. We created a high-quality dataset consisting of 2,060 benign and memory-resident programs. In other words, the dataset contains 1,287,500 labeled sub-images cut from the MRm-DLDet transformed ultra-high resolution RGB images. We implement MRm-DLDet for Windows 10, and it performs better than the latest methods, with a detection accuracy of up to 98.34%. Moreover, we measured the effects of mimicry and adversarial attacks on MRm-DLDet, and the experimental results demonstrated the robustness of MRm-DLDet.
Keywords: memory-resident malware; memory forensics; malware detection; deep learning; ultra-high resolution image
2. Hidden Process Offline Forensic Based on Memory Analysis in Windows (Cited by: 1)
Authors: CUI Jingsong, ZHANG Heng, QI Jing, PENG Rong, ZHANG Manli. Wuhan University Journal of Natural Sciences (CAS, CSCD), 2017, No. 4, pp. 346-354 (9 pages)
Malicious software programs usually bypass the detection of anti-virus software by hiding themselves among apparently legitimate programs. In this work, we propose Windows Virtual Machine Introspection (WVMI) to accurately detect those hidden processes by analyzing memory data. WVMI dumps in-memory data of the target Windows operating systems from the hypervisor and first retrieves the EPROCESS structures' address of the process linked list, and then generates a Data Type Confidence Table (DTCT). Next, it traverses the memory and identifies the similarities between the nodes in the process linked list and the corresponding segments in the memory by utilizing the DTCT. Finally, it locates the segments of Windows' EPROCESS and identifies the hidden processes by further comparison. Extensive experiments show that WVMI detects hidden processes with a high identification rate, and that it is independent of the version of the Windows operating system.
Keywords: virtual machine introspection; hidden process detection; process linked list; memory forensics
3. An emerging threat, fileless malware: a survey and research challenges (Cited by: 6)
Authors: Sudhakar, Sushil Kumar. Cybersecurity (CSCD), 2020, No. 1, pp. 42-53 (12 pages)
With the evolution of cybersecurity countermeasures, the threat landscape has also evolved, especially in malware, from traditional file-based malware to sophisticated and multifarious fileless malware. Fileless malware does not use traditional executables to carry out its activities. So, it does not use the file system, thereby evading signature-based detection systems. A fileless malware attack is catastrophic for any enterprise because of its persistence and its power to evade anti-virus solutions. The malware leverages the power of the operating system's trusted tools to accomplish its malicious intent. To analyze such malware, security professionals use forensic tools to trace the attacker, whereas the attacker might use anti-forensics tools to erase their traces. This survey makes a comprehensive analysis of fileless malware and the detection techniques that are available in the literature. We present a process model to handle fileless malware attacks in the incident response process. In the end, the specific research gaps present in the proposed process model are identified, and the associated challenges are highlighted.
Keywords: fileless malware; botnet; incident response; memory forensics; incident investigation; memory resident malware; rootkit
4. Using deep learning to solve computer security challenges: a survey (Cited by: 1)
Authors: Yoon-Ho Choi, Peng Liu, Zitong Shang, Haizhou Wang, Zhilong Wang, Lan Zhang, Junwei Zhou, Qingtian Zou. Cybersecurity (CSCD), 2020, No. 1, pp. 203-234 (32 pages)
Although using machine learning techniques to solve computer security challenges is not a new idea, the rapidly emerging deep learning technology has recently triggered a substantial amount of interest in the computer security community. This paper seeks to provide a dedicated review of the very recent research works on using deep learning techniques to solve computer security challenges. In particular, the review covers eight computer security problems being solved by applications of deep learning: security-oriented program analysis, defending against return-oriented programming (ROP) attacks, achieving control-flow integrity (CFI), defending against network attacks, malware classification, system-event-based anomaly detection, memory forensics, and fuzzing for software security.
Keywords: deep learning; security-oriented program analysis; return-oriented programming attacks; control-flow integrity; network attacks; malware classification; system-event-based anomaly detection; memory forensics; fuzzing for software security
5. An emerging threat, fileless malware: a survey and research challenges
Authors: Sudhakar, Sushil Kumar. Cybersecurity, 2018, No. 1, pp. 668-679 (12 pages)
With the evolution of cybersecurity countermeasures, the threat landscape has also evolved, especially in malware, from traditional file-based malware to sophisticated and multifarious fileless malware. Fileless malware does not use traditional executables to carry out its activities. So, it does not use the file system, thereby evading signature-based detection systems. A fileless malware attack is catastrophic for any enterprise because of its persistence and its power to evade anti-virus solutions. The malware leverages the power of the operating system's trusted tools to accomplish its malicious intent. To analyze such malware, security professionals use forensic tools to trace the attacker, whereas the attacker might use anti-forensics tools to erase their traces. This survey makes a comprehensive analysis of fileless malware and the detection techniques that are available in the literature. We present a process model to handle fileless malware attacks in the incident response process. In the end, the specific research gaps present in the proposed process model are identified, and the associated challenges are highlighted.
Keywords: fileless malware; botnet; incident response; memory forensics; incident investigation; memory resident malware; rootkit
6. Using deep learning to solve computer security challenges: a survey
Authors: Yoon-Ho Choi, Peng Liu, Zitong Shang, Haizhou Wang, Zhilong Wang, Lan Zhang, Junwei Zhou, Qingtian Zou. Cybersecurity, 2018, No. 1, pp. 815-846 (32 pages)
Although using machine learning techniques to solve computer security challenges is not a new idea, the rapidly emerging deep learning technology has recently triggered a substantial amount of interest in the computer security community. This paper seeks to provide a dedicated review of the very recent research works on using deep learning techniques to solve computer security challenges. In particular, the review covers eight computer security problems being solved by applications of deep learning: security-oriented program analysis, defending against return-oriented programming (ROP) attacks, achieving control-flow integrity (CFI), defending against network attacks, malware classification, system-event-based anomaly detection, memory forensics, and fuzzing for software security.
Keywords: deep learning; security-oriented program analysis; return-oriented programming attacks; control-flow integrity; network attacks; malware classification; system-event-based anomaly detection; memory forensics; fuzzing for software security