Quincy: Detecting Host-Based Code Injection Attacks in Memory Dumps

Barabosch, Thomas; Bergmann, Niklas; Dombeck, Adrian; Padilla, Elmar

doi:10.1007/978-3-319-60876-1_10

Cited by 17 publications

(5 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…PROVDETECTOR, unlike virtualization based solutions [66], [62], is designed to run on bare metal machines and does not require isolated environments. Similar to previous work [27], [26], [62], to perform a large-scale analysis, we use sandbox environments to automate the execution of malware samples in our evaluation. It is possible that some anti-analysis malware changed their behavior during our evaluation.…”

Section: Mimicry Attacksmentioning

confidence: 99%

“…Bee master [27] prepares honeypot processes in an analysis environment and detects injections into the processes. Membrane [87] and Quincy [26] extract features from memory information such as memory paging information and memory dumps, and use supervised machine learning to detect code injection. Tartarus [66] and API Chaser [62] use taint tracking to identify code injection.…”

Section: Stealthy Malwarementioning

confidence: 99%

See 1 more Smart Citation

You Are What You Do: Hunting Stealthy Malware via Data Provenance Analysis

Wang¹,

Hassan²,

Ding³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

123

View full text Add to dashboard Cite

To subvert recent advances in perimeter and host security, the attacker community has developed and employed various attack vectors to make a malware much stealthier than before to penetrate the target system and prolong its presence. Such advanced malware or "stealthy malware" makes use of various techniques to impersonate or abuse benign applications and legitimate system tools to minimize its footprints in the target system. It is thus difficult for traditional detection tools, such as malware scanners, to detect it, as the malware normally does not expose its malicious payload in a file and hides its malicious behaviors among the benign behaviors of the processes. In this paper, we present PROVDETECTOR, a provenancebased approach for detecting stealthy malware. Our insight behind the PROVDETECTOR approach is that although a stealthy malware attempts to blend into benign processes, its malicious behaviors inevitably interact with the underlying operating system (OS), which will be exposed to and captured by provenance monitoring. Based on this intuition, PROVDETECTOR first employs a novel selection algorithm to identify possibly malicious parts in the OS-level provenance data of a process. It then applies a neural embedding and machine learning pipeline to automatically detect any behavior that deviates significantly from normal behaviors. We evaluate our approach on a large provenance dataset from an enterprise network and demonstrate that it achieves very high detection performance of stealthy malware (an average F1 score of 0.974). Further, we conduct thorough interpretability studies to understand the internals of the learned machine learning models.

show abstract

Section: Mimicry Attacksmentioning

confidence: 99%

Section: Stealthy Malwarementioning

confidence: 99%

You Are What You Do: Hunting Stealthy Malware via Data Provenance Analysis

Wang¹,

Hassan²,

Ding³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

123

View full text Add to dashboard Cite

show abstract

“…The first category of papers referenced the challenge to either perform an abstract comparison or highlight the importance of machine learning for malware classification in industry, where the size of data is huge [43,19,28,47,18,38,49,44,25,53,46,21,4,57,16,17,39,50]. Papers in the second category performed partial or complete evaluation on the dataset to verify the effectiveness and/or efficiency of their proposed approach for various tasks.…”

Section: Citations Comparisonmentioning

confidence: 99%

Novel Feature Extraction, Selection and Fusion for Effective Malware Family Classification

Ahmadi

Ulyanov

Semenov

et al. 2016

Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy

280

198

View full text Add to dashboard Cite

Modern malware is designed with mutation characteristics, namely polymorphism and metamorphism, which causes an enormous growth in the number of variants of malware samples. Categorization of malware samples on the basis of their behaviors is essential for the computer security community, because they receive huge number of malware everyday, and the signature extraction process is usually based on malicious parts characterizing malware families. Microsoft released a malware classification challenge in 2015 with a huge dataset of near 0.5 terabytes of data, containing more than 20K malware samples. The analysis of this dataset inspired the development of a novel paradigm that is effective in categorizing malware variants into their actual family groups. This paradigm is presented and discussed in the present paper, where emphasis has been given to the phases related to the extraction, and selection of a set of novel features for the effective representation of malware samples. Features can be grouped according to different characteristics of malware behavior, and their fusion is performed according to a per-class weighting paradigm. The proposed method achieved a very high accuracy ($\approx$ 0.998) on the Microsoft Malware Challenge dataset

show abstract

“…(1) e address of the instruction is not in the shadow memory and not in the tainted writes (line 10 Algorithm 1); (2) e address of the instruction is not in the shadow memory but in the tainted writes (line 13 Algorithm 1); (3) e address of the instruction is in the shadow memory and in the tainted writes but the content of the shadow memory is not similar to current instruction (line 16 Algorithm 1); (4) e address of the instruction is in the shadow memory and in the tainted writes and the content of the shadow memory is equivalent to the memory of the current instruction (line 18 Algorithm 1). Case (1) happens in two scenarios.…”

Section: Collecting the Execution Wavesmentioning

confidence: 99%

“…In particular, Panorama [43], DiskDuster [1], Tartarus [29] and API Chaser [25] use dynamic taint analysis to capture this. Barabosch et al has also investigated the problem with code injection by analysing memory dumps [4] and also at run time [5]. Minerva relies on the same techniques as Tartarus to trace malware execution through the system.…”

Section: Related Workmentioning

confidence: 99%

Precise system-wide concatic malware unpacking

Korczynski

2019

Preprint

View full text Add to dashboard Cite

Run time packing is a common approach malware use to obfuscate their payloads, and automatic unpacking is, therefore, highly relevant.e problem has received much a ention, and so far, solutions based on dynamic analysis have been the most successful. Nevertheless, existing solutions lack in several areas, both conceptually and architecturally, because they focus on a limited part of the unpacking problem. ese limitations signi cantly impact their applicability, and current unpackers have, therefore, experienced limited adoption.In this paper, we introduce a new tool, called Minerva, for effective automatic unpacking of malware samples. Minerva introduces a uni ed approach to precisely uncover execution waves in a packed malware sample and produce PE les that are well-suited for follow-up static analysis. At the core, Minerva deploys a novel information ow model of system-wide dynamically generated code, precise collection of API calls and a new approach for merging execution waves and API calls. Together, these novelties amplify the generality and precision of automatic unpacking and make the output of Minerva highly usable. We extensively evaluate Minerva against synthetic and real-world malware samples and show that our techniques signi cantly improve on several aspects compared to previous work.

show abstract

Quincy: Detecting Host-Based Code Injection Attacks in Memory Dumps

Cited by 17 publications

References 16 publications

You Are What You Do: Hunting Stealthy Malware via Data Provenance Analysis

You Are What You Do: Hunting Stealthy Malware via Data Provenance Analysis

Novel Feature Extraction, Selection and Fusion for Effective Malware Family Classification

Precise system-wide concatic malware unpacking

Contact Info

Product

Resources

About