CHARACTERISTICS OF MALICIOUS DLLS IN WINDOWS MEMORY

Abstract: Dynamic link library (DLL) injection is a method of forcing a running process to load a DLL into its address space. Malware authors use DLL injection to hide their code while it executes on a system. Due to the large number and variety of DLLs in modern Windows systems, distinguishing a malicious DLL from a legitimate DLL in an arbitrary process is non-trivial and often requires the use of previously established indicators of compromise. Additionally, the set of DLLs loaded in a process naturally fluctuates over time, adding to the difficulty of identifying malicious DLLs. Machine learning has been shown to be a viable approach for classifying malicious software, but it has not yet been applied to malware in memory images. In order to identify the behavior of malicious DLLs that were injected into processes, 33,160 Windows 7 x86 memory images were generated from a set of malware samples obtained from VirusShare. DLL artifacts were extracted from the memory images and analyzed to identify behavioral patterns of malicious and legitimate DLLs. These patterns highlight features of DLLs that can be applied as heuristics to help identify malicious injected DLLs in Windows 7 memory. They also establish that machine learning is a viable approach for classifying injected DLLs in Windows memory.
Document type:
Conference paper
Gilbert Peterson; Sujeet Shenoi. 11th IFIP International Conference on Digital Forensics (DF), Jan 2015, Orlando, FL, United States. IFIP Advances in Information and Communication Technology, AICT-462, pp.149-161, 2015, Advances in Digital Forensics XI. 〈10.1007/978-3-319-24123-4_9〉

Cited literature [11 references]

https://hal.inria.fr/hal-01449075
Contributor: Hal Ifip
Submitted on: Monday, 30 January 2017 - 09:13:54
Last modified on: Friday, 1 December 2017 - 01:17:00

File

978-3-319-24123-4_9_Chapter.pd...
Files produced by the author(s)

License


Distributed under a Creative Commons Attribution 4.0 International License

Citation

Dae Glendowne, Cody Miller, Wesley Mcgrew, David Dampier. CHARACTERISTICS OF MALICIOUS DLLS IN WINDOWS MEMORY. Gilbert Peterson; Sujeet Shenoi. 11th IFIP International Conference on Digital Forensics (DF), Jan 2015, Orlando, FL, United States. IFIP Advances in Information and Communication Technology, AICT-462, pp.149-161, 2015, Advances in Digital Forensics XI. 〈10.1007/978-3-319-24123-4_9〉. 〈hal-01449075〉

Metrics

Record views

48

File downloads

82