Redirecting Malware’s Target Selection with Decoy Processes - Inria - Institut national de recherche en sciences et technologies du numérique
Conference paper, Year: 2019

Redirecting Malware’s Target Selection with Decoy Processes

Sara Sutton
  • Role: Author
  • PersonId: 1059346
Garret Michilli
  • Role: Author
  • PersonId: 1059347
Julian Rrushi
  • Role: Author
  • PersonId: 1059348

Abstract

Honeypots attained the highest accuracy in detecting malware among all proposed anti-malware approaches. Their strength lies in the fact that they have no activity of their own; therefore any system or network activity on a honeypot is unequivocally detected as malicious. We found that the very strength of honeypots can be turned into their main weakness, namely that the absence of activity can be leveraged to easily detect a honeypot. To that end, we describe a practical approach that uses live performance counters to detect a honeypot, as well as decoy I/O on machines in production. To counter this weakness, we designed and implemented decoy processes through operating system (OS) techniques that make safe interventions in the OS kernel. We also explored deep learning to characterize and build the performance fingerprint of a real process, which is then used to support its decoy counterpart against active probes by malware. We validated the effectiveness of decoy processes as integrated with a decoy Object Linking and Embedding for Process Control (OPC) server, and discuss our findings in the paper.
Main file: 480962_1_En_21_Chapter.pdf (536.61 KB)
Origin: Files produced by the author(s)

Dates and versions

hal-02384597 , version 1 (28-11-2019)

License

Attribution

Identifiers

Cite

Sara Sutton, Garret Michilli, Julian Rrushi. Redirecting Malware’s Target Selection with Decoy Processes. 33rd IFIP Annual Conference on Data and Applications Security and Privacy (DBSec), Jul 2019, Charleston, SC, United States. pp.398-417, ⟨10.1007/978-3-030-22479-0_21⟩. ⟨hal-02384597⟩