Title :
In-Execution Malware Detection Using Task Structures of Linux Processes
Author :
Shahzad, Farrukh ; Bhatti, Sohail ; Shahzad, Muhammad ; Farooq, Muddassar
Author_Institution :
Next Generation Intell. Networks Res. Center (nexGIN RC), Nat. Univ. of Comput. & Emerging Sci. (FAST-NUCES), Islamabad, Pakistan
Abstract :
In this paper, we present a novel framework -- it uses the information in the kernel structures of a process -- to do run-time analysis of the behavior of an executing program. Our analysis shows that classifying a process as malicious or benign -- using the information in the kernel structures of a process -- is not only very accurate but also has very low processing overheads; as a result, this lightweight framework can be incorporated within the operating system kernel. To provide a proof-of-concept of our thesis, we design and implement our system as a kernel module in Linux. We perform the time series analysis of 118 parameters of Linux task structures and pre-process them to come up with a minimal feature set of 11 features. Our analysis shows that these features have remarkably different values for benign and malicious processes; as a result, a number of classifiers operating on these features provide 93% detection accuracy with 0% false alarm rate within 100 milliseconds. Last but not least, we justify that it is very difficult for a crafty attacker to evade these low-level, system-specific features.
Keywords :
Linux; invasive software; operating system kernels; program diagnostics; task analysis; time series; Linux kernel module; Linux process; Linux task structure; benign process; executing program behavior; in-execution malware detection; low-level system specific feature; malicious process; operating system kernel; process classification; process kernel structure; processing overhead; run-time analysis; time series analysis; Accuracy; Feature extraction; Kernel; Linux; Malware; Time series analysis; Training;
Conference_Titel :
Communications (ICC), 2011 IEEE International Conference on
Conference_Location :
Kyoto
Print_ISBN :
978-1-61284-232-5
Electronic_ISBN :
1550-3607
DOI :
10.1109/icc.2011.5963012