• DocumentCode
    166555
  • Title
    Proposal of a Method Detecting Malicious Processes
  • Author
    Yamamoto, Takayuki ; Kawauchi, Kiyoto ; Sakurai, Satoshi
  • Author_Institution
    Inf. Technol. R&D Center, Mitsubishi Electr. Corp., Kamakura, Japan
  • fYear
    2014
  • fDate
    13-16 May 2014
  • Firstpage
    518
  • Lastpage
    523
  • Abstract
    Methods for detecting malware communication based on communication characteristics have been proposed. However, as malware becomes more sophisticated and the communication of legitimate software becomes more diverse, it is becoming harder to correctly tell malware communication and legitimate software communication apart. Therefore, we propose a method to check whether a process generating suspicious communication is malicious. The method focuses on malware that impersonates a legitimate process by injecting malicious code into that process. It extracts two process images. One is obtained from the process to be checked (the target process), which is generating the suspicious communication. The other is obtained by executing the same executable as the target process in a clean virtual machine. The two process images are then compared to extract the injected code. Finally, the extracted code is verified to determine whether it is malicious.
  • Keywords
    invasive software; virtual machines; legitimate software communication; malicious codes; malicious process detection; malware communication detection methods; suspicious communication; virtual machine; Binary codes; Cryptography; Data mining; Malware; Organizations; Ports (Computers); Software; Malware; communication; process; code injection; memory analysis;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Advanced Information Networking and Applications Workshops (WAINA), 2014 28th International Conference on
  • Conference_Location
    Victoria, BC
  • Print_ISBN
    978-1-4799-2652-7
  • Type
    conf
  • DOI
    10.1109/WAINA.2014.164
  • Filename
    6844689