A Solution for Early Detection and Negation of Code and DLL Injection Attacks of Malwares

Document Type : Original Article

Authors

Department of Computer Engineering, Science and Research Branch, Islamic Azad University, Tehran, Iran.

Abstract

Malware has grown drastically in recent years, and the behavior of newly produced malware is becoming more complex and shrewd. This paper presents malware detection methods and focuses in particular on code and DLL injection attacks. Novel malware tries to obfuscate and hide its behavior by injecting malicious code into the allocated memory and the binary files of trusted applications. By data mining a massive volume of malware, the proposed method derives chains of API calls, captured by a logging hook installed in the kernel space of the operating system, in order to model the malicious behavior of code/DLL injection with a linear regression function. The proposed method uses association-rule machine learning based on the Apriori algorithm for early detection of attacks and is able to prevent completion of the attack by blocking remote thread creation. Finally, the accuracy of the proposed method is evaluated on datasets from valid references and the results are compared with available antivirus tools under the same conditions. The evaluation results indicate that the proposed method recognizes code/DLL injection attacks with an accuracy of about 94%. Moreover, the success coefficient of the proposed self-defense system is evaluated at 88.88% against real code/DLL injection attacks.
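The pipeline the abstract describes (API-call chains mined into Apriori association rules, then remote thread creation denied once a mined chain is recognized) can be illustrated with the following Python sketch. It is an added example, not the paper's implementation: the paper collects call chains with a kernel-space hook, whereas here the chains are a constructed in-memory sample fed to the monitor one call at a time. The API names are the standard Win32/NT injection primitives; the support and confidence thresholds, the sample traces, and the grouping of thread-creation calls into one REMOTE_EXEC class are assumptions, and the linear-regression model mentioned in the abstract is not reproduced.

```python
"""Apriori-style mining of API-call chains for early detection and blocking
of code/DLL injection.  Added illustration, not the paper's code.  The
kernel hook is replaced by an in-memory sample; thresholds are assumed."""
from itertools import combinations
from collections import Counter

# Constructed sample of per-process API call chains (assumed, not the
# paper's dataset).  Label 1 = known injector, 0 = benign.
TRACES = [
    (["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"], 1),
    (["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "NtCreateThreadEx"], 1),
    (["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "CloseHandle"], 1),
    (["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "QueueUserAPC"], 1),
    (["CreateFileW", "ReadFile", "WriteFile", "CloseHandle"], 0),
    (["CreateFileW", "ReadFile", "CloseHandle"], 0),
    (["OpenProcess", "GetModuleFileNameExW", "CloseHandle"], 0),
    (["VirtualAlloc", "LoadLibraryW", "GetProcAddress"], 0),
]

# Assumption: every remote-execution primitive is folded into one class so
# that rules predict "a remote thread is about to be created", whichever
# API variant the sample happens to use.
REMOTE_EXEC = {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread", "QueueUserAPC"}

def normalize(call):
    return "REMOTE_EXEC" if call in REMOTE_EXEC else call

def frequent_itemsets(traces, min_support):
    """Apriori: level-wise generation of API sets whose support (fraction of
    traces containing all of them) is >= min_support.  Returns {set: support}."""
    baskets = [frozenset(calls) for calls, _ in traces]
    n = len(baskets)
    counts = Counter(item for b in baskets for item in b)
    support = {frozenset([i]): c / n for i, c in counts.items() if c / n >= min_support}
    current, k = set(support), 2
    while current:
        # join step: merge (k-1)-sets into k-sets; prune step: keep a candidate
        # only if every (k-1)-subset is itself frequent
        candidates = set()
        for a in current:
            for b in current:
                u = a | b
                if len(u) == k and all(frozenset(c) in current for c in combinations(u, k - 1)):
                    candidates.add(u)
        nxt = {}
        for c in candidates:
            sup = sum(1 for b in baskets if c <= b) / n
            if sup >= min_support:
                nxt[c] = sup
        support.update(nxt)
        current, k = set(nxt), k + 1
    return support

def association_rules(support, min_confidence):
    """Rules X -> y over frequent sets; confidence = sup(X u {y}) / sup(X)."""
    rules = []
    for s, sup in support.items():
        if len(s) < 2:
            continue
        for y in s:
            x = s - {y}
            conf = sup / support[x]
            if conf >= min_confidence:
                rules.append((x, y, conf))
    return rules

def mine_rules(traces, min_support=0.5, min_confidence=0.9):
    norm = [([normalize(c) for c in calls], label) for calls, label in traces]
    return association_rules(frequent_itemsets(norm, min_support), min_confidence)

class InjectionMonitor:
    """Per-process state fed one API call at a time (stand-in for the hook's
    callback).  'SUSPECT' is raised as soon as a mined antecedent has been
    observed; the first remote-execution call after that is 'BLOCK'ed."""
    def __init__(self, rules):
        self.antecedents = [x for x, y, _ in rules if y == "REMOTE_EXEC"]
        self.seen = set()
        self.suspect = False

    def observe(self, call):
        name = normalize(call)
        if name == "REMOTE_EXEC" and self.suspect:
            return "BLOCK"          # deny the remote thread before it exists
        self.seen.add(name)
        if not self.suspect and any(x <= self.seen for x in self.antecedents):
            self.suspect = True
            return "SUSPECT"        # early detection: chain recognized mid-way
        return "ALLOW"

def run(rules, calls):
    """Verdict per call for one process trace."""
    mon = InjectionMonitor(rules)
    return [mon.observe(c) for c in calls]

if __name__ == "__main__":
    rules = mine_rules(TRACES)
    for x, y, conf in sorted(rules, key=lambda r: -r[2]):
        if y == "REMOTE_EXEC":
            print(sorted(x), "->", y, conf)
    print(run(rules, TRACES[0][0]))   # ['ALLOW', 'SUSPECT', 'ALLOW', 'BLOCK']
```

With these thresholds the single-item rule {OpenProcess} -> REMOTE_EXEC falls below the confidence cut-off (OpenProcess also appears in a benign trace), so the monitor stays quiet on the benign OpenProcess/GetModuleFileNameExW chain while still flagging an injector at its VirtualAllocEx call and denying the thread creation that follows; the itemsets ignore call order, so the per-process monitor is what enforces that the antecedent precedes the blocked call.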

Volume 10, Issue 4 - Serial Number 38
September 2020
Pages 393-406
  • Receive Date: 29 October 2018
  • Revise Date: 13 December 2018
  • Accept Date: 16 January 2019
  • Publish Date: 21 January 2020