1. IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 9, NO. 1, JANUARY 2014
Data-Centric OS Kernel Malware Characterization
2. Abstract
Traditional malware detection and analysis approaches have focused on code-centric aspects of malicious programs, such as detecting the injection of malicious code or matching malicious code sequences. However, modern malware employs advanced strategies, such as reusing legitimate code or obfuscating malware code, to circumvent detection. As a new perspective that complements code-centric approaches, we propose a data-centric OS kernel malware characterization architecture that detects and characterizes malware attacks based on the properties of the data objects manipulated during the attacks. This framework consists of two system components with novel features. First, a runtime kernel object mapping system that has an untampered view of kernel data objects, resistant to manipulation by malware; this view is effective at detecting a class of malware that hides dynamic data objects. Second, a new kernel malware detection approach that generates malware signatures based on the data access patterns specific to malware attacks. By modeling low-level data access behaviors as signatures, this approach has extended coverage: it detects not only the malware the signatures were generated from, but also malware variants that share the same attack patterns. Our experiments against a variety of real-world kernel rootkits demonstrate the effectiveness of data-centric malware signatures.
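The following is a simplified model of the two components the abstract describes, added here as an illustration and not the paper's own code: a cross-view check that reports kernel objects present in an untampered allocation map but missing from the kernel's own list (hidden dynamic objects), and a data-access signature derived from a malware trace that also matches a variant sharing the same access pattern despite different code. The object types, field names, addresses and traces are constructed sample values.

```python
# Constructed model of data-centric kernel malware characterization; not the
# paper's implementation. Kernel objects are addresses tagged with a type,
# and an execution trace is a list of data-access events.
from collections import namedtuple

# One data-access event: which object type and field was touched, and how.
Access = namedtuple("Access", "obj_type field op")

def find_hidden_objects(allocation_map, os_visible):
    """Cross-view check: an object recorded in the untampered allocation map
    (seen at allocation time by a monitor the malware cannot modify) but absent
    from the kernel's own list of that type is a hidden dynamic object."""
    hidden = []
    for addr, obj_type in allocation_map.items():
        if addr not in os_visible.get(obj_type, set()):
            hidden.append((addr, obj_type))
    return sorted(hidden)

def build_signature(malware_trace, benign_traces):
    """Data-access signature: the (type, field, op) patterns observed in the
    malware run that never occur in benign kernel execution."""
    benign = {a for t in benign_traces for a in t}
    return frozenset(a for a in malware_trace if a not in benign)

def match_signature(signature, trace):
    """A trace matches when it exhibits every access pattern in the signature,
    regardless of which code performed the accesses."""
    return signature <= set(trace)

# --- constructed sample data ---
# Allocation map (address -> type) as seen by the untampered monitor.
ALLOC_MAP = {0xc1000: "task_struct", 0xc2000: "task_struct", 0xc3000: "task_struct"}
# What the guest kernel's own process list currently reports: 0xc2000 is missing.
OS_VISIBLE = {"task_struct": {0xc1000, 0xc3000}}
BENIGN = [
    [Access("task_struct", "state", "write"), Access("task_struct", "tasks", "read")],
    [Access("module", "list", "read"), Access("task_struct", "comm", "write")],
]
# Sample rootkit run: writes the process list links and a syscall table entry.
MALWARE = [Access("task_struct", "tasks", "write"), Access("sys_call_table", "entry", "write"),
           Access("task_struct", "state", "write")]
# Sample variant with different code but the same data-manipulation pattern.
VARIANT = [Access("sys_call_table", "entry", "write"), Access("task_struct", "tasks", "write"),
           Access("module", "list", "read")]
SIGNATURE = build_signature(MALWARE, BENIGN)

if __name__ == "__main__":
    print("hidden:", find_hidden_objects(ALLOC_MAP, OS_VISIBLE), "| variant matches:",
          match_signature(SIGNATURE, VARIANT), "| benign matches:", match_signature(SIGNATURE, BENIGN[0]))
```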
4. Existing System
The existing approach focuses on memory performance checks, memory management leaks, and interoperability between managed code (newer Microsoft languages such as C#) and unmanaged code (older Microsoft languages such as VC++).
System calls issued through Windows-level code are matched against malicious malware specifications; suspicious system calls are flagged where they coincide with known malicious activity in the virtual operating system.
Memory mapping leaks cause memory leakage in the virtual machine, which in turn leads to files being handled through improper use of application calls to kernel-mode services.
Irregular memory wastage and improper properties of exe files while accessing the VM access program are considered to be drawbacks of the existing approach.
5. Proposed System
In the proposed approach, malware in the virtual machine is detected and then monitored with the help of a malware detector.
Monitoring application execution involves:
Memory Management Leaks
Memory Performance Checks
Unmanaged Code execution
Listing the detected malware and fixing it, supported by testing analysis such as the Malwarebytes Anti-Malware (MBAM) scanner, is part of the proposed analysis.
Dynamic detection of malware activity in the virtual environment detects vulnerable activity in the kernel, supported by proof carried out over the injected malware code and the memory leakage mechanism.
6. System Requirements
Software Requirements:
Platform : .NET (VS2010), ASP.NET
.NET Framework 4.0
Database : SQL Server 2008 R2
Hardware Requirements:
Processor : Core 2 Duo
Speed : 2.2 GHz
RAM : 2 GB
Hard Disk : 160 GB