SlideShare a Scribd company logo
Introduction Proposed Solution Evaluation Conclusions
Near-memory & In-Memory
Detection of Fileless Malware
Marcus Botacin1, André Grégio1, Marco Zanata Alves1
1Federal University of Paraná (UFPR)
{mfbotacin, gregio, mazalves}@inf.ufpr.br
MEMSYS 2020
Near-memory & In-Memory Detection of Fileless Malware 1 / 23 MEMSYS’20
Introduction Proposed Solution Evaluation Conclusions
Agenda
1 Introduction
2 Proposed Solution
3 Evaluation
4 Conclusions
Near-memory & In-Memory Detection of Fileless Malware 2 / 23 MEMSYS’20
Introduction Proposed Solution Evaluation Conclusions
Agenda
1 Introduction
2 Proposed Solution
3 Evaluation
4 Conclusions
Near-memory & In-Memory Detection of Fileless Malware 3 / 23 MEMSYS’20
Introduction Proposed Solution Evaluation Conclusions
What Is Fileless Malware?
Figure: Source: https://www.wired.com/2017/02/
say-hello-super-stealthy-malware-thats-going-mainstream/
Figure: Source: https://www.cyberscoop.com/
kaspersky-fileless-malware-memory-attribution-detection/
Near-memory & In-Memory Detection of Fileless Malware 4 / 23 MEMSYS’20
Introduction Proposed Solution Evaluation Conclusions
The Cost of Scanning Memory
0
50
100
150
200
250
300
perl namd Bzip milc mfc
Execution
Time
(s)
Benchmark
AV scanning overhead
Scan
Baseline
Figure: In-memory AV scans worst-case and best-case performance penalties.
Near-memory & In-Memory Detection of Fileless Malware 5 / 23 MEMSYS’20
Introduction Proposed Solution Evaluation Conclusions
A Drawback for Current Security Solutions
Figure: Default policy is not to scan memory.
Near-memory & In-Memory Detection of Fileless Malware 6 / 23 MEMSYS’20
Introduction Proposed Solution Evaluation Conclusions
Why Not New AV implementations?
10
100
1000
1 2 4 8
Time
(s)
RAM (GB)
Virtual−Proc Virtual−Full Physical
Figure: Memory dump time for distinct software-based techniques and memory sizes.
Near-memory & In-Memory Detection of Fileless Malware 7 / 23 MEMSYS’20
Introduction Proposed Solution Evaluation Conclusions
Understanding Malware Detection Tasks
Monitoring
You need to know: When to inspect.
Classifying
You need to know: What to inspect.
Near-memory & In-Memory Detection of Fileless Malware 8 / 23 MEMSYS’20
Introduction Proposed Solution Evaluation Conclusions
Can’t We Rely on Page Faults?
Table: Blocking on Page Faults. The performance impact is greater as more complex is the
applied detection routine.
Benchmark Cycles PF 5K 10K 20K 30K
perf 187G 1,8M 4,74% 9,48% 18,96% 28,44%
mcf 69G 375K 2,72% 5,45% 10,89% 16,34%
milc 556G 1,2M 1,05% 2,10% 4,21% 6,31%
bzip 244G 170K 0,35% 0,69% 1,38% 2,08%
namd 491G 325K 0,33% 0,66% 1,32% 1,98%
Near-memory & In-Memory Detection of Fileless Malware 9 / 23 MEMSYS’20
Introduction Proposed Solution Evaluation Conclusions
Agenda
1 Introduction
2 Proposed Solution
3 Evaluation
4 Conclusions
Near-memory & In-Memory Detection of Fileless Malware 10 / 23 MEMSYS’20
Introduction Proposed Solution Evaluation Conclusions
Observing Memory Accesses Patterns
Figure: Write-to-Read window. Read requests originated from the MSHR might overlap
other memory-buffered read requests for any address, but must not overlap previous
memory-buffered write requests for the same address.
Near-memory & In-Memory Detection of Fileless Malware 11 / 23 MEMSYS’20
Introduction Proposed Solution Evaluation Conclusions
Malware Identification based on Near- and In-Memory Evaluation
(MINI-ME)
Figure: MINI-ME Architecture. MINI-ME is implemented within the memory controller.
Near-memory & In-Memory Detection of Fileless Malware 12 / 23 MEMSYS’20
Introduction Proposed Solution Evaluation Conclusions
Handling Notifications via Page Faults
1 void __do_page_fault (...) {
2 // Original Code
3 if (X86_PF_WRITE) ...
4 if (X86_PF_INSTR) ...
5 // Added Code
6 if (X86_MALICIOUS) ...
Code 1: Modified PF handler. Malicious bit is set
when suspicious pages are mapped.
Near-memory & In-Memory Detection of Fileless Malware 13 / 23 MEMSYS’20
Introduction Proposed Solution Evaluation Conclusions
Agenda
1 Introduction
2 Proposed Solution
3 Evaluation
4 Conclusions
Near-memory & In-Memory Detection of Fileless Malware 14 / 23 MEMSYS’20
Introduction Proposed Solution Evaluation Conclusions
How Much Performance Overhead is Acceptable?
0.0%
1.0%
2.0%
3.0%
4.0%
5.0%
6.0%
0 8 24 32 64 128
IPC
Overhead
(%)
Delay (Cycles)
IPC vs. Memory Delay
astar
calculix
dealII
gromacs
namd
Figure: MINI-ME database overhead. Delays of up 32 cycles impose less than 1% of IPC
overhead.
Near-memory & In-Memory Detection of Fileless Malware 15 / 23 MEMSYS’20
Introduction Proposed Solution Evaluation Conclusions
Signatures as the Detection Mechanism
1 if( IsDebuggerPresent ()){
2 evade ()
Code 2: C code
1 mov eax , [fs:0x30]
2 mov eax , [eax+0x2]
3 jne 0 <evade >
Code 3: ASM code
1 64 8b 04 25 30 00 00
2 67 8b 40 02
3 75 e1
Code 4: Instructions Bytes
Near-memory & In-Memory Detection of Fileless Malware 16 / 23 MEMSYS’20
Introduction Proposed Solution Evaluation Conclusions
Signature Size Definition
Table: Signature Generation. Signatures (%) detected as false positives for each signature
size and memory dump size.
Memory Size
1 GB 2 GB 4 GB 8 GB
Signature
Size
8 B 8.65% 9.92% 10.18% 11.45%
16 B 3.06% 3.32% 3.32% 3.32%
32 B 0.00% 0.00% 0.00% 0.00%
64 B 0.00% 0.00% 0.00% 0.00%
Near-memory & In-Memory Detection of Fileless Malware 17 / 23 MEMSYS’20
Introduction Proposed Solution Evaluation Conclusions
Matching Mechanism Definition
Table: Matching Techniques. FP rates for multiple signature sizes and techniques.
Signature size
8 B 16 B 32 B 64 B
Match.
Tech.
Dir. Mapped Table 8.33% 3.15% 0.00% 0.00%
Signature Tree 8.33% 3.15% 0.00% 0.00%
Bloom Filter 8.41% 3.47% 0.00% 0.00%
Near-memory & In-Memory Detection of Fileless Malware 18 / 23 MEMSYS’20
Introduction Proposed Solution Evaluation Conclusions
Matching Policies Definition
Table: Scan Policies. FP rate for multiple signature sizes and policies.
Signature size
8 B 16 B 32 B 64 B
Scan
Policy
Whole Memory 8.33% 3.15% 0.00% 0.00%
Mapped Pages 0.06% 0.01% 0.00% 0.00%
Whitelist 0.00% 0.00% 0.00% 0.00%
Code-Only 0.01% 0.00% 0.00% 0.00%
Near-memory & In-Memory Detection of Fileless Malware 19 / 23 MEMSYS’20
Introduction Proposed Solution Evaluation Conclusions
MINI-ME in Practice
0.0%
1.0%
2.0%
3.0%
4.0%
5.0%
6.0%
7.0%
8.0%
9.0%
10.0%
11.0%
12.0%
13.0%
perl namd bzip mcf milc
Execution
Time
Overhead
(%)
Monitoring Overhead
On−Access
MINI−ME
Figure: Monitoring Overhead. MINI-ME imposes a smaller overhead while still checking more
pages than an on-access solution.
Near-memory & In-Memory Detection of Fileless Malware 20 / 23 MEMSYS’20
Introduction Proposed Solution Evaluation Conclusions
Agenda
1 Introduction
2 Proposed Solution
3 Evaluation
4 Conclusions
Near-memory & In-Memory Detection of Fileless Malware 21 / 23 MEMSYS’20
Introduction Proposed Solution Evaluation Conclusions
Conclusions
Challenges & Lessons
Fileless malware is a growing hard-to-detect class of threats.
Traditional AntiViruses (AVs) impose significant performance overhead to perform
memory scans.
In-memory and Near-memory AVs helps reducing AV’s performance overheads.
The more complex the matching mechanism, the greater the performance
overhead.
MINI-ME as platform for future developments.
Near-memory & In-Memory Detection of Fileless Malware 22 / 23 MEMSYS’20
Introduction Proposed Solution Evaluation Conclusions
Questions & Comments.
Contact
mfbotacin@inf.ufpr.br
twitter.com/MarcusBotacin
Additional Material
https://github.com/marcusbotacin/In.Memory
Near-memory & In-Memory Detection of Fileless Malware 23 / 23 MEMSYS’20

More Related Content

Similar to Near-memory & In-Memory Detection of Fileless Malware

Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless Malware
Marcus Botacin
 
How do we detect malware? A step-by-step guide
How do we detect malware? A step-by-step guideHow do we detect malware? A step-by-step guide
How do we detect malware? A step-by-step guide
Marcus Botacin
 
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Marcus Botacin
 
Hardware-Assisted Malware Analysis
Hardware-Assisted Malware AnalysisHardware-Assisted Malware Analysis
Hardware-Assisted Malware Analysis
Marcus Botacin
 
On the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesOn the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software Repositories
Marcus Botacin
 
A Tale of Experiments on Bug Prediction
A Tale of Experiments on Bug PredictionA Tale of Experiments on Bug Prediction
A Tale of Experiments on Bug Prediction
Martin Pinzger
 
Machine vision Application
Machine vision ApplicationMachine vision Application
Machine vision Application
Abhishek Sainkar
 
Machine Vision On Embedded Platform
Machine Vision On Embedded Platform Machine Vision On Embedded Platform
Machine Vision On Embedded Platform
Omkar Rane
 
PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...
PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...
PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...
IRJET Journal
 
BH-US-06-Bilar.pdf
BH-US-06-Bilar.pdfBH-US-06-Bilar.pdf
BH-US-06-Bilar.pdf
MohammadRazavi17
 
IRJET - Automated Fraud Detection Framework in Examination Halls
 IRJET - Automated Fraud Detection Framework in Examination Halls IRJET - Automated Fraud Detection Framework in Examination Halls
IRJET - Automated Fraud Detection Framework in Examination Halls
IRJET Journal
 
Esem2010 shihab
Esem2010 shihabEsem2010 shihab
Esem2010 shihab
SAIL_QU
 
Paper multi-modal biometric system using fingerprint , face and speech
Paper   multi-modal biometric system using fingerprint , face and speechPaper   multi-modal biometric system using fingerprint , face and speech
Paper multi-modal biometric system using fingerprint , face and speech
Aalaa Khattab
 
Machine Learning for Malware Detection: Beyond Accuracy Rates
Machine Learning for Malware Detection: Beyond Accuracy RatesMachine Learning for Malware Detection: Beyond Accuracy Rates
Machine Learning for Malware Detection: Beyond Accuracy Rates
Marcus Botacin
 
Detecting Discontinuties in Large Scale Systems
Detecting  Discontinuties in Large Scale SystemsDetecting  Discontinuties in Large Scale Systems
Detecting Discontinuties in Large Scale Systems
haroonmalik786
 
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...
Amine Barrak
 
Sample Paper 1233140926359988 2
Sample Paper 1233140926359988 2Sample Paper 1233140926359988 2
Sample Paper 1233140926359988 2
mnassef
 
Accelerated Windows Debugging 3 training public slides
Accelerated Windows Debugging 3 training public slidesAccelerated Windows Debugging 3 training public slides
Accelerated Windows Debugging 3 training public slides
Dmitry Vostokov
 
Cerita
CeritaCerita
A Review on Software Fault Detection and Prevention Mechanism in Software Dev...
A Review on Software Fault Detection and Prevention Mechanism in Software Dev...A Review on Software Fault Detection and Prevention Mechanism in Software Dev...
A Review on Software Fault Detection and Prevention Mechanism in Software Dev...
iosrjce
 

Similar to Near-memory & In-Memory Detection of Fileless Malware (20)

Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless Malware
 
How do we detect malware? A step-by-step guide
How do we detect malware? A step-by-step guideHow do we detect malware? A step-by-step guide
How do we detect malware? A step-by-step guide
 
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
 
Hardware-Assisted Malware Analysis
Hardware-Assisted Malware AnalysisHardware-Assisted Malware Analysis
Hardware-Assisted Malware Analysis
 
On the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesOn the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software Repositories
 
A Tale of Experiments on Bug Prediction
A Tale of Experiments on Bug PredictionA Tale of Experiments on Bug Prediction
A Tale of Experiments on Bug Prediction
 
Machine vision Application
Machine vision ApplicationMachine vision Application
Machine vision Application
 
Machine Vision On Embedded Platform
Machine Vision On Embedded Platform Machine Vision On Embedded Platform
Machine Vision On Embedded Platform
 
PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...
PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...
PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...
 
BH-US-06-Bilar.pdf
BH-US-06-Bilar.pdfBH-US-06-Bilar.pdf
BH-US-06-Bilar.pdf
 
IRJET - Automated Fraud Detection Framework in Examination Halls
 IRJET - Automated Fraud Detection Framework in Examination Halls IRJET - Automated Fraud Detection Framework in Examination Halls
IRJET - Automated Fraud Detection Framework in Examination Halls
 
Esem2010 shihab
Esem2010 shihabEsem2010 shihab
Esem2010 shihab
 
Paper multi-modal biometric system using fingerprint , face and speech
Paper   multi-modal biometric system using fingerprint , face and speechPaper   multi-modal biometric system using fingerprint , face and speech
Paper multi-modal biometric system using fingerprint , face and speech
 
Machine Learning for Malware Detection: Beyond Accuracy Rates
Machine Learning for Malware Detection: Beyond Accuracy RatesMachine Learning for Malware Detection: Beyond Accuracy Rates
Machine Learning for Malware Detection: Beyond Accuracy Rates
 
Detecting Discontinuties in Large Scale Systems
Detecting  Discontinuties in Large Scale SystemsDetecting  Discontinuties in Large Scale Systems
Detecting Discontinuties in Large Scale Systems
 
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...
 
Sample Paper 1233140926359988 2
Sample Paper 1233140926359988 2Sample Paper 1233140926359988 2
Sample Paper 1233140926359988 2
 
Accelerated Windows Debugging 3 training public slides
Accelerated Windows Debugging 3 training public slidesAccelerated Windows Debugging 3 training public slides
Accelerated Windows Debugging 3 training public slides
 
Cerita
CeritaCerita
Cerita
 
A Review on Software Fault Detection and Prevention Mechanism in Software Dev...
A Review on Software Fault Detection and Prevention Mechanism in Software Dev...A Review on Software Fault Detection and Prevention Mechanism in Software Dev...
A Review on Software Fault Detection and Prevention Mechanism in Software Dev...
 

More from Marcus Botacin

Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024
Marcus Botacin
 
GPThreats-3: Is Automated Malware Generation a Threat?
GPThreats-3: Is Automated Malware Generation a Threat?GPThreats-3: Is Automated Malware Generation a Threat?
GPThreats-3: Is Automated Malware Generation a Threat?
Marcus Botacin
 
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[HackInTheBOx] All You Always Wanted to Know About Antiviruses[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
Marcus Botacin
 
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change![Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
Marcus Botacin
 
Hardware-accelerated security monitoring
Hardware-accelerated security monitoringHardware-accelerated security monitoring
Hardware-accelerated security monitoring
Marcus Botacin
 
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários ExecutáveisExtraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
Marcus Botacin
 
On the Malware Detection Problem: Challenges & Novel Approaches
On the Malware Detection Problem: Challenges & Novel ApproachesOn the Malware Detection Problem: Challenges & Novel Approaches
On the Malware Detection Problem: Challenges & Novel Approaches
Marcus Botacin
 
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
Marcus Botacin
 
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Marcus Botacin
 
Integridade, confidencialidade, disponibilidade, ransomware
Integridade, confidencialidade, disponibilidade, ransomwareIntegridade, confidencialidade, disponibilidade, ransomware
Integridade, confidencialidade, disponibilidade, ransomware
Marcus Botacin
 
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
Marcus Botacin
 
UMLsec
UMLsecUMLsec
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
Marcus Botacin
 
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Marcus Botacin
 
Towards Malware Decompilation and Reassembly
Towards Malware Decompilation and ReassemblyTowards Malware Decompilation and Reassembly
Towards Malware Decompilation and Reassembly
Marcus Botacin
 
Reverse Engineering Course
Reverse Engineering CourseReverse Engineering Course
Reverse Engineering Course
Marcus Botacin
 
Malware Variants Identification in Practice
Malware Variants Identification in PracticeMalware Variants Identification in Practice
Malware Variants Identification in Practice
Marcus Botacin
 
The AV says: Your Hardware Definitions were Updated!
The AV says: Your Hardware Definitions were Updated!The AV says: Your Hardware Definitions were Updated!
The AV says: Your Hardware Definitions were Updated!
Marcus Botacin
 
Windows Kernel & Driver Development
Windows Kernel & Driver DevelopmentWindows Kernel & Driver Development
Windows Kernel & Driver Development
Marcus Botacin
 
Monitoring Systems & Binaries
Monitoring Systems & BinariesMonitoring Systems & Binaries
Monitoring Systems & Binaries
Marcus Botacin
 

More from Marcus Botacin (20)

Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024
 
GPThreats-3: Is Automated Malware Generation a Threat?
GPThreats-3: Is Automated Malware Generation a Threat?GPThreats-3: Is Automated Malware Generation a Threat?
GPThreats-3: Is Automated Malware Generation a Threat?
 
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[HackInTheBOx] All You Always Wanted to Know About Antiviruses[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
 
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change![Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
 
Hardware-accelerated security monitoring
Hardware-accelerated security monitoringHardware-accelerated security monitoring
Hardware-accelerated security monitoring
 
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários ExecutáveisExtraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
 
On the Malware Detection Problem: Challenges & Novel Approaches
On the Malware Detection Problem: Challenges & Novel ApproachesOn the Malware Detection Problem: Challenges & Novel Approaches
On the Malware Detection Problem: Challenges & Novel Approaches
 
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
 
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
 
Integridade, confidencialidade, disponibilidade, ransomware
Integridade, confidencialidade, disponibilidade, ransomwareIntegridade, confidencialidade, disponibilidade, ransomware
Integridade, confidencialidade, disponibilidade, ransomware
 
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
 
UMLsec
UMLsecUMLsec
UMLsec
 
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
 
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
 
Towards Malware Decompilation and Reassembly
Towards Malware Decompilation and ReassemblyTowards Malware Decompilation and Reassembly
Towards Malware Decompilation and Reassembly
 
Reverse Engineering Course
Reverse Engineering CourseReverse Engineering Course
Reverse Engineering Course
 
Malware Variants Identification in Practice
Malware Variants Identification in PracticeMalware Variants Identification in Practice
Malware Variants Identification in Practice
 
The AV says: Your Hardware Definitions were Updated!
The AV says: Your Hardware Definitions were Updated!The AV says: Your Hardware Definitions were Updated!
The AV says: Your Hardware Definitions were Updated!
 
Windows Kernel & Driver Development
Windows Kernel & Driver DevelopmentWindows Kernel & Driver Development
Windows Kernel & Driver Development
 
Monitoring Systems & Binaries
Monitoring Systems & BinariesMonitoring Systems & Binaries
Monitoring Systems & Binaries
 

Recently uploaded

National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 

Recently uploaded (20)

National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 

Near-memory & In-Memory Detection of Fileless Malware

  • 1. Introduction Proposed Solution Evaluation Conclusions Near-memory & In-Memory Detection of Fileless Malware Marcus Botacin1, André Grégio1, Marco Zanata Alves1 1Federal University of Paraná (UFPR) {mfbotacin, gregio, mazalves}@inf.ufpr.br MEMSYS 2020 Near-memory & In-Memory Detection of Fileless Malware 1 / 23 MEMSYS’20
  • 2. Introduction Proposed Solution Evaluation Conclusions Agenda 1 Introduction 2 Proposed Solution 3 Evaluation 4 Conclusions Near-memory & In-Memory Detection of Fileless Malware 2 / 23 MEMSYS’20
  • 3. Introduction Proposed Solution Evaluation Conclusions Agenda 1 Introduction 2 Proposed Solution 3 Evaluation 4 Conclusions Near-memory & In-Memory Detection of Fileless Malware 3 / 23 MEMSYS’20
  • 4. Introduction Proposed Solution Evaluation Conclusions What Is Fileless Malware? Figure: Source: https://www.wired.com/2017/02/ say-hello-super-stealthy-malware-thats-going-mainstream/ Figure: Source: https://www.cyberscoop.com/ kaspersky-fileless-malware-memory-attribution-detection/ Near-memory & In-Memory Detection of Fileless Malware 4 / 23 MEMSYS’20
  • 5. Introduction Proposed Solution Evaluation Conclusions The Cost of Scanning Memory 0 50 100 150 200 250 300 perl namd Bzip milc mfc Execution Time (s) Benchmark AV scanning overhead Scan Baseline Figure: In-memory AV scans worst-case and best-case performance penalties. Near-memory & In-Memory Detection of Fileless Malware 5 / 23 MEMSYS’20
  • 6. Introduction Proposed Solution Evaluation Conclusions A Drawback for Current Security Solutions Figure: Default policy is not to scan memory. Near-memory & In-Memory Detection of Fileless Malware 6 / 23 MEMSYS’20
  • 7. Introduction Proposed Solution Evaluation Conclusions Why Not New AV implementations? 10 100 1000 1 2 4 8 Time (s) RAM (GB) Virtual−Proc Virtual−Full Physical Figure: Memory dump time for distinct software-based techniques and memory sizes. Near-memory & In-Memory Detection of Fileless Malware 7 / 23 MEMSYS’20
  • 8. Introduction Proposed Solution Evaluation Conclusions Understanding Malware Detection Tasks Monitoring You need to know: When to inspect. Classifying You need to know: What to inspect. Near-memory & In-Memory Detection of Fileless Malware 8 / 23 MEMSYS’20
  • 9. Introduction Proposed Solution Evaluation Conclusions Can’t We Rely on Page Faults? Table: Blocking on Page Faults. The performance impact is greater as more complex is the applied detection routine. Benchmark Cycles PF 5K 10K 20K 30K perf 187G 1,8M 4,74% 9,48% 18,96% 28,44% mcf 69G 375K 2,72% 5,45% 10,89% 16,34% milc 556G 1,2M 1,05% 2,10% 4,21% 6,31% bzip 244G 170K 0,35% 0,69% 1,38% 2,08% namd 491G 325K 0,33% 0,66% 1,32% 1,98% Near-memory & In-Memory Detection of Fileless Malware 9 / 23 MEMSYS’20
  • 10. Introduction Proposed Solution Evaluation Conclusions Agenda 1 Introduction 2 Proposed Solution 3 Evaluation 4 Conclusions Near-memory & In-Memory Detection of Fileless Malware 10 / 23 MEMSYS’20
  • 11. Introduction Proposed Solution Evaluation Conclusions Observing Memory Accesses Patterns Figure: Write-to-Read window. Read requests originated from the MSHR might overlap other memory-buffered read requests for any address, but must not overlap previous memory-buffered write requests for the same address. Near-memory & In-Memory Detection of Fileless Malware 11 / 23 MEMSYS’20
  • 12. Introduction Proposed Solution Evaluation Conclusions Malware Identification based on Near- and In-Memory Evaluation (MINI-ME) Figure: MINI-ME Architecture. MINI-ME is implemented within the memory controller. Near-memory & In-Memory Detection of Fileless Malware 12 / 23 MEMSYS’20
  • 13. Introduction Proposed Solution Evaluation Conclusions Handling Notifications via Page Faults 1 void __do_page_fault (...) { 2 // Original Code 3 if (X86_PF_WRITE) ... 4 if (X86_PF_INSTR) ... 5 // Added Code 6 if (X86_MALICIOUS) ... Code 1: Modified PF handler. Malicious bit is set when suspicious pages are mapped. Near-memory & In-Memory Detection of Fileless Malware 13 / 23 MEMSYS’20
  • 14. Introduction Proposed Solution Evaluation Conclusions Agenda 1 Introduction 2 Proposed Solution 3 Evaluation 4 Conclusions Near-memory & In-Memory Detection of Fileless Malware 14 / 23 MEMSYS’20
  • 15. Introduction Proposed Solution Evaluation Conclusions How Much Performance Overhead is Acceptable? 0.0% 1.0% 2.0% 3.0% 4.0% 5.0% 6.0% 0 8 24 32 64 128 IPC Overhead (%) Delay (Cycles) IPC vs. Memory Delay astar calculix dealII gromacs namd Figure: MINI-ME database overhead. Delays of up 32 cycles impose less than 1% of IPC overhead. Near-memory & In-Memory Detection of Fileless Malware 15 / 23 MEMSYS’20
  • 16. Introduction Proposed Solution Evaluation Conclusions Signatures as the Detection Mechanism 1 if( IsDebuggerPresent ()){ 2 evade () Code 2: C code 1 mov eax , [fs:0x30] 2 mov eax , [eax+0x2] 3 jne 0 <evade > Code 3: ASM code 1 64 8b 04 25 30 00 00 2 67 8b 40 02 3 75 e1 Code 4: Instructions Bytes Near-memory & In-Memory Detection of Fileless Malware 16 / 23 MEMSYS’20
  • 17. Introduction Proposed Solution Evaluation Conclusions Signature Size Definition Table: Signature Generation. Signatures (%) detected as false positives for each signature size and memory dump size. Memory Size 1 GB 2 GB 4 GB 8 GB Signature Size 8 B 8.65% 9.92% 10.18% 11.45% 16 B 3.06% 3.32% 3.32% 3.32% 32 B 0.00% 0.00% 0.00% 0.00% 64 B 0.00% 0.00% 0.00% 0.00% Near-memory & In-Memory Detection of Fileless Malware 17 / 23 MEMSYS’20
  • 18. Introduction Proposed Solution Evaluation Conclusions Matching Mechanism Definition Table: Matching Techniques. FP rates for multiple signature sizes and techniques. Signature size 8 B 16 B 32 B 64 B Match. Tech. Dir. Mapped Table 8.33% 3.15% 0.00% 0.00% Signature Tree 8.33% 3.15% 0.00% 0.00% Bloom Filter 8.41% 3.47% 0.00% 0.00% Near-memory & In-Memory Detection of Fileless Malware 18 / 23 MEMSYS’20
  • 19. Introduction Proposed Solution Evaluation Conclusions Matching Policies Definition Table: Scan Policies. FP rate for multiple signature sizes and policies. Signature size 8 B 16 B 32 B 64 B Scan Policy Whole Memory 8.33% 3.15% 0.00% 0.00% Mapped Pages 0.06% 0.01% 0.00% 0.00% Whitelist 0.00% 0.00% 0.00% 0.00% Code-Only 0.01% 0.00% 0.00% 0.00% Near-memory & In-Memory Detection of Fileless Malware 19 / 23 MEMSYS’20
  • 20. Introduction Proposed Solution Evaluation Conclusions MINI-ME in Practice 0.0% 1.0% 2.0% 3.0% 4.0% 5.0% 6.0% 7.0% 8.0% 9.0% 10.0% 11.0% 12.0% 13.0% perl namd bzip mcf milc Execution Time Overhead (%) Monitoring Overhead On−Access MINI−ME Figure: Monitoring Overhead. MINI-ME imposes a smaller overhead while still checking more pages than an on-access solution. Near-memory & In-Memory Detection of Fileless Malware 20 / 23 MEMSYS’20
  • 21. Introduction Proposed Solution Evaluation Conclusions Agenda 1 Introduction 2 Proposed Solution 3 Evaluation 4 Conclusions Near-memory & In-Memory Detection of Fileless Malware 21 / 23 MEMSYS’20
  • 22. Introduction Proposed Solution Evaluation Conclusions Conclusions Challenges & Lessons Fileless malware is a growing hard-to-detect class of threats. Traditional AntiViruses (AVs) impose significant performance overhead to perform memory scans. In-memory and Near-memory AVs helps reducing AV’s performance overheads. The more complex the matching mechanism, the greater the performance overhead. MINI-ME as platform for future developments. Near-memory & In-Memory Detection of Fileless Malware 22 / 23 MEMSYS’20
  • 23. Introduction Proposed Solution Evaluation Conclusions Questions & Comments. Contact mfbotacin@inf.ufpr.br twitter.com/MarcusBotacin Additional Material https://github.com/marcusbotacin/In.Memory Near-memory & In-Memory Detection of Fileless Malware 23 / 23 MEMSYS’20