A new approach for detecting process injection attacks using memory analysis

This paper introduces a new approach for examining and analyzing fileless malware artifacts in computer memory. The proposed approach offers the distinct advantage of conducting a comprehensive live analysis of memory without the need for periodic memory dumping. Once a new process arrives, log file...

Full description

Saved in:
Bibliographic Details
Published in:International journal of information security 2024-06, Vol.23 (3), p.2099-2121
Main Authors: Nasereddin, Mohammed, Al-Qassas, Raad
Format: Article
Language:English
Subjects:
Coding and Information Theory
Communications Engineering
Computer Communication Networks
Computer memory
Computer Science
Cryptology
Dumping
Hard disks
Malware
Management of Computing and Information Systems
Networks
Operating Systems
Regular Contribution
Software
Citations: Items that this one cites
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:This paper introduces a new approach for examining and analyzing fileless malware artifacts in computer memory. The proposed approach offers the distinct advantage of conducting a comprehensive live analysis of memory without the need for periodic memory dumping. Once a new process arrives, log files are collected by monitoring the Event Tracing for Windows facility as well as listing the executables of the active process for violation detection. The proposed approach significantly reduces detection time and minimizes resource consumption by adopting parallel computing (programming), where the main software (Master) divides the work, organizes the process of searching for artifacts, and distributes tasks to several agents. A dataset of 17411 malware samples is used in the assessment of the new approach. It provided satisfactory and reliable results in dealing with at least six different process injection techniques including classic DLL injection, reflective DLL injection, process hollowing, hook injection, registry modifications, and .NET DLL injection. The detection accuracy rate has reached 99.93 % with a false-positive rate of 0.068 % . Moreover, the accuracy was monitored in the case of launching several malwares using different process injection techniques simultaneously, and the detector was able to detect them efficiently. Also, it achieved a detection time with an average of 0.052 msec per detected malware.
ISSN:1615-5262
1615-5270
DOI:10.1007/s10207-024-00836-w