
Detecting Code Injection Attacks With Memory Dumps Analysis

Posted on: 2020-08-03  Degree: Master  Type: Thesis
Country: China  Candidate: Z K Li  Full Text: PDF
GTID: 2428330602950523  Subject: Engineering
Abstract/Summary:
Code injection attack is one of the most important threats in the domain of computer system security. Host-based Code Injection Attacks (HBCIA) usually pose a far greater threat to personal computer systems than the earlier code injection attack techniques, because of the high covertness and complexity of the attack approach. In a host-based code injection attack, the injector entity and the victim entity reside in the same operating system as processes. The injector entity usually leverages system calls as the interface to inject code into the victim entity. In order to detect malware conducting HBCIA, a variety of HBCIA detection approaches have been proposed. These approaches can be applied to detect malicious HBCIA behaviors at different granularities and over different entities through either dynamic or static detection techniques. Among these approaches, the HBCIA memory forensics approach detects HBCIA based on the analysis of memory dump files and is considered one of the most effective HBCIA detection approaches.

In this thesis, we investigated the mainstream HBCIA detection system Quincy, which uses memory dump files for detection. We find that the memory feature extraction scheme for machine learning used by the Quincy system has the following drawbacks: (1) the HBCIA memory feature extraction scheme used by Quincy only considers local features describing the distribution of process memory structures and the properties of the programming language; it does not consider global features related to the process and thread. (2) The HBCIA memory feature extraction scheme used by Quincy has lost some features in the local feature categories, and some of the local features are too coarse in granularity for HBCIA detection. These two problems result in low precision of malware detection on Windows 10.

In order to solve the above problems, we propose a new memory feature extraction scheme for HBCIA detection. The new scheme has the following advantages: (1) we add a new global feature category to the traditional seven-feature-category HBCIA memory feature extraction scheme used by Quincy. The new feature category strengthens the detection of HBCIA features by considering information about the process or thread in which the target malicious code resides. (2) We add several new features, including ones related to countermeasures against forensics, covert communication by malicious trojans, and malicious trojan operations, into the seven feature categories used by the Quincy system. The added features and feature category greatly improve the precision of the original seven-feature-category HBCIA memory feature extraction scheme. Based on the new memory feature extraction scheme, we design and implement a component for Quincy, named Eugen, to extract the new HBCIA features and extend the performance of HBCIA detection. We have tested the performance of the Eugen-enhanced Quincy system. The experimental results show that the new system based on the new memory feature extraction scheme exhibits better family detection ability than the original memory feature extraction scheme used by Quincy on Windows 10. The new scheme outperforms Quincy by detecting 1.6 more malicious families on family detection, 1.6 more malicious families on family completeness, and by 7.2% on precision.
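The abstract distinguishes local features (properties of a single memory region) from global features (properties of the process and threads the region belongs to). The following is an added illustration of that distinction, written for this page; it is not code from the thesis, from Quincy or from Eugen. It assumes a memory forensics tool has already summarised a dump into per-process regions and threads (a simplified, constructed model), and every feature name below is the editor's own choice rather than one of the thesis's feature categories.

```python
"""Toy memory-region feature extraction in the local/global style the abstract describes.

Added example, not code from the thesis, from Quincy or from Eugen. Region and Thread
are a constructed, simplified model of what a dump parser would report; feature names
are assumptions made for illustration.
"""
import math
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Region:
    """One virtual memory region of a process as listed in a dump summary."""
    pid: int
    base: int
    size: int
    protection: str   # Windows page protection name, e.g. PAGE_EXECUTE_READWRITE
    mapped_file: str  # backing file path, or "" for private (unbacked) memory
    data: bytes       # the region's bytes (constructed in the sample below)


@dataclass
class Thread:
    """A thread of a process together with its recorded start address."""
    pid: int
    tid: int
    start_address: int


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts: Dict[int, int] = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def local_features(r: Region) -> Dict[str, float]:
    """Features that depend only on the region itself (layout and content)."""
    return {
        "executable": float("EXECUTE" in r.protection),
        "writable": float("WRITE" in r.protection),
        "unbacked": float(r.mapped_file == ""),
        "has_mz_header": float(r.data[:2] == b"MZ"),
        "entropy": shannon_entropy(r.data),
        "log2_size": math.log2(r.size),
    }


def _contains(r: Region, addr: int) -> bool:
    return r.base <= addr < r.base + r.size


def global_features(r: Region, regions: List[Region], threads: List[Thread]) -> Dict[str, float]:
    """Features that need the owning process's other regions and its threads."""
    same_proc = [x for x in regions if x.pid == r.pid]
    proc_threads = [t for t in threads if t.pid == r.pid]
    # Threads whose recorded start address lies inside this region.
    threads_started_here = sum(1 for t in proc_threads if _contains(r, t.start_address))
    # Threads of the process that start outside every file-backed region.
    threads_in_unbacked = sum(
        1 for t in proc_threads
        if not any(x.mapped_file and _contains(x, t.start_address) for x in same_proc)
    )
    private_exec = sum(1 for x in same_proc if x.mapped_file == "" and "EXECUTE" in x.protection)
    return {
        "proc_private_exec_regions": float(private_exec),
        "proc_threads_in_unbacked": float(threads_in_unbacked),
        "threads_started_here": float(threads_started_here),
    }


def feature_vector(r: Region, regions: List[Region], threads: List[Thread]) -> Dict[str, float]:
    """Merged local + global features: the row a classifier would be trained on."""
    v = local_features(r)
    v.update(global_features(r, regions, threads))
    return v


# Constructed sample: one process with a file-backed image region and one private RWX region.
SAMPLE_REGIONS = [
    Region(4242, 0x00400000, 0x10000, "PAGE_EXECUTE_READ", r"C:\sample\victim.exe", b"MZ" + b"\x00" * 62),
    Region(4242, 0x001A0000, 0x1000, "PAGE_EXECUTE_READWRITE", "", bytes(range(256)) * 4),
]
SAMPLE_THREADS = [
    Thread(4242, 1, 0x00401000),   # thread starting inside the image
    Thread(4242, 2, 0x001A0040),   # thread starting inside the private RWX region
]

if __name__ == "__main__":
    for r in SAMPLE_REGIONS:
        print(hex(r.base), feature_vector(r, SAMPLE_REGIONS, SAMPLE_THREADS))
```

Run stand-alone, the script prints one feature row per region. The point is the split: the local row for the private region already looks suspicious (unbacked, writable and executable, maximal entropy), but only the global features say whether a thread of the process actually starts there, which is the kind of process- and thread-level information the abstract adds to a region-only scheme.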
Keywords/Search Tags: Code Injection Attacks, Machine Learning, Memory Forensics, Attacks Detection