Running head: MALWARE DETECTION AND MEMORY INTROSPECTION Malware Detection and Memory Introspection Cyber Security Morufudin Obalola Ricardo Rodriguez Kamal Abiola September 02 2019 Professors Imad Al Saeed 1 MALWARE DETECTION AND MEMORY INTROSPECTION Malware detection is an important aspect on the Internet since it serves as an early warning system regarding cyber-attacks. It identifies the existence of malware in systems and network, alerts the user or security official and terminates the malware before it executes its mission. The detection occurs at numerous levels within the IT infrastructure; at the network gateway, on each host and device as well as at files level. This is implemented as real time firewall discovery of malicious file downloads and network connections. Malware detection is also implemented in host and network-based IDS/IPS (Kambourakis, Shabtai, Kolias, & Damopoulos, 2017). Memory Introspection Memory introspection refers to monitoring the activities of the virtual machines’ using the hypervisor and having access to them without being present within. There exists no agent within the virtual machine an all operations are accomplished from the outside. In today’s cybersecurity environment, the traditional malware-analysis methodologies have become ineffective to detect the latest malware. However, this has been overcome by the use of hypervisors that place the monitoring of malware at Kernel-level. Memory introspection is used in malware detection since it detects malware that normal automated malware-detection systems cannot. Today’s malware utilizes enhanced techniques like Rootkits that are hard to detect using traditional methods of malware detection. The use of memory introspection includes advanced features that enable the user to have a closer look of operations (what is going on) at virtual machine level. 2 MALWARE DETECTION AND MEMORY INTROSPECTION 3 Memory introspection technology eliminates the need for getting into the malware environment to examine it. The hypervisor which is outside the virtual machine enables the monitoring of the behaviour of the processes. Also, malware that utilize debugger detection methods may not detect the debugger since the introspection system strictly interrelates with the memory of the virtual machine. It does not embed to the running processes on the machine. Likewise, malware may be misled by deploying sandbox detection methods. Due to this reason’s memory introspection is undeniably better method of malware analysis as compared to traditional automated-analysis techniques (Ligh, Case, Levy & Walters, 2014). The process of memory introspection requires introspection tools to map memory i.e. translating the virtual machine’s virtual memory addresses. The process begins by translating memory addresses from the virtual to the virtual machine’s physical memory followed by translating further to the host machine’s physical memory. As a result, the hypervisor is able to have access to the right memory area throughout the course of introspection. The memory assigned by the hypervisor to the various virtual machines enables the user to gain access to it from the hypervisor and have the information of interest. MALWARE DETECTION AND MEMORY INTROSPECTION References Kambourakis, G., Shabtai, A., Kolias, C., & Damopoulos, D. (2017). Intrusion Detection and Prevention for Mobile Ecosystems. Boca Raton, FL: CRC Press Ligh, M. H., Case, A., Levy, J., & Walters, A. (2014). The art of memory forensics: Detecting malware and threats in Windows, Linux, and Mac memory. Indianapolis, IN: Wiley 4 Running head: MALWARE DETECTION & MEMORY INTROSPECTION Malware Detection & Memory Introspection Cyber Security Morufudin Obalola Ricardo Rodriguez Kamal Abiola September 11, 2019 Professor Imad Al Saeed 1 MALWARE DETECTION & MEMORY INTROSPECTION 2 The use of Memory Introspection has enhanced malware detection since malware enhanced with techniques like Rootkits can be detected. The traditional method of malware detection cannot detect current malware. Memory introspection allows the user to have a closer look at the operations of the virtual machine. Memory introspection allows the user to operate outside the malware environment to examine it. However, the use of memory introspection in malware detection has a limitation since the malware may terminate its execution and fail to expose its malicious nature when it initiates a checksum on itself to determine whether its code has been modified. The behaviour of the malware is monitored from the hypervisor which is outside the virtual machine. Also, malware that utilizes other methods to detect the debugger will not be successful in a memory introspection system that works together with the VM’s memory and do not rely on the processes running on the system. In a similar fashion, memory introspection overcomes malware that uses sandbox detection as a mode of operation. This means that the deployment of memory introspection in malware analysis is superior to the typical automatedanalysis methods. Basically, in a computer system, there exist two kinds of memory; virtual and physical. The hypervisor, on the other hand, has three kinds of memory; the virtual and physical memories of the VM as well as the physical memory of the host computer. The hypervisor abstracts the virtual memory of the host computer. An introspection tool serves the purpose of translating MALWARE DETECTION & MEMORY INTROSPECTION memory addresses between the different levels of memory which aids the hypervisor in accessing the proper memory location for the duration of the introspection (Shackleford, 2013). The introspection begins by placing breakpoints on the APIs to be monitored within the virtual machine. This is done while keeping a lookup table comprising of breakpoint offsets and altered bytes. Once the introspection system is set up and launched, the malware matching the APIs with breakpoints is disrupted prompting an alert to be sent to the hypervisor enabling the user to discover the process that extended to the breakpoint. The user retrieves the function and the associated arguments and persists in running the malware so that the behaviour of the malware remains constant up to the succeeding breakpoint. This information enables proper understanding of the actions of the analysed malware. 3 MALWARE DETECTION & MEMORY INTROSPECTION References Miyama, S., & Kourai, K. (2017). Secure IDS Offloading with Nested Virtualization and Deep VM Introspection. Shackleford, D. (2013). Virtualization security: Protecting virtualized environments. Indianapolis, Ind: Wiley. 4 Running head: MALWARE DETECTION AND MEMORY INTROSPECTION Malware Detection and Memory Introspection Cyber Security Morufudin Obalola Ricardo Rodriguez Kamal Abiola October 21 2019 Professors Imad Al Saeed 1 Running Head: ASSIGNMENT 2 Malware Detection and Memory Introspection Malware is an acronym for malicious software and is a common term used several times to refer to an application program designed and developed with the key intention of infiltrating existing computer systems without the knowledge of any authorized person within the said system. The term malware other than big an acronym, as explained above, is also a class term that comprises several constituting elements (Kolosnjaji et al., 2018). Some of these elements include Trojan horses, rootkits, computer viruses, spyware, unwanted software, and worms. The majority of end-users utilize different anti-virus programs to detect the presence of malware in the affected system. For a system used to detect malware, he or she must reach out to antivirus software that can isolate a malware file from other "good" files in the device. Besides, malware detection can only be possible when antivirus programs with databases that contain signatures with similar characteristics as those of the targeted malware. When a new malware arrives, various antivirus suppliers will get hold of the malware, analyze it, and generate its signature, which is then distributed among end-users to use in protecting their respective computer systems. Unfortunately, some malware authors have found ways of hiding signature codes, thereby limiting the ability of antivirus suppliers to tame them. One popular method that the malware developers use to hide the signatures is encryption, where all the files pertaining to the malware are encrypted (Kolosnjaji et al., 2018). Malware detection evasion techniques have lately advanced no wonder there are many cases of unresolved malware attacks seeming not to end. For instance, many malware is now developed using polymorphic programs, which in turn utilize obfuscate and encryption to hide information in the body of the program text. Memory inspection, on the other hand, involves various interventions that can be carried out to expose the contents of the memory blocks. Such interventions can either be legal or illegal. ASSIGNMENT 3 They are storing a treasure within a device when it is possible for an attacker to gain access to where the location where the treasure is stored is almost an impossibility (Valamehr et al., 2012). Fundamentally, attacks that try to gain access into the system from time to time can be categorized into two, passive attacks and intrusive attacks. Passive attacks are those attacks that involve inspecting the system interface to know things like electrical differences, while intrusive attacks cause damage to memory contents. The damages can be informed of package breach, illegal scan, and physical memory hardware alteration. Historical Information In past, smart developers have created programs that showed unexpected behaviors just to justify and tell that world that it was possible. The first self-replicating software came about in 1971. It was known as a creeper. The developers made it replicate itself in a series of computers within the world. Later, we had the Morris worm, which replicated itself too in several networks and thus came out as a computer virus for that matter. the behavior developed and at one point, arrived at the ransomware. Here, developers just created the viruses to be able to have financial benefits from users. They created codes that blocked the usage of computer information and demanded a particular sum of cash to be able to release the same for use by the public (Inscrypt et al., 2018). While software and hardware developers began addressing the issues at hand, the hackers responded by coming up with complex codes and malicious software which they deployed in getting the best out of the users for that matter. the first malware came about in 1991. Here, developers came up with the Michelangelo virus, which prevented individuals from ever accessing their computers. The computers could not start. Later, other viruses exploited weaknesses in the Microsoft Web servers to hack and create malicious softwares for that matter ASSIGNMENT 4 (Inscrypt et al., 2018). So, the question lies, how then did developers come up with additional solutions to the ever-evolving problem? The answer lies in the fact that despite creating malware, security experts have also countered the move by developing parallel malicious software that goes ahead to counter the existing ones. They mostly rely on virtual retrospection techniques and tools at any given level. So, however much tricky it seems, the society enjoys much from solving these set of problems by understanding the community behavior and coming up with the correct fixes and detection techniques for whatever malware ASSIGNMENT 5 References Inscrypt (Conference), In Chen, X., In Lin, D., & In Yung, M. (2018). Information security and cryptology: 13th international conference, Inscrypt 2017, Xi'an, China, November 3-5, 2017, revised selected papers. Kolosnjaji, B., Demontis, A., Biggio, B., Maiorca, D., Giacinto, G., Eckert, C., & Roli, F. (2018, September). Adversarial malware binaries: Evading deep learning for malware detection in executables. In 2018 26th European Signal Processing Conference (EUSIPCO) (pp. 533-537). IEEE. Valamehr, J., Chase, M., Kamara, S., Putnam, A., Shumow, D., Vaikuntanathan, V., & Sherwood, T. (2012, June). Inspection resistant memory: architectural support for security from a physical examination. In ACM SIGARCH Computer Architecture News (Vol. 40, No. 3, pp. 130-141). IEEE Computer Society. Running head: MALWARE DETECTION AND MEMORY INTROSPECTION Malware Detection and Memory Inspection Morufudin Obalola Ricardo Rodriguez Kamal Abiola November 18 2019 Professors Imad Al Saeed 1 Running Head: MALWARE DETECTION AND MEMORY INSPECTION 2 Malware Detection and Memory Inspection Motivation There is a requirement for the U.S government to embrace data solution that considers sharing data which includes the utilization of light technological advancements. This is an endeavor of the changes in the IT segment. In many cases, the development of systems by the agencies of the federal government is only a duplication of other already developed systems in other various agencies of the national government. There has been extraordinary interest in cloud technologies, which guarantee that the operational capacity of the government expanded and enhanced. Organizations in the private sector are increasingly embracing technologies such as the cloud technologies that, as can be seen, are empowering them to accomplish extraordinary achievements. It is quite discernible that the federal government will hugely benefit if it decides to embrace the integrated approach of cloud-based resource management totally. It is no longer a secret that the increased dependence on information technology has come with a new set of challenges. The main challenge that has seen various governments, multinationals as well as private individuals spend a lot of money in trying to secure their information technology infrastructures is security. Over the years, quite a number of information technology-related security challenges have been experienced and continue to increase while also evolving into new levels of sophistication. Malware is one of these security challenges that, for a long time, has been affecting information systems belonging to both the government and private sectors. MALWARE DETECTION AND MEMORY INSPECTION 3 Malware Detection and Memory Inspection Malware is a common term in the computing space which is an abbreviation for malicious-software. Malware a typical word occasionally utilized in referring to a program structured as well as created with the intention of penetrating information technology infrastructures in existence in breach of legitimately okayed modalities (Kolosnjaji et al., 2018). Malware as a term, other than being the abbreviation as clarified herein, is likewise a compound word that includes a few comprising components. A portion of the components incorporates Trojans, worms, rootkits, viruses, spyware and undesirable software. Most the end-users rely on various anti-virus software to recognize malware presence in the compromised software. For frameworks utilized in identifying malware, the person in question has to use an antivirus software that can seclude a malware-infected files from other "good" ones. The Security Challenges It is only possible to detect malware when an antivirus program with a database containing signatures with comparative attributes as those of the focused malware. At the point when another malware shows up, different antivirus providers single-out the malware, examine it and come up with the malware’s signature and then disperse it among user’s platforms to be utilized in the protection of their individual PC frameworks. Tragically, some malware creators have discovered methods for concealing signature codes along these lines restricting antivirus vendor capacity to manage the menace. One famous technique mostly used by the malware designers shrouding malware signature through encryption, where every one of the documents relating to the malware is encoded (Kolosnjaji et al., 2018). Malware detection avoidance technique has of late gone a notch higher, giving rise to numerous instances of malware assaults MALWARE DETECTION AND MEMORY INSPECTION 4 that are unresolved. For example, numerous malware is presently created using polymorphic programs, which thus use encryption and jumble to conceal data in the program body content wise. Memory Inspection A device with the ability to process information usually includes a processor whose responsibility involves data processing and a module of memory that is made up of a first memory as well as a memory controller. The first memory has several memory chips mounted upon it and is mainly concerned with the storage of data. The memory controller, on the other hand, oversees the whole process of memory data inspection, execution of correction processing of the very data, especially moments an error bit is detected in the chip of a memory that corresponds to another layer. Going by the activities of a first location at which a single bit error occurs; and execution of the first inspection area. Memory inspection, in this case, includes different intercessions that can be completed to uncover the substance of the memory blocks. Such intercessions can either be legitimate or unlawful. They are putting away a treasure within a device when it is feasible for an aggressor to access the area where the treasure is put away is nearly an inconceivability (Valamehr et al., 2012). Generally, malware assaults that attempt to enter an information infrastructure every once in a while can be grouped as either intrusive or passive attacks. The attacks considered as passive are those that include inspecting interface of the system to detect issues such as electrical contrasts, whereas assaults seen as intrusive are those that bring about harm to the memory contents. MALWARE DETECTION AND MEMORY INSPECTION 5 References Kolosnjaji, B., Demontis, A., Biggio, B., Maiorca, D., Giacinto, G., Eckert, C., & Roli, F. (2018, September). Adversarial malware binaries: Evading deep learning for malware detection in executables. In 2018 26th European Signal Processing Conference (EUSIPCO) (pp. 533-537). IEEE. Valamehr, J., Chase, M., Kamara, S., Putnam, A., Shumow, D., Vaikuntanathan, V., & Sherwood, T. (2012, June). Inspection resistant memory: architectural support for security from a physical examination. In ACM SIGARCH Computer Architecture News (Vol. 40, No. 3, pp. 130-141). IEEE Computer Society.
Purchase answer to see full attachment