Membrane: A posteriori detection of malicious code loading by memory paging analysis

Gábor Pék, Zsombor Lázár, Zoltán Várnagy, Márk Félegyházi, L. Buttyán

Research output: Conference contribution

3 Citations (Scopus)

Abstract

In this paper, we design and implement Membrane, a memory forensics tool to detect code loading behavior by stealthy malware. Instead of trying to detect the code loading itself, we focus on the changes it causes on the memory paging of the Windows operating system. As our method focuses on the anomalies caused by code loading, we are able to detect a wide range of code loading techniques. Our results indicate that we can detect code loading malware behavior with 86–98% success in most cases, including advanced targeted attacks. Our method is generic enough and hence could significantly raise the bar for attackers to remain stealthy and persist for an extended period of time.

Original language: English
Title of host publication: Computer Security - 21st European Symposium on Research in Computer Security, ESORICS 2016, Proceedings
Publisher: Springer Verlag
Pages: 199-216
Number of pages: 18
Volume: 9878 LNCS
ISBN (Print): 9783319457437
DOI: https://doi.org/10.1007/978-3-319-45744-4_10
Publication status: Published - 2016
Event: 21st European Symposium on Research in Computer Security, ESORICS 2016 - Heraklion, Greece
Duration: Sept. 26, 2016 to Sept. 30, 2016

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 9878 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 21st European Symposium on Research in Computer Security, ESORICS 2016
Country: Greece
City: Heraklion
Period: 9/26/16 to 9/30/16

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)


Cite this

Pék, G., Lázár, Z., Várnagy, Z., Félegyházi, M., & Buttyán, L. (2016). Membrane: A posteriori detection of malicious code loading by memory paging analysis. In Computer Security - 21st European Symposium on Research in Computer Security, ESORICS 2016, Proceedings (Vol. 9878 LNCS, pp. 199-216). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9878 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-45744-4_10