grizzly/deneir
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

start writing

Browse source
This commit is contained in:
Arthur 2024-11-22 16:33:25 +01:00
parent 0381009448
commit e3c313e93c
5 changed files with 3201 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

252
procver/ACNS/biblio.bib Normal file
View file

@ -0,0 +1,252 @@
@misc{smith_evasion_2022,
title = {Evasion {Techniques} — {Hiding} your process from `ps`},
url = {https://keiran.scot/2022/10/10/Evasion-Techniques-Hiding-your-process-from-ps/},
abstract = {Everything in Linux is a file, that even goes for your process information. This lived inside the /proc directory on your filesystem. Today we will use and abuse this knowledge to hide a target process from the ps command in Linux, and in essence other Unix based systems. But first…
How does the ps command work? As mentioned previously everything in Linux is a file, including the process tree in /proc.},
language = {en-us},
urldate = {2024-11-08},
author = {Smith, Keiran},
month = oct,
year = {2022},
note = {Section: posts},
annote = {Try that for both hiding and masquerading a process.
},
file = {Snapshot:/home/grizzly/Zotero/storage/EUYRZ2P7/Evasion-Techniques-Hiding-your-process-from-ps.html:text/html},
}
@article{almshari_detection_2020,
title = {Detection of {Potentially} {Compromised} {Computer} {Nodes} and {Clusters} {Connected} on a {Smart} {Grid}, {Using} {Power} {Consumption} {Data}},
volume = {20},
copyright = {http://creativecommons.org/licenses/by/3.0/},
issn = {1424-8220},
url = {https://www.mdpi.com/1424-8220/20/18/5075},
doi = {10.3390/s20185075},
abstract = {Monitoring what application or type of applications running on a computer or a cluster without violating the privacy of the users can be challenging, especially when we may not have operator access to these devices, or specialized software. Smart grids and Internet of things (IoT) devices can provide power consumption data of connected individual devices or groups. This research will attempt to provide insides on what applications are running based on the power consumption of the machines and clusters. It is therefore assumed that there is a correlation between electric power and what software application is running. Additionally, it is believed that it is possible to create power consumption profiles for various software applications and even normal and abnormal behavior (e.g., a virus). In order to achieve this, an experiment was organized for the purpose of collecting 48 h of continuous real power consumption data from two PCs that were part of a university computer lab. That included collecting data with a one-second sample period, during class as well as idle time from each machine and their cluster. During the second half of the recording period, one of the machines was infected with a custom-made virus, allowing comparison between power consumption data before and after infection. The data were analyzed using different approaches: descriptive analysis, F-Test of two samples of variance, two-way analysis of variance (ANOVA) and autoregressive integrated moving average (ARIMA). The results show that it is possible to detect what type of application is running and if an individual machine or its cluster are infected. Additionally, we can conclude if the lab is used or not, making this research an ideal management tool for administrators.},
language = {en},
number = {18},
urldate = {2024-11-07},
journal = {Sensors},
author = {Almshari, Mohammed and Tsaramirsis, Georgios and Khadidos, Adil Omar and Buhari, Seyed Mohammed and Khan, Fazal Qudus and Khadidos, Alaa Omar},
month = jan,
year = {2020},
note = {Number: 18
Publisher: Multidisciplinary Digital Publishing Institute},
keywords = {autoregressive integrated moving average (ARIMA), descriptive analysis, F-Test of two samples of variance, IoT, machine learning, malware detection, power consumption, privacy, security, smart grid, two-way analysis of variance (ANOVA)},
pages = {5075},
annote = {The goal here is to detect what application are running on a machine based on the power consumption. The application is very relevant as it concerns computers in a university and not specialized machines.
},
file = {Full Text PDF:/home/grizzly/Zotero/storage/FPWN8QSX/Almshari et al. - 2020 - Detection of Potentially Compromised Computer Nodes and Clusters Connected on a Smart Grid, Using Po.pdf:application/pdf},
}
@inproceedings{james_detection_2017,
title = {Detection of anomalous behavior of smartphones using signal processing and machine learning techniques},
url = {https://ieeexplore.ieee.org/document/8292418},
doi = {10.1109/PIMRC.2017.8292418},
abstract = {Different applications in smartphones result in different power consumption patterns. The fact that every application has been coded to perform different tasks leads to the claim that every action onboard (whether software or hardware) will consequently have a trace in the power consumption of the smartphone. Even though the power consumed by the application might not be the same every time it is used, there still remains a similarity in the power consumption pattern. An anomalous behavior on the smartphone would result in a reduction in the similarity of the power consumption pattern. This change in similarity can be used to detect the presence of anomalous behavior of smartphones. We have proposed two approaches to detecting anomalous behavior on smartphones based on the power consumption pattern. The first approach is based on signal processing and the second approach explores the area of statistical learning in detecting malware. The two approaches have been analysed, evaluated, and compared. It has been observed that the signal processing method of detection performed better for anomalous behavior of lower intensity and the statistical learning method performed better for higher intensity anomalous behavior. It was also observed that both the methods are complementary.},
urldate = {2024-11-07},
booktitle = {2017 {IEEE} 28th {Annual} {International} {Symposium} on {Personal}, {Indoor}, and {Mobile} {Radio} {Communications} ({PIMRC})},
author = {James, R. Soundar Raja and Albasir, A. and Naik, K. and Dabbagh, M. Y. and Dash, P. and Zamani, M. and Goel, N.},
month = oct,
year = {2017},
note = {ISSN: 2166-9589},
keywords = {Malware, Power demand, Power measurement, Signal processing, Smart phones, Statistical learning},
pages = {1--7},
annote = {Power pattern detection and anomalous activity detection, but on smartphone.
},
file = {Full Text PDF:/home/grizzly/Zotero/storage/JQL8YJ2D/James et al. - 2017 - Detection of anomalous behavior of smartphones using signal processing and machine learning techniqu.pdf:application/pdf;IEEE Xplore Abstract Record:/home/grizzly/Zotero/storage/XQE3UMIP/8292418.html:text/html},
}
@inproceedings{bridges_towards_2018,
title = {Towards {Malware} {Detection} via {CPU} {Power} {Consumption}: {Data} {Collection} {Design} and {Analytics}},
shorttitle = {Towards {Malware} {Detection} via {CPU} {Power} {Consumption}},
url = {https://ieeexplore.ieee.org/document/8456118},
doi = {10.1109/TrustCom/BigDataSE.2018.00250},
abstract = {This paper presents an experimental design and algorithm for power-based malware detection on general-purpose computers. Our design allows programmatic collection of CPU power profiles for a fixed set of non-malicious benchmarks, first running in an uninfected state and then in an infected state with malware running along with non-malicious software. To characterize power consumption profiles, we use both simple statistical and novel, sophisticated features. We propose an unsupervised, one-class anomaly detection ensemble and compare its perfor-mance with several supervised, kernel-based SVM classifiers (trained on clean and infected profiles) in detecting previously unseen malware. The anomaly detection system exhibits perfect detection when using all features across all benchmarks, with smaller false detection rate than the supervised classifiers. This paper provides a proof of concept that power-based malware detection is feasible for general-purpose computers and presents several future research steps toward that goal.},
urldate = {2024-11-07},
booktitle = {2018 17th {IEEE} {International} {Conference} {On} {Trust}, {Security} {And} {Privacy} {In} {Computing} {And} {Communications}/ 12th {IEEE} {International} {Conference} {On} {Big} {Data} {Science} {And} {Engineering} ({TrustCom}/{BigDataSE})},
author = {Bridges, Robert and Hernández Jiménez, Jarilyn and Nichols, Jeffrey and Goseva-Popstojanova, Katerina and Prowell, Stacy},
month = aug,
year = {2018},
note = {ISSN: 2324-9013},
keywords = {Malware, Power demand, anomaly detection, Anomaly detection, Benchmark testing, Computers, Detectors, intrusion detection, malware, power monitoring, rootkit, side channel analysis},
pages = {1680--1684},
annote = {This paper focuses on collecting a power dataset for infected and clean machine and then training a model to classify them. This is a good step toward verification of loca lressources (the label infected/clean is kind of a local ressource) but the method and goal are very different: malware vs hidden processes and SVM classification vs NN regression.
},
file = {Full Text PDF:/home/grizzly/Zotero/storage/RYB2CQ8U/Bridges et al. - 2018 - Towards Malware Detection via CPU Power Consumption Data Collection Design and Analytics.pdf:application/pdf;IEEE Xplore Abstract Record:/home/grizzly/Zotero/storage/PCBDDMKS/8456118.html:text/html},
}
@inproceedings{sukhija_towards_2022,
address = {New York, NY, USA},
series = {{MEDES} '22},
title = {Towards {Anomaly} {Detection} for {Monitoring} {Power} {Consumption} in {HPC} {Facilities}},
isbn = {978-1-4503-9219-8},
url = {https://doi.org/10.1145/3508397.3564826},
doi = {10.1145/3508397.3564826},
abstract = {Given the increasing complexity and the heterogeneity of today's computing system infrastructure, power efficiency and fault tolerance remain the top challenges of an High Performance Computing (HPC) facility operation. Recently, many research efforts are focusing on monitoring solutions for collecting, correlating, and analyzing computing infrastructures health events and metrics data to not only identify the normal events but also the anomalous, thus aiding to reduce downtime and power consumption in the face of a computational center's and users' critical needs. In this preliminary work, we present an anomaly detection methodology integrated with the Operations Monitoring and Notification Infrastructure (OMNI) data warehouse at Lawrence Berkeley National Laboratory's (LBNL) National Energy Scientific Computing Center (NERSC) that has implemented anomaly detection algorithms for identifying abnormal power patterns. We evaluated our methodology using five million unlabeled power datasets from the Cori computation system at NERSC and reported on the accuracy of the anomaly detection algorithms in detecting different anomalous behavior pertaining to the amount of power consumed. The methodology is employed to aid in monitoring and automating power alerting to achieve power efficiency and reliability in future systems to be deployed at NERSC or other HPC facilities.},
urldate = {2024-11-07},
booktitle = {Proceedings of the 14th {International} {Conference} on {Management} of {Digital} {EcoSystems}},
publisher = {Association for Computing Machinery},
author = {Sukhija, Nitin and Bautista, Elizabeth and Butz, Drake and Whitney, Cary},
month = dec,
year = {2022},
pages = {1--8},
annote = {This article does not correlate with the logs at all. The detection of anomalous events is done purely with analysis of the power only using an unsupervised model trained on the power only.
},
file = {PDF:/home/grizzly/Zotero/storage/LW4J6TQN/Sukhija et al. - 2022 - Towards Anomaly Detection for Monitoring Power Consumption in HPC Facilities.pdf:application/pdf},
}
@inproceedings{takasaki_anomalous_2021,
title = {An {Anomalous} {Behavior} {Detection} {Method} {Based} on {Power} {Analysis} {Utilizing} {Steady} {State} {Power} {Waveform} {Predicted} by {LSTM}},
url = {https://ieeexplore.ieee.org/document/9486706},
doi = {10.1109/IOLTS52814.2021.9486706},
abstract = {Hardware security issues have emerged in recent years as Internet of Things (IoT) devices have rapidly spread. Power analysis is one of the methods to detect anomalous operations, but it is hard to apply it to IoT devices where an operating system and various software programs are running and hence its power waveforms become more complex. In this paper, we propose an anomalous behavior detection method utilizing application-specific power behaviors extracted by steady-state power waveform, which is generated by LSTM (long short-term memory). The proposed method is based on extracting application-specific power behaviors by predicting steady-state power waveforms. At that time, by using LSTM, we can effectively predict steady-state power waveforms, even if they include one or more cycled waveforms and/or they are composed of many complex waveforms. In the experiment, we implement three normal application programs and one anomalous application program on a single board computer and apply the proposed method to it. The experimental results demonstrate that the proposed method successfully detects the anomalous power behavior of an anomalous application program, while the existing method cannot.},
urldate = {2024-11-07},
booktitle = {2021 {IEEE} 27th {International} {Symposium} on {On}-{Line} {Testing} and {Robust} {System} {Design} ({IOLTS})},
author = {Takasaki, Kazunari and Kida, Ryoichi and Togawa, Nozomu},
month = jun,
year = {2021},
note = {ISSN: 1942-9401},
keywords = {anomalous behavior, Hardware, Internet of Things, IoT device, LSTM, Operating systems, power analysis, Security, Software, Steady-state, System analysis and design},
pages = {1--7},
annote = {This paper gets dangerously close. If I understand correctly, they do not use the data from the machine. They use previous power consumption data to predict the next power data. Because the power consumption should follow a steady pattern for the same program, then deviation can be detected. Read the full article to be sure.
},
file = {Full Text PDF:/home/grizzly/Zotero/storage/HQBNCHA9/Takasaki et al. - 2021 - An Anomalous Behavior Detection Method Based on Power Analysis Utilizing Steady State Power Waveform.pdf:application/pdf;IEEE Xplore Abstract Record:/home/grizzly/Zotero/storage/7ECVKIEA/9486706.html:text/html},
}
@inproceedings{moreno_efficient_2016,
title = {Efficient program tracing and monitoring through power consumption - with a little help from the compiler},
url = {https://ieeexplore.ieee.org/document/7459561?arnumber=7459561},
abstract = {Ensuring correctness and enforcing security are growing concerns given the complexity of modern connected devices and safety-critical systems. A promising approach is non-intrusive runtime monitoring through reconstruction of program execution traces from power consumption measurements. This can be used for verification, validation, debugging, and security purposes. In this paper, we propose a framework for increasing the effectiveness of power-based program tracing techniques. These systems determine the most likely block of source code that produced an observed power trace (CPU power consumption as a function of time). Our framework maximizes distinguishability between power traces for different code blocks. To this end, we provide a special compiler optimization stage that reorders intermediate representation (IR) and determines the reorderings that lead to power traces with highest distances between each other, thus reducing the probability of misclassification. Our work includes an experimental evaluation, using LLVM for an ARM architecture. Experimental results confirm the effectiveness of our technique.},
urldate = {2024-11-07},
booktitle = {2016 {Design}, {Automation} \& {Test} in {Europe} {Conference} \& {Exhibition} ({DATE})},
author = {Moreno, Carlos and Kauffman, Sean and Fischmeister, Sebastian},
month = mar,
year = {2016},
note = {ISSN: 1558-1101},
keywords = {Power demand, Power measurement, Security, Electronic mail, Monitoring, Optimization, Training},
pages = {1556--1561},
annote = {The power consumption is correlated with the activity of the program for “verification, validation, debugging, and security purposes”. It does require the compiler order code blocks for maximal detectability.
},
file = {Full Text PDF:/home/grizzly/Zotero/storage/J7YXVQBD/Moreno et al. - 2016 - Efficient program tracing and monitoring through power consumption - with a little help from the com.pdf:application/pdf;IEEE Xplore Abstract Record:/home/grizzly/Zotero/storage/9YQB5S9Y/7459561.html:text/html},
}
@inproceedings{zhu_towards_2012,
title = {Towards a {Novel} {Approach} for {Hidden} {Process} {Detection} {Based} on {Physical} {Memory} {Scanning}},
url = {https://ieeexplore.ieee.org/document/6405787/?arnumber=6405787},
doi = {10.1109/MINES.2012.239},
abstract = {Leveraging developed root kit, malware could deeply hide its own process and hardly be detected. Based on analyzing various existing detecting technologies, a novel approach for hidden process detection was proposed in this paper. The approach used page table entry patching to traverse physical memory and obtain the raw data, and formulated the characteristic selection constraints to extract reliable process object characteristics, which were used to search process object instances based on string matching in physical memory to form a credible list of processes. The approach could also be used to search other kernel objects on varieties of system platforms. The experimental results show that new detection is effective in hidden process searching.},
urldate = {2024-11-06},
booktitle = {2012 {Fourth} {International} {Conference} on {Multimedia} {Information} {Networking} and {Security}},
author = {Zhu, Junhu and Zhou, Tianyang and Wang, Qingxian},
month = nov,
year = {2012},
note = {ISSN: 2162-8998},
keywords = {Hardware, Security, Data structures, hidden process, Kernel, Memory management, paging mechanism, physical memory scan, Process control, string matching},
pages = {662--665},
annote = {Yet another memory analysis tool to detect hidden processes. This time they use “physical memory scan” but it is just another version of memory analysis that is host-based.
},
file = {Full Text PDF:/home/grizzly/Zotero/storage/64LW8E8I/Zhu et al. - 2012 - Towards a Novel Approach for Hidden Process Detection Based on Physical Memory Scanning.pdf:application/pdf;IEEE Xplore Abstract Record:/home/grizzly/Zotero/storage/P5444QL5/6405787.html:text/html},
}
@article{nasereddin_new_2024,
title = {A new approach for detecting process injection attacks using memory analysis},
volume = {23},
issn = {1615-5270},
url = {https://doi.org/10.1007/s10207-024-00836-w},
doi = {10.1007/s10207-024-00836-w},
abstract = {This paper introduces a new approach for examining and analyzing fileless malware artifacts in computer memory. The proposed approach offers the distinct advantage of conducting a comprehensive live analysis of memory without the need for periodic memory dumping. Once a new process arrives, log files are collected by monitoring the Event Tracing for Windows facility as well as listing the executables of the active process for violation detection. The proposed approach significantly reduces detection time and minimizes resource consumption by adopting parallel computing (programming), where the main software (Master) divides the work, organizes the process of searching for artifacts, and distributes tasks to several agents. A dataset of 17411 malware samples is used in the assessment of the new approach. It provided satisfactory and reliable results in dealing with at least six different process injection techniques including classic DLL injection, reflective DLL injection, process hollowing, hook injection, registry modifications, and .NET DLL injection. The detection accuracy rate has reached \$\$99.93{\textbackslash}\%\$\$with a false-positive rate of \$\$0.068{\textbackslash}\%\$\$. Moreover, the accuracy was monitored in the case of launching several malwares using different process injection techniques simultaneously, and the detector was able to detect them efficiently. Also, it achieved a detection time with an average of 0.052 msec per detected malware.},
language = {en},
number = {3},
urldate = {2024-11-06},
journal = {International Journal of Information Security},
author = {Nasereddin, Mohammed and Al-Qassas, Raad},
month = jun,
year = {2024},
keywords = {Fileless malware, Intrusion detection, Malware analysis and detection, Memory forensics, Process injection attacks},
pages = {2099--2121},
annote = {Again an idea based on memory analysis.
One good point is the use of known malware.
},
file = {Full Text PDF:/home/grizzly/Zotero/storage/63B57ANI/Nasereddin and Al-Qassas - 2024 - A new approach for detecting process injection attacks using memory analysis.pdf:application/pdf},
}
@inproceedings{wang_procguard_2022,
title = {{ProcGuard}: {Process} {Injection} {Behaviours} {Detection} {Using} {Fine}-grained {Analysis} of {API} {Call} {Chain} with {Deep} {Learning}},
shorttitle = {{ProcGuard}},
url = {https://ieeexplore.ieee.org/document/10063560/?arnumber=10063560},
doi = {10.1109/TrustCom56396.2022.00109},
abstract = {New malware increasingly adopts novel fileless techniques to evade detection from antivirus programs. Process injection is one of the most popular fileless attack techniques. This technique makes malware more stealthy by writing malicious code into memory space and reusing the name and port of the host process. It is difficult for traditional security software to detect and intercept process injections due to the stealthiness of its behavior. We propose a novel framework called ProcGuard for detecting process injection behaviors. This framework collects sensitive function call information of typical process injection. Then we perform a fine-grained analysis of process injection behavior based on the function call chain characteristics of the program, and we also use the improved RCNN network to enhance API analysis on the tampered memory segments. We combine API analysis with deep learning to determine whether a process injection attack has been executed. We collect a large number of malicious samples with process injection behavior and construct a dataset for evaluating the effectiveness of ProcGuard. The experimental results demonstrate that it achieves an accuracy of 81.58\% with a lower false-positive rate compared to other systems. In addition, we also evaluate the detection time and runtime performance loss metrics of ProcGuard, both of which are improved compared to previous detection tools.},
urldate = {2024-11-06},
booktitle = {2022 {IEEE} {International} {Conference} on {Trust}, {Security} and {Privacy} in {Computing} and {Communications} ({TrustCom})},
author = {Wang, Juan and Ma, Chenjun and Li, Ziang and Yuan, Huanyu and Wang, Jie},
month = dec,
year = {2022},
note = {ISSN: 2324-9013},
keywords = {Malware, API call chain, deep learning, Deep learning, Heuristic algorithms, Measurement, Privacy, process injection, Runtime, Writing},
pages = {778--785},
annote = {In this paper, the ressource monitored to detect hidden processes is specific API calls that are related to code injection. This method seems more specific to a certain type of masquerading.
},
file = {Full Text PDF:/home/grizzly/Zotero/storage/9KU2EXSB/Wang et al. - 2022 - ProcGuard Process Injection Behaviours Detection Using Fine-grained Analysis of API Call Chain with.pdf:application/pdf;IEEE Xplore Abstract Record:/home/grizzly/Zotero/storage/WCSP8PKH/10063560.html:text/html},
}
@inproceedings{vaas_detecting_2017,
title = {Detecting disguised processes using application-behavior profiling},
url = {https://ieeexplore.ieee.org/document/7943508},
doi = {10.1109/THS.2017.7943508},
abstract = {In order to avoid detection, malware can disguise itself as a legitimate program or hijack system processes to reach its goals. Commonly used signature-based Intrusion Detection Systems (IDS) struggle to distinguish between these processes and are thus only of limited use to detect such attacks. They also have the shortcoming that they need to be updated frequently to possess the latest malware definitions. This makes them inherently prone to missing novel attack techniques. Misuse detection IDSs however overcome this problem by maintaining a ground truth of normal application behavior while reporting deviations as anomalies. In our approach, we try to accomplish this by observing a process' memory consumption. This is for two reasons: We expect the readings to be less volatile in comparison to for instance network operations. Second, by breaking the problem down, we are able to investigate thoroughly while still laying the foundations for future expansion. We use the observations from a given host to train a machine learning algorithm. After an initial learning phase, we evaluate the model with readings from the application it has been trained on and other applications in order to assess its quality. Our results indicate that the efficacy of this method is highly dependent on parametrizing the machine learning algorithm appropriately. A large variance in accuracy with only slightly altered inputs confirms this suggestion. We finish with a discussion on deploying such an IDS at scale in a realistic scenario.},
urldate = {2024-11-01},
booktitle = {2017 {IEEE} {International} {Symposium} on {Technologies} for {Homeland} {Security} ({HST})},
author = {Vaas, Christian and Happa, Jassim},
month = apr,
year = {2017},
keywords = {Malware, Training, Memory management, Intrusion detection, Data models, Time series analysis},
pages = {1--6},
annote = {This paper uses a similar idea as I do. They collect digital footprint (instead of physical ones for me) to assess the legitimacy of a process. They use memory usage as their second source of truth.
They evaluate their method on 1 day of machine data and the legitimacy of a few processes: explorer, texmaker, mintty and ssh.
Differences: Their method is host-based. So it is not immune to attackers. It simply takes the attacker one more step to bypass or feed erroneous data to the IDS.
},
file = {IEEE Xplore Abstract Record:/home/grizzly/Zotero/storage/RJHM6UXV/7943508.html:text/html;PDF:/home/grizzly/Zotero/storage/4J5RMGK9/Vaas and Happa - 2017 - Detecting disguised processes using application-behavior profiling.pdf:application/pdf},
}
@inproceedings{yu-tao_hpdbf_2016,
title = {{HPDBF}: {A} forensics method for hidden process based on memory analysis},
shorttitle = {{HPDBF}},
url = {https://ieeexplore.ieee.org/document/8070249/?arnumber=8070249},
doi = {10.1109/ICCSNT.2016.8070249},
abstract = {Malicious processes usually cooperate with concealing technology to hide themselves. The detection against hidden processes can effectively narrow the range of malicious processes. Behavior analysis is then implemented on the filtered process to finally locate the malicious one. In this paper, a method of hidden process detection and behavior forensics based on memory analysis is proposed. It uses virtual machine monitor to extract and analyze memory data, detecting hidden processes; then analyzes the executable code of the target process to determine whether there is malicious behavior during the operation of the process. Experimental results demonstrated the effectiveness and the acceptable performance overhead of the proposed method.},
urldate = {2024-11-06},
booktitle = {2016 5th {International} {Conference} on {Computer} {Science} and {Network} {Technology} ({ICCSNT})},
author = {Yu-Tao, Zhao and Qing-Bao, Li and Guang-Yu, Zeng and San-Jun, Cheng},
month = dec,
year = {2016},
keywords = {hidden process, Kernel, behavior forensics, Forensics, Linux, memory analysis, Schedules, semantic reconstruction, Semantics, Virtual machine monitors},
pages = {705--710},
annote = {Same idea as Vaas and Happa, use memory analysis to detect hidden processes.
},
file = {Full Text PDF:/home/grizzly/Zotero/storage/FU379NT5/Yu-Tao et al. - 2016 - HPDBF A forensics method for hidden process based on memory analysis.pdf:application/pdf;IEEE Xplore Abstract Record:/home/grizzly/Zotero/storage/LNAZ34XB/8070249.html:text/html},
}
@misc{noauthor_unveiling_nodate,
title = {Unveiling {WolfsBane}: {Gelsemium}s {Linux} counterpart to {Gelsevirine}},
shorttitle = {Unveiling {WolfsBane}},
url = {https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/},
abstract = {ESET researchers analyzed previously unknown Linux backdoors that are connected to known Windows malware used by the China-aligned Gelsemium group, as well as to Project Wood.},
language = {en},
urldate = {2024-11-22},
file = {Snapshot:/home/grizzly/Zotero/storage/6WSUP3XC/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine.html:text/html},
}
@misc{noauthor_unix-thrustbeurk_2024,
title = {unix-thrust/beurk},
copyright = {GPL-3.0},
url = {https://github.com/unix-thrust/beurk},
abstract = {BEURK Experimental Unix RootKit},
urldate = {2024-11-22},
publisher = {unix-thrust},
month = nov,
year = {2024},
note = {original-date: 2015-04-14T15:30:44Z},
}