diff --git a/procver/ACNS/acronyms.tex b/procver/ACNS/acronyms.tex new file mode 100644 index 0000000..a108c2b --- /dev/null +++ b/procver/ACNS/acronyms.tex @@ -0,0 +1,14 @@ +\DeclareAcronym{ids}{ + short={IDS}, + long={Intrusion Detection System} +} + +\DeclareAcronym{hids}{ + short={HIDS}, + long={Host-Based Intrusion Detection System} +} + +\DeclareAcronym{os}{ + short={OS}, + long={Operating System} +} diff --git a/procver/ACNS/main.tex b/procver/ACNS/main.tex index be875cf..4c71666 100644 --- a/procver/ACNS/main.tex +++ b/procver/ACNS/main.tex @@ -9,6 +9,9 @@ \usepackage{xcolor} \usepackage{amsfonts} \usepackage{amssymb} +\usepackage{acro} +\input{acronyms} + % Used for displaying a sample figure. If possible, figure files should % be included in EPS format. @@ -85,7 +88,7 @@ Another compleing capability is the ... \agd{find another evasion technic} This study focuses on another specific evasion domain, process hiding. The list of running processes is an obvious compeling ressource to start detectin malware. To detect running malware, one could simply gather the list of all running software and search for known malware. -With the list of processes frequently collected, an HIDS \agd{replace acronym} can detect known malware, mine rules, define an activity profile, or detect anomalous situations \agd{}. +With the list of processes frequently collected, an \ac{hids} \agd{replace acronym} can detect known malware, mine rules, define an activity profile, or detect anomalous situations. Staying off the process list is good first step for any malware aiming for stealth. We can categorize the technics achieving this type of evasion between hiding and masquerading. 
@@ -94,13 +97,18 @@ For process masquerading, the aim is not so much to avoid the listing but to avo A process masquerading an another will assume its process name and characteristics, with the goal of appearing legitimate on the machine. Process hiding and masquerading differ in their ultimate goal but leverage a lot of the same technics. The core idea of process list manipulation is tampering with the process listing mechanism provided by the OS to the monitoring software. -Independently of the OS, attackers often rely on intercepting system's call to remove or replace information or directly manipulating kernel objects. +Independently of the \ac{os}, attackers often rely on intercepting system's call to remove or replace information or directly manipulating kernel objects. For the purpose of this study, we do not differentiate between Unix-based OSs and Windows systems as process hiding is a common practice for malware in both environments. +% there are detection methods but they are all host-based and dommed to be bypassed +Of course, many methods have been proposed and implemented to detect or counter process list tampering. +These methods --- although they leverage different mechanisms --- are all host-based. +This create a circular dependency where the \ac{ids} rely on the host system to provide the very information leveraged to assess its integrity. +As rootkis providing process hiding remained a threat since their introduction, it is safe to assume that current countermesures --- and future ones based on similar technics --- do not provide adequate protection. +% is it a bird? is it a plane? No its the good old power consumption! - - +% Thank you king of sweden. No it was nothing you are welcome. Ok get home safe now. Byeeee.
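Review bot: In the main.tex preamble hunk, `\usepackage{acro}` and `\input{acronyms}` are ordered correctly (the `\DeclareAcronym` calls need acro loaded first), but nothing in this patch adds `\printacronyms`, so no acronym list will be typeset; if a list is intended, add `\printacronyms` at the appropriate place in the body, and if not, it would help to say so in the commit message. Also note that `\input{acronyms}` resolves relative to the compile directory, so building from outside `procver/ACNS` will fail to find the file.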
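Review bot: In the hunk at `@@ -85,7 +88,7 @@`, the article in `an \ac{hids}` becomes wrong on first use, because acro expands the first occurrence to the long form "Host-Based Intrusion Detection System (HIDS)", giving "an Host-Based ..."; change it to `a \ac{hids}`. The `\agd{replace acronym}` marker on the same line is now stale since the replacement is exactly what this hunk does, so it should be removed along with the empty `\agd{}` that was dropped.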
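Review bot: In the hunk at `@@ -94,13 +97,18 @@`, the new `\ac{os}` will produce its first-use expansion "Operating System (OS)" two lines after the unchanged context has already printed "the OS" and "Unix-based OSs" in plain text; for consistency, use `\ac{os}` on the earlier occurrence and `\acp{os}` for the plural. The added paragraph also carries several typos that should be fixed before merging: "system's call" (system calls), "This create" (creates), "the \ac{ids} rely" (relies), "rootkis" (rootkits), "countermesures" (countermeasures), and "dommed" in the comment. The trailing `% Thank you king of sweden. ...` comment is a leftover joke and should not be committed.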