\documentclass[runningheads]{llncs}
%
\usepackage[T1]{fontenc}
% T1 fonts will be used to generate the final print and online PDFs,
% so please use T1 fonts in your manuscript whenever possible.
% Other font encodings may result in incorrect characters.
%
\usepackage{graphicx}
\usepackage{xcolor}
\usepackage{amsfonts}
\usepackage{amssymb}
% Used for displaying a sample figure. If possible, figure files should
% be included in EPS format.

\newcommand\agd[1]{{\color{red}$\bigstar$}\footnote{agd: #1}}

% If you use the hyperref package, please uncomment the following two lines
% to display URLs in blue roman font according to Springer's eBook style:
%\usepackage{color}
%\renewcommand\UrlFont{\color{blue}\rmfamily}
%\urlstyle{rm}
%
\begin{document}
%
\title{PowPrint: Big Patounes all over the Power Trace}
%
%\titlerunning{Abbreviated paper title}
% If the paper title is too long for the running head, you can set
% an abbreviated paper title here
%
\author{Arthur Grisel-Davy\inst{1}\orcidID{0000-1111-2222-3333} \and
Sebastian Fischmeister\inst{1}\orcidID{1111-2222-3333-4444}}
%
\authorrunning{A. Grisel-Davy and S. Fischmeister}
% First names are abbreviated in the running head.
% If there are more than two authors, 'et al.' is used.
%
\institute{University of Waterloo, Waterloo, CA\\
\email{agriseld@uwaterloo.ca}}
%
\maketitle % typeset the header of the contribution
%
\begin{abstract}
The cat-and-mouse game has led attackers to use ever more complex evasion techniques to hide their malware.

\keywords{Intrusion Detection \and Side-Channel Analysis \and Power Trace.}
\end{abstract}

\section{Introduction}
%The modern landscape of malware families is diverse.
%Attackers write malware for a wide range of purposes, each with their own goals, target systems, attack vectors, and constraints.
%Some malware is purely destructive, designed to destroy data or equipment or to harm people.
%Others have ulterior motives such as disrupting target operations, extracting sensitive information, or demanding ransoms.
%
%Most malware is a complex piece of software that requires expertise and time to develop.
%Among them, one group sits above all in terms of complexity and capabilities: the Advanced Persistent Threats.
%APTs are meta-malware that may not be directly intended to cause harm to the target.
%Instead, they are a framework from which payloads can operate.
%APTs are diverse depending on the authors, the capabilities, and the intended audience.
%However, common capabilities of APTs are deployment, persistence, and stealth.
%
%In this study, we are interested in the stealth capabilities of malware.
%Malware authors often wish for their program to remain undetected on the infected machine.
%Hidden on the target, the malware can remain active and either continuously perform its intended actions or wait for commands.
%Effectively hiding a piece of software is a complex task on two main levels.
%First, from a filesystem or static-analysis point of view, the executable or code that constitutes the malware must be invisible or appear inoffensive.
%Then, when running, the malware must also either hide its activity from the HIDS or masquerade as a valid process.
%
%In this study, we consider the second case, where a program performs actions while remaining invisible or inoffensive from the operating system's point of view.

Malware development has always been a field of computer science that rivals the most current academic research in complexity.
To remain effective, malware must keep up with, and even lead, the most advanced detection and prevention mechanisms.
This complexity has kept modern malware capable of infiltrating and disrupting systems while avoiding detection.

While stealth may not be the main focus of all malware --- some is designed for destructive power or speed of deployment and action ---, the ability to remain hidden on the infected system --- called evasion --- is a common feature of many modern malware families.
Thanks to the creativity of malware authors, many evasion techniques have been used over time.
While most were discovered and documented, it is safe to assume that there are, and will always be, evasion techniques that are one step ahead of and bypass the current detection methods.

Evasion techniques is an umbrella term that encompasses \agd{find appropriate word} multiple sub-categories, each for a different purpose.
One aspect of evasion is the ability to conceal the malicious nature of the files that constitute the malware.
For this purpose, malware may employ polymorphic or metamorphic methods to defeat signature analysis or use a fileless design to avoid analysis altogether.
Another compelling capability is the ... \agd{find another evasion technique}

This study focuses on another specific evasion domain: process hiding.
The list of running processes is an obvious and compelling resource to start detecting malware.
To detect running malware, one could simply gather the list of all running software and search for known malware.
With the list of processes collected frequently, an HIDS \agd{replace acronym} can detect known malware, mine rules, define an activity profile, or detect anomalous situations \agd{}.

Staying off the process list is a good first step for any malware aiming for stealth.
We can categorize the techniques achieving this type of evasion into hiding and masquerading.
For process hiding, the goal is to execute a program and leave no trace of it in the process list.
For process masquerading, the aim is not so much to avoid the listing as to avoid the malware being listed under its real identity.
A process masquerading as another assumes its process name and characteristics, with the goal of appearing legitimate on the machine.
Process hiding and masquerading differ in their ultimate goal but leverage many of the same techniques.
The core idea of process list manipulation is tampering with the process listing mechanism the OS provides to the monitoring software.
Independently of the OS, attackers often rely on intercepting system calls to remove or replace information, or on directly manipulating kernel objects.
For the purpose of this study, we do not differentiate between Unix-based OSs and Windows systems, as process hiding is a common practice for malware in both environments.

\subsection{Contribution}
This paper proposes a novel approach for detecting tampering with the process listing.


\section{Related Work}

\section{Problem Statement}

\subsection{Attacker Model}

\section{Proposed Approach}

\section{Case Studies}

\section{Discussion}

\section{Conclusion}

\bibliography{biblio} % Import the bibliography
\bibliographystyle{plain} % set the reference style

\end{document}