
    Formalization and Detection of Host-Based Code Injection Attacks in the Context of Malware

    Host-Based Code Injection Attacks (HBCIAs) are a technique that malicious software utilizes in order to avoid detection or steal sensitive information. In a nutshell, this is a local attack where code is injected across process boundaries and executed in the context of a victim process. Malware employs HBCIAs on several operating systems including Windows, Linux, and macOS. This thesis investigates the topic of HBCIAs in the context of malware. First, we conduct basic research on this topic. We formalize HBCIAs in the context of malware and show in several measurements, amongst others, the high prevalence of HBCIA-utilizing malware. Second, we present Bee Master, a platform-independent approach to dynamically detect HBCIAs. This approach applies the honeypot paradigm to operating system processes. Bee Master deploys fake processes as honeypots, which are attacked by malicious software. We show that Bee Master reliably detects HBCIAs on Windows and Linux. Third, we present Quincy, a machine learning-based system to detect HBCIAs in post-mortem memory dumps. It utilizes up to 38 features including memory region sparseness, memory region protection, and the occurrence of HBCIA-related strings. We evaluate Quincy against two contemporary detection systems called Malfind and Hollowfind. This evaluation shows that Quincy outperforms them both. It is able to increase the detection performance by more than eight percent.

    Digital Forensics and Cyber Crime: 10th International EAI Conference, ICDF2C 2018

    This book constitutes the refereed proceedings of the 10th International Conference on Digital Forensics and Cyber Crime, ICDF2C 2018, held in New Orleans, LA, USA, in September 2018. The 11 reviewed full papers and 1 short paper were selected from 33 submissions and are grouped in topical sections on carving and data hiding, Android, forensic readiness, hard drives and digital forensics, and artifact correlation.

    Contents:
    On Efficiency and Effectiveness of Linear Function Detection Approaches for Memory Carving
    fishy - A Framework for Implementing Filesystem-based Data Hiding Techniques
    If I Had a Million Cryptos: Cryptowallet Application Analysis and A Trojan Proof-of-Concept
    AndroParse - An Android Feature Extraction
    Digital Forensic Readiness Framework for Ransomware Investigation
    Forensics Analysis of an On-line Game over Steam Platform
    A Digital Forensic Investigation and Verification Model for Industrial Espionage
    Hard Drives and Digital Forensics
    Solid State Drive Forensics: Where Do We Stand?
    Associating Drives Based on Their Artifact and Metadata Distributions
    Digital Forensics Event Graph Reconstruction
    Multi-Item Passphrases: A Self-Adaptive Approach Against Offline Guessing Attacks
    Hybrid Intrusion Detection System for Worm Attacks Based on Their Network Behavior