Anti-forensic = Suspicious: Detection of Stealthy Malware that Hides Its Network Traffic - ICT Systems Security and Privacy Protection Access content directly
Conference Papers Year : 2018

Anti-forensic = Suspicious: Detection of Stealthy Malware that Hides Its Network Traffic

Mayank Agarwal
  • Function : Author
  • PersonId : 1042891
Rami Puzis
  • Function : Author
  • PersonId : 1042892
Jawad Haj-Yahya
  • Function : Author
  • PersonId : 1042893
Polina Zilberman
  • Function : Author
  • PersonId : 1042894
Yuval Elovici
  • Function : Author
  • PersonId : 1042895


Stealthy malware hides its presence from the users of a system by hooking the relevant libraries, drivers, system calls or manipulating the services commonly used to monitor system behaviour. Tampering the network sensors of host-based intrusion detection systems (HIDS) may impair their ability to detect malware and significantly hinders subsequent forensic investigations. Nevertheless, the mere attempt to hide the traffic indicates malicious intentions. In this paper we show how comparison of the data collected by multiple sensors at different levels of resilience may reveal these intentions. At the lowest level of resilience, information from untrusted sensors such as netstat and process lists are used. At the highest resilience level, we analyse mirrored traffic using a secured hardware device. This technique can be considered as fully trusted. The detection of a discrepancy between what is reported by these common tools and what is observed on a trusted system operating at a different level is a good way to force a dilemma on malware writers: either apply hiding techniques, with the risk that the discrepancy is detected, or keep the status of network connections untouched, with a greater ability for the administrator to recognize the presence and to understand the behaviour of malware. The proposed method was implemented on an evaluation testbed and is able to detect stealthy malware that hides its communication from the HIDS. The false positive rate is 0.01% of the total traffic analysed, and barring a few exceptions that can easily be white-listed, there are no legitimate processes which raise false alerts.
Fichier principal
Vignette du fichier
472722_1_En_16_Chapter.pdf (341.87 Ko) Télécharger le fichier
Origin : Files produced by the author(s)

Dates and versions

hal-02023723 , version 1 (21-02-2019)





Mayank Agarwal, Rami Puzis, Jawad Haj-Yahya, Polina Zilberman, Yuval Elovici. Anti-forensic = Suspicious: Detection of Stealthy Malware that Hides Its Network Traffic. 33th IFIP International Conference on ICT Systems Security and Privacy Protection (SEC), Sep 2018, Poznan, Poland. pp.216-230, ⟨10.1007/978-3-319-99828-2_16⟩. ⟨hal-02023723⟩
54 View
120 Download



Gmail Facebook X LinkedIn More