%0 Conference Proceedings
%T Anti-forensic = Suspicious: Detection of Stealthy Malware that Hides Its Network Traffic
%+ Telekom Innovation Laboratories
%+ School of Computer Science and Engineering (SCSE)
%A Agarwal, Mayank
%A Puzis, Rami
%A Haj-Yahya, Jawad
%A Zilberman, Polina
%A Elovici, Yuval
%Z Part 3: Secuirty Management / Forensic
%< avec comité de lecture
%( IFIP Advances in Information and Communication Technology
%B 33th IFIP International Conference on ICT Systems Security and Privacy Protection (SEC)
%C Poznan, Poland
%Y Lech Jan Janczewski
%Y Mirosław Kutyłowski
%I Springer International Publishing
%3 ICT Systems Security and Privacy Protection
%V AICT-529
%P 216-230
%8 2018-09-18
%D 2018
%R 10.1007/978-3-319-99828-2_16
%K Stealthy
%K Malware
%K Security
%K [0000−0002−6374−6737]
%K Rami Puzis 1[0000−0002−7229−3899]
%K Jawad Haj-Yahya 2[0000−0003−2911−0329]
%K Polina Zilberman 1[0000−0003−3593−7330]
%K and Keywords: Stealthy
%K Command & Control
%K Trusted Network Monitor
%Z Computer Science [cs]Conference papers
%X Stealthy malware hides its presence from the users of a system by hooking the relevant libraries, drivers, system calls or manipulating the services commonly used to monitor system behaviour. Tampering the network sensors of host-based intrusion detection systems (HIDS) may impair their ability to detect malware and significantly hinders subsequent forensic investigations. Nevertheless, the mere attempt to hide the traffic indicates malicious intentions. In this paper we show how comparison of the data collected by multiple sensors at different levels of resilience may reveal these intentions. At the lowest level of resilience, information from untrusted sensors such as netstat and process lists are used. At the highest resilience level, we analyse mirrored traffic using a secured hardware device. This technique can be considered as fully trusted. The detection of a discrepancy between what is reported by these common tools and what is observed on a trusted system operating at a different level is a good way to force a dilemma on malware writers: either apply hiding techniques, with the risk that the discrepancy is detected, or keep the status of network connections untouched, with a greater ability for the administrator to recognize the presence and to understand the behaviour of malware. The proposed method was implemented on an evaluation testbed and is able to detect stealthy malware that hides its communication from the HIDS. The false positive rate is 0.01% of the total traffic analysed, and barring a few exceptions that can easily be white-listed, there are no legitimate processes which raise false alerts.
%G English
%Z TC 11
%2 https://inria.hal.science/hal-02023723/document
%2 https://inria.hal.science/hal-02023723/file/472722_1_En_16_Chapter.pdf
%L hal-02023723
%U https://inria.hal.science/hal-02023723
%~ IFIP
%~ IFIP-AICT
%~ IFIP-TC
%~ IFIP-TC11
%~ IFIP-SEC
%~ IFIP-AICT-529