Formalization and Detection of Host-Based Code Injection Attacks in the Context of Malware
Formalization and Detection of Host-Based Code Injection Attacks in the Context of Malware
dc.contributor.advisor | Martini, Peter | |
dc.contributor.author | Barabosch, Thomas Felix | |
dc.date.accessioned | 2020-04-25T12:51:02Z | |
dc.date.available | 2020-04-25T12:51:02Z | |
dc.date.issued | 31.10.2018 | |
dc.identifier.uri | https://hdl.handle.net/20.500.11811/7660 | |
dc.description.abstract | The Host-Based Code Injection Attack (HBCIAs) is a technique that malicious software utilizes in order to avoid detection or steal sensitive information. In a nutshell, this is a local attack where code is injected across process boundaries and executed in the context of a victim process. Malware employs HBCIAs on several operating systems including Windows, Linux, and macOS. This thesis investigates the topic of HBCIAs in the context of malware. First, we conduct basic research on this topic. We formalize HBCIAs in the context of malware and show in several measurements, amongst others, the high prevelance of HBCIA-utilizing malware. Second, we present Bee Master, a platform-independent approach to dynamically detect HBCIAs. This approach applies the honeypot paradigm to operating system processes. Bee Master deploys fake processes as honeypots, which are attacked by malicious software. We show that Bee Master reliably detects HBCIAs on Windows and Linux. Third, we present Quincy, a machine learning-based system to detect HBCIAs in post-mortem memory dumps. It utilizes up to 38 features including memory region sparseness, memory region protection, and the occurence of HBCIA-related strings. We evaluate Quincy with two contemporary detection systems called Malfind and Hollowfind. This evaluation shows that Quincy outperforms them both. It is able to increase the detection performance by more than eight percent. | |
dc.language.iso | eng | |
dc.rights | In Copyright | |
dc.rights.uri | http://rightsstatements.org/vocab/InC/1.0/ | |
dc.subject | Computer Security | |
dc.subject | Malware | |
dc.subject | Computer Forensics | |
dc.subject | Intrusion Detection | |
dc.subject | Code Injections | |
dc.subject.ddc | 004 Informatik | |
dc.title | Formalization and Detection of Host-Based Code Injection Attacks in the Context of Malware | |
dc.type | Dissertation oder Habilitation | |
dc.publisher.name | Universitäts- und Landesbibliothek Bonn | |
dc.publisher.location | Bonn | |
dc.rights.accessRights | openAccess | |
dc.identifier.urn | https://nbn-resolving.org/urn:nbn:de:hbz:5n-52402 | |
ulbbn.pubtype | Erstveröffentlichung | |
ulbbnediss.affiliation.name | Rheinische Friedrich-Wilhelms-Universität Bonn | |
ulbbnediss.affiliation.location | Bonn | |
ulbbnediss.thesis.level | Dissertation | |
ulbbnediss.dissID | 5240 | |
ulbbnediss.date.accepted | 04.09.2018 | |
ulbbnediss.institute | Mathematisch-Naturwissenschaftliche Fakultät : Fachgruppe Informatik / Institut für Informatik | |
ulbbnediss.fakultaet | Mathematisch-Naturwissenschaftliche Fakultät | |
dc.contributor.coReferee | Mees, Wim |
Files in this item
This item appears in the following Collection(s)
-
E-Dissertationen (4069)