Membrane: A Posteriori Detection of Malicious Code Loading by Memory Paging Analysis

  • Gábor Pék
  • Zsombor Lázár
  • Zoltán Várnagy
  • Márk Félegyházi
  • Levente Buttyán
Conference paper

DOI: 10.1007/978-3-319-45744-4_10

Part of the Lecture Notes in Computer Science book series (LNCS, volume 9878)
Cite this paper as:
Pék G., Lázár Z., Várnagy Z., Félegyházi M., Buttyán L. (2016) Membrane: A Posteriori Detection of Malicious Code Loading by Memory Paging Analysis. In: Askoxylakis I., Ioannidis S., Katsikas S., Meadows C. (eds) Computer Security – ESORICS 2016. ESORICS 2016. Lecture Notes in Computer Science, vol 9878. Springer, Cham

Abstract

In this paper, we design and implement Membrane, a memory forensics tool to detect code loading behavior by stealthy malware. Instead of trying to detect the code loading itself, we focus on the changes it causes on the memory paging of the Windows operating system. As our method focuses on the anomalies caused by code loading, we are able to detect a wide range of code loading techniques. Our results indicate that we can detect code loading malware behavior with 86–98 % success in most cases, including advanced targeted attacks. Our method is generic enough and hence could significantly raise the bar for attackers to remain stealthy and persist for an extended period of time.

Keywords

Code loading, Memory paging, Windows, Memory forensics

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Gábor Pék (1)
  • Zsombor Lázár (1)
  • Zoltán Várnagy (1)
  • Márk Félegyházi (1)
  • Levente Buttyán (1)

  1. CrySyS Lab, Budapest University of Technology and Economics, Budapest, Hungary
