An APT Trojan Detection Method Based on Memory Forensics Techniques


Abstract:

Advanced Persistent Threat (APT) is currently reported to be one of the most serious threats, so it is important to detect an APT Trojan as early as possible. Three types of approach are used for APT detection: network traffic analysis, change control and sandboxing. Unfortunately, all of them have limitations in detecting unknown APT Trojans. This paper proposes a novel APT Trojan detection method built on memory forensics techniques. The method first acquires a raw physical memory image from the target running system and then searches that image for the APT's traces, guided by the APT's characteristics and memory forensics techniques. If enough traces are found, the target system is judged to contain a Trojan. Experimental results show that the proposed method can effectively detect new APT Trojans.
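As an added illustration of the "acquire the image, then search it for traces and decide by a threshold" idea, the Python below scans a constructed, synthetic physical-memory image rather than a real dump. It is not the paper's code, and the abstract does not say which traces the authors look for; the two trace types here (a page-aligned PE image that no known loaded module accounts for, and beacon-style strings), the 4 KiB page size, the trace weights, the threshold, and the sample URL and mutex name are all assumptions made for the example.

```python
"""Added example: trace scanning over a raw physical-memory image.

Physical memory is scanned page by page without a page-table walk, so every
check is kept inside one 4 KiB page. Two trace types are scored:
  1. a page-aligned PE image (MZ header whose e_lfanew points at 'PE\\0\\0')
     at a physical address that no known loaded module accounts for
  2. strings that look like C2 beacons or malware mutex names
A Trojan is reported only when the weighted trace score reaches a threshold.
All constants and the sample image below are constructed for this example.
"""
import re
import struct

PAGE = 0x1000                      # assumed page size
PE_WEIGHT, THRESHOLD = 3, 4        # assumed scoring parameters

# assumed string indicators: (regex over raw bytes, label, weight)
STRING_PATTERNS = [
    (re.compile(rb"https?://[\x21-\x7e]{4,}"), "beacon-url", 2),
    (re.compile(rb"Global\\[A-Za-z0-9_]{6,}"), "mutex-name", 1),
]


def minimal_pe_image(size=PAGE):
    """Construct one page holding a minimal PE header (MZ -> e_lfanew -> PE)."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)          # e_lfanew
    buf[0x80:0x84] = b"PE\x00\x00"
    struct.pack_into("<HH", buf, 0x84, 0x8664, 2)    # Machine=AMD64, 2 sections
    return bytes(buf)


def constructed_image():
    """A fake 16-page 'physical memory image' (constructed, not a real dump)."""
    pages = [bytes(PAGE) for _ in range(16)]
    pages[2] = minimal_pe_image()          # legitimate module at PA 0x2000
    pages[7] = minimal_pe_image()          # unaccounted PE at PA 0x7000 -> trace
    payload = (b"http://203.0.113.45/update.php\x00"     # constructed beacon URL
               b"Global\\svchost_update_7f3a\x00")        # constructed mutex name
    pages[9] = payload + bytes(PAGE - len(payload))
    junk = bytearray(PAGE)                 # 'MZ' with no PE signature: must not count
    junk[0:2] = b"MZ"
    struct.pack_into("<I", junk, 0x3C, 0x200)
    pages[12] = bytes(junk)
    return b"".join(pages)


def scan_pe_headers(image):
    """Return physical offsets of page-aligned, self-consistent PE headers."""
    hits = []
    for off in range(0, len(image) - PAGE + 1, PAGE):
        if image[off:off + 2] != b"MZ":
            continue
        e_lfanew = struct.unpack_from("<I", image, off + 0x3C)[0]
        if e_lfanew < 0x40 or e_lfanew + 4 > PAGE:   # stay inside this page
            continue
        if image[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00":
            hits.append(off)
    return hits


def scan_strings(image):
    """Return (offset, label, text, weight) for every indicator string found."""
    found = []
    for rx, label, weight in STRING_PATTERNS:
        for m in rx.finditer(image):
            found.append((m.start(), label, m.group(0).decode("ascii", "replace"), weight))
    return found


def collect_traces(image, known_module_pages):
    """Cross-view check: PE images not explained by the known module list, plus strings."""
    traces = []
    for off in scan_pe_headers(image):
        if off not in known_module_pages:
            traces.append((off, "unaccounted-pe-image", "MZ/PE header at unlisted PA", PE_WEIGHT))
    traces.extend(scan_strings(image))
    return traces


def judge(traces, threshold=THRESHOLD):
    """Decide 'Trojan present' when the summed trace weight reaches the threshold."""
    score = sum(t[3] for t in traces)
    return score >= threshold, score


if __name__ == "__main__":
    img = constructed_image()
    traces = collect_traces(img, known_module_pages={0x2000})
    for off, label, text, weight in traces:
        print(f"PA 0x{off:06x}  {label:<22} w={weight}  {text}")
    print("trojan detected:", judge(traces))
```

The known-module set stands in for a second, structured view of the same image (a walk of the loaded-module lists); a PE header that the structured view cannot explain is the classic hidden- or injected-code discrepancy. The page that carries `MZ` without a valid `PE` signature is included deliberately so the scanner's false-positive control is exercised.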

Pages: 927-934

Online since: December 2014

Copyright: © 2015 Trans Tech Publications Ltd. All Rights Reserved
