Detection of Malicious Tools by Monitoring DLL Using Deep Learning


Abstract

In targeted attacks, attackers leverage a variety of malicious tools. According to the Cybersecurity and Infrastructure Security Agency (CISA), tools such as China Chopper, Mimikatz, PowerShell Empire, and HUC Packet Transmitter are used in targeted attacks. Standard malware detection methods include those based on file names or hashes. However, attackers tend to evade detection by renaming malicious tools or by rebuilding them, so detecting the malicious tools used in targeted attacks is difficult. We found that the order in which each malicious tool loads Windows built-in DLLs has unique characteristics. In this study, we propose a method for detecting malicious tools by analyzing DLL information with deep learning, taking into account both which DLLs each process loads and the order in which it loads them. We confirmed that even when file names are changed or the tools are rebuilt, the proposed method detects the four tools mentioned above with high detection rates: on average, a recall of 97.45%, a precision of 97.29%, and an F-value of 97.37%. Furthermore, the proposed method can detect malicious tools with a detection rate above 90% even if about 10% of the loaded DLLs change in the future.

This is a preprint of an article intended for publication in the Journal of Information Processing (JIP). This preprint should not be cited. This article should be cited as: Journal of Information Processing Vol.28 (2020) (online), DOI http://dx.doi.org/10.2197/ipsjjip.28.1052


Published in

Details

  • CRID
    1050006297339200896
  • NII Article ID
    170000184165
  • NII Bibliographic ID
    AN00116647
  • ISSN
    18827764
  • Web Site
    http://id.nii.ac.jp/1001/00208756/
  • Text language code
    en
  • Material type
    journal article
  • Data source type
    • IRDB
    • CiNii Articles

