In an open environment such as the Internet, an end-user host is easily compromised and infected with malicious code (malware) because of software vulnerabilities or user carelessness. The infection procedure may include a bootstrap that plants and loads the malware. Some researchers focus on detecting this bootstrap, which resides on the stack or heap; others concentrate on detecting the malware at the planting stage using predefined patterns or signatures. The former approach depends on the structure and semantics of the bootstrap and may be intractable because code and data can be mixed in the input of a normal program. Moreover, the latter approach is limited in its ability to handle unknown malware.
We analyze the attack steps of malware and focus on malware loading. Our assumption is that a malware consists of at least one module, so monitoring module loading is indispensable for defeating malware. We design security policies and apply them when a module is loaded by the operating system. These policies depend on the properties of the module, its connection to created modules, and its link to user intention. The module properties and this connection improve the accuracy of malware detection; user intention helps handle unknown modules and enhances the flexibility of the policy. Finally, ModuleGuard, a gatekeeper for dynamic module loading against malware, has been designed and implemented, integrating these security policies. Our experimental results show the feasibility and effectiveness of our method.
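To make the three policy layers concrete, here is an added toy decision engine in the style described above (module properties, the link to the module that created the file, and user intention). It is illustrative code written for this page, not ModuleGuard's implementation; the trusted directories, the "user intended" set and the concrete rules are assumptions.

```python
# Added example: a ModuleGuard-style load-time policy check (not the paper's code).
# Assumed rules: a signed module in a trusted directory is allowed; a file written by
# a module that was not itself allowed is denied; everything else is decided by
# user intention, falling back to asking the user.
from dataclasses import dataclass
from typing import Optional

ALLOW, DENY, ASK_USER = "allow", "deny", "ask_user"


@dataclass(frozen=True)
class Module:
    path: str
    signed: bool                      # property: carries a valid code signature
    created_by: Optional[str] = None  # path of the module whose code wrote this file


class LoadGuard:
    """Evaluates a module load request against the three policy layers."""

    def __init__(self, trusted_dirs, user_intended):
        self.trusted_dirs = tuple(trusted_dirs)
        self.user_intended = set(user_intended)  # modules the user explicitly chose to run
        self.verdicts = {}                        # path -> verdict, feeds the provenance rule

    def _trusted_location(self, path):
        return any(path.startswith(d) for d in self.trusted_dirs)

    def decide(self, m: Module) -> str:
        # Layer 1: module properties (signature and location)
        if m.signed and self._trusted_location(m.path):
            verdict = ALLOW
        # Layer 2: link to the module that created this file; an unknown or
        # unvetted creator is treated as untrusted
        elif m.created_by is not None and self.verdicts.get(m.created_by) != ALLOW:
            verdict = DENY
        # Layer 3: user intention decides otherwise unknown modules
        elif m.path in self.user_intended:
            verdict = ALLOW
        else:
            verdict = ASK_USER
        self.verdicts[m.path] = verdict
        return verdict


def demo():
    # Constructed sample load sequence; paths are made up for the illustration.
    guard = LoadGuard(trusted_dirs=["/usr/lib/"], user_intended={"/home/u/tool.so"})
    return [guard.decide(m) for m in (
        Module("/usr/lib/libc.so", signed=True),                   # trusted system library
        Module("/home/u/tool.so", signed=False),                   # unknown, but user launched it
        Module("/tmp/dl.so", signed=False),                        # unknown, no intention: ask
        Module("/tmp/payload.so", signed=False, created_by="/tmp/dl.so"),  # dropped by unvetted module
    )]
```

`demo()` returns `["allow", "allow", "ask_user", "deny"]`, showing that the provenance rule blocks a file dropped by a module the user never approved.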
Keywords: software security; module; user intention; security policies; malware