Enhancing Linux System Security: A Kernel-Based Approach to Fileless Malware Detection and Mitigation

Author:

Wu Min-Hao (1), Hsu Fu-Hau (2), Huang Jian-Hung (2), Wang Keyuan (2), Hwang Yan-Ling (3), Wang Hao-Jyun (2), Chen Jian-Xin (2), Hsiao Teng-Chuan (2), Yang Hao-Tsung (2)

Affiliation:

1. College of Artificial Intelligence, Xiamen City University, Xiamen 361000, China

2. Department of Computer Science and Information Engineering, National Central University, Taoyuan 32001, Taiwan

3. Department of Applied Foreign Languages, Chung Shan Medical University, Taichung 40201, Taiwan

Abstract

In the late 20th century, computer viruses emerged as a powerful class of malware that persists on the target host. For a virus to run, it must be loaded into memory from persistent storage, such as a file on a hard drive. Because of their destructive potential, numerous defenses have been developed to protect computer systems; among these, antivirus software is the most recognized and widely used. Antivirus solutions typically rely on static, signature-based analysis to detect infections in files stored on persistent storage devices such as hard drives or USB (Universal Serial Bus) flash drives. However, a newer class of malware, fileless malware, is designed to evade this kind of detection and to persist. Fileless malware resides solely in the memory of the target host, so it bypasses traditional antivirus software, which scans files rather than code that is executed directly from memory. This study proposes Check-on-Execution (CoE), a kernel-based approach to detecting fileless malware on Linux systems. CoE suspends a process before it executes code from a memory area that is both writable and executable. To prevent the fileless malware from running, CoE extracts the code from memory, packages it with an ELF (Executable and Linkable Format) header to produce an ELF file, and submits that file to VirusTotal for analysis. Experimental results show that CoE significantly improves a Linux system's ability to defend against fileless malware. CoE also protects against shellcode injection attacks, including those that follow buffer and memory overflows, and can handle packed malware. Note, however, that this study focuses exclusively on fileless malware; further research is needed to address other types of malware.
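The following is an added, user-space illustration of two of the steps the abstract describes; it is not the paper's kernel code. The paper's CoE hooks execution inside the kernel, whereas this sketch assumes the check is made from a /proc/<pid>/maps line (an assumption, since the paper does not say how CoE identifies the mapping) and shows how a blob of machine code pulled from such a writable-and-executable region can be wrapped in a minimal ELF64 header so that an external scanner such as VirusTotal can treat it as an ordinary executable. The function names, the sample maps lines and the 9-byte sample code (an x86-64 exit(0) stub) are constructed for the example. The VirusTotal submission step is omitted.

```c
// Added illustration (not the paper's kernel code): user-space sketch of two
// steps the abstract describes -- recognising a writable+executable mapping
// from a /proc/<pid>/maps line (assumed source of that information), and
// wrapping a code blob in a minimal ELF64 header for an external scanner.
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if a /proc/<pid>/maps line describes a mapping that is both
 * writable and executable (the case CoE intercepts), else 0.
 * Line format: "start-end perms offset dev inode [path]". */
int is_wx_mapping(const char *maps_line)
{
    const char *sp = strchr(maps_line, ' ');
    if (sp == NULL || strlen(sp + 1) < 4)
        return 0;
    const char *perms = sp + 1;          /* e.g. "rwxp" */
    return perms[1] == 'w' && perms[2] == 'x';
}

/* Wrap raw machine code in a minimal ELF64 x86-64 executable: one ELF
 * header, one PT_LOAD program header, then the code. The entry point is the
 * first byte of the code. load_vaddr is the page-aligned address the code was
 * mapped at (assumed to be read from the maps line). Returns a malloc'd
 * buffer and sets *out_len, or NULL on allocation failure. */
uint8_t *wrap_code_as_elf(const uint8_t *code, size_t code_len,
                          uint64_t load_vaddr, size_t *out_len)
{
    const size_t hdr_len = sizeof(Elf64_Ehdr) + sizeof(Elf64_Phdr);
    uint8_t *buf = calloc(1, hdr_len + code_len);
    if (buf == NULL)
        return NULL;

    Elf64_Ehdr *eh = (Elf64_Ehdr *)buf;
    memcpy(eh->e_ident, ELFMAG, SELFMAG);    /* 0x7f 'E' 'L' 'F' */
    eh->e_ident[EI_CLASS]   = ELFCLASS64;
    eh->e_ident[EI_DATA]    = ELFDATA2LSB;
    eh->e_ident[EI_VERSION] = EV_CURRENT;
    eh->e_ident[EI_OSABI]   = ELFOSABI_SYSV;
    eh->e_type      = ET_EXEC;
    eh->e_machine   = EM_X86_64;
    eh->e_version   = EV_CURRENT;
    eh->e_entry     = load_vaddr + hdr_len;  /* code starts right after headers */
    eh->e_phoff     = sizeof(Elf64_Ehdr);
    eh->e_ehsize    = sizeof(Elf64_Ehdr);
    eh->e_phentsize = sizeof(Elf64_Phdr);
    eh->e_phnum     = 1;

    Elf64_Phdr *ph = (Elf64_Phdr *)(buf + sizeof(Elf64_Ehdr));
    ph->p_type   = PT_LOAD;
    ph->p_flags  = PF_R | PF_X;              /* the scanner's copy need not be writable */
    ph->p_offset = 0;
    ph->p_vaddr  = load_vaddr;
    ph->p_paddr  = load_vaddr;
    ph->p_filesz = hdr_len + code_len;       /* headers and code in one segment */
    ph->p_memsz  = hdr_len + code_len;
    ph->p_align  = 0x1000;

    memcpy(buf + hdr_len, code, code_len);
    *out_len = hdr_len + code_len;
    return buf;
}

int main(void)
{
    /* Constructed sample maps lines: one rwx region, one ordinary text segment. */
    const char *rwx = "7f3a1c000000-7f3a1c001000 rwxp 00000000 00:00 0";
    const char *rx  = "5555a0000000-5555a0001000 r-xp 00000000 08:01 123 /bin/true";
    printf("rwx line flagged: %d, r-x line flagged: %d\n",
           is_wx_mapping(rwx), is_wx_mapping(rx));

    /* Constructed sample code: x86-64 "mov eax,60; xor edi,edi; syscall" (exit(0)). */
    const uint8_t code[] = { 0xb8, 0x3c, 0x00, 0x00, 0x00, 0x31, 0xff, 0x0f, 0x05 };
    size_t len = 0;
    uint8_t *elf = wrap_code_as_elf(code, sizeof code, 0x400000, &len);
    if (elf == NULL)
        return 1;
    FILE *f = fopen("extracted.elf", "wb");  /* the file that would be submitted */
    if (f != NULL) {
        fwrite(elf, 1, len, f);
        fclose(f);
    }
    printf("wrote %zu-byte ELF, entry 0x%llx\n", len,
           (unsigned long long)((Elf64_Ehdr *)elf)->e_entry);
    free(elf);
    return 0;
}
```

The resulting file is a valid static executable (readelf -h shows ET_EXEC with one PT_LOAD segment), which is what a file-oriented scanner expects. A real implementation would also record the extracted region's original permissions and offset within the mapping, since the paper's approach intercepts execution from the writable region itself rather than from a page-aligned copy.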

Funder

Taiwan’s Ministry of Science and Technology

Publisher

MDPI AG

