JITScanner: Just-in-Time Executable Page Check in the Linux Operating System
arxiv(2024)
摘要
Modern malware poses a severe threat to cybersecurity, continually evolving
in sophistication. To combat this threat, researchers and security
professionals continuously explore advanced techniques for malware detection
and analysis. Dynamic analysis, a prevalent approach, offers advantages over
static analysis by enabling observation of runtime behavior and detecting
obfuscated or encrypted code used to evade detection. However, executing
programs within a controlled environment can be resource-intensive, often
necessitating compromises, such as limiting sandboxing to an initial period. In
our article, we propose an alternative method for dynamic executable analysis:
examining the presence of malicious signatures within executable virtual pages
precisely when their current content, including any updates over time, is
accessed for instruction fetching. Our solution, named JITScanner, is developed
as a Linux-oriented package built upon a Loadable Kernel Module (LKM). It
integrates a user-level component that communicates efficiently with the LKM
using scalable multi-processor/core technology. JITScanner's effectiveness in
detecting malware programs and its minimal intrusion in normal runtime
scenarios have been extensively tested, with the experiment results detailed in
this article. These experiments affirm the viability of our approach,
showcasing JITScanner's capability to effectively identify malware while
minimizing runtime overhead.
更多查看译文
AI 理解论文
溯源树
样例
生成溯源树,研究论文发展脉络
Chat Paper
正在生成论文摘要