Abstract: The use of Computer systems to keep track of day to day activities for single-user systems as well as the implementation of business logic in enterprises is the demand of the hour. As it plays a vital role in making available information on one click as well as impacts improvement in business and influences the profit or loss. There is always a possible threat from unauthorized users as well as untrusted or unknown applications. Trivially a host is intended to run with a list of known or trusted applications based on user’s preference. Any application beyond the trusted list can be called as untrusted or unknown application, which is not expected to run on that host. Untrusted applications becomes available to a host from sources like websites, emails, external storage devices etc. Such untrusted programs may be malicious or non-malicious in nature but the presence must be detected, as it is not a trusted program from user’s view point. All such programs may target the system either to steal valuable information or to decrease the system performance without the knowledge of the user of the system. Antimalware vendors provide support to defend the system from malicious programs. They do not include users trusted program list in to consideration. It is also true that new instances of attacks are found very frequently. Hence there is a need for a system which can be self-defending from anomalous activities on the system with reference to a trusted program list. In this paper design of an “Anomalous In-Memory Process detector based on the use of the DLL (Dynamic Link Library) sequence” is proposed, which does accountability of trusted programs intended to run on a particular host and create a knowledgebase of classes of processes with TF-IDF (Term Frequency-Inverse Document Frequency) multinomial logistic regression based learning approach. This knowledgebase becomes useful to map a suspected In-memory process to a class of processes using loaded DLL’s of it. With a cross-validation approach, the suspected process and processes of its predicted class are used to conclude whether it is a trusted, variant of the trusted or untrusted process for that host. Not necessarily the untrusted program is a malware but it may be a program not listed in the trusted program list for the specific host. Hence this work aims to detect anomaly in concern with list of trusted applications based on user’s preference by doing a dynamic analysis on In-memory processes.

Binayak Panda and Satya Narayan Tripathy, “Detection of Anomalous In-Memory Process based on DLL Sequence” International Journal of Advanced Computer Science and Applications(IJACSA), 11(10), 2020. http://dx.doi.org/10.14569/IJACSA.2020.0111025

@article{Panda2020,
title = {Detection of Anomalous In-Memory Process based on DLL Sequence},
journal = {International Journal of Advanced Computer Science and Applications},
doi = {10.14569/IJACSA.2020.0111025},
url = {http://dx.doi.org/10.14569/IJACSA.2020.0111025},
year = {2020},
publisher = {The Science and Information Organization},
volume = {11},
number = {10},
author = {Binayak Panda and Satya Narayan Tripathy}
}