http://dx.doi.org/10.7471/ikeee.2022.26.3.380

A Countermeasure against a Whitelist-based Access Control Bypass Attack Using Dynamic DLL Injection Scheme  

Kim, Dae-Youb (Dept. of Information Security, Suwon University)
Publication Information
Journal of IKEEE, vol. 26, no. 3, 2022, pp. 380-388
Abstract
Traditional malware detection technologies collect known malicious programs and analyze their characteristics. Such a detection technology then builds a blacklist from the analyzed malicious characteristics and checks the programs in the user's system against that blacklist to decide whether each program is malware. This approach can detect known malicious programs, but responding to unknown or variant malware is challenging. In addition, since such detection technologies generally monitor all programs in the system in real time, they can degrade system performance. To address these problems, various methods have been proposed that analyze the major behaviors of malicious programs and respond to those behaviors. The main characteristic of ransomware is that it accesses and encrypts the user's files. A newer approach therefore builds a whitelist of the programs installed in the user's system and allows only the programs listed on the whitelist to access the user's files. However, even when such an approach is applied, attackers can still perform malicious behavior by carrying out a DLL (Dynamic-Link Library) injection attack against a legitimate program registered on the whitelist. This paper proposes a method to respond effectively to attacks that use DLL injection.
Keywords
Malware; Ransomware; Blacklist; Whitelist; DLL Injection;
Times Cited By KSCI: 4