Monday, October 6, 2025

Detecting DLL hijacking with ML


To evade detection by security solutions, cybercriminals use various techniques that mask their malicious activity. One of the techniques increasingly seen in recent years in attacks on Windows systems is DLL hijacking: replacing dynamic-link libraries (DLLs) with malicious ones. Traditional security tools often fail to detect use of this technique. To solve this problem, our colleagues from the Kaspersky AI Technology Research Center developed a machine-learning model that detects DLL hijacking with high accuracy. This model has already been implemented in the latest release of our SIEM system, the Kaspersky Unified Monitoring and Analysis Platform. In this post, we explain the challenges of detecting DLL hijacking and how our technology addresses them.

How DLL hijacking works and why it’s arduous to detect

The sudden launch of an unknown file in a Windows environment inevitably attracts the attention of security tools, or is simply blocked. Essentially, DLL hijacking is an attempt to pass off a malicious file as a known and trusted one. There are several variations of DLL hijacking: one is when attackers distribute a malicious library together with legitimate software (DLL sideloading) so that the software loads it; another is when they replace standard DLLs that are called by programs already installed on the computer; and there is also the case where they manipulate the system mechanisms that determine where a process looks for the library it loads and executes (DLL search order hijacking), for example by placing a library with the expected name in a directory that Windows searches before the directory holding the genuine one. In every case the malicious DLL is loaded by a legitimate process, inside that process's own address space and with its privileges, so conventional endpoint security systems view the activity as legitimate. That is why our experts decided to counter this threat with AI technologies.
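The search-order variant described above, shown as an added example that is not from the original post: a small simulation of the documented default Windows DLL search order for a library requested by bare name, with SafeDllSearchMode on (the default) and off. The toy filesystem, the application and user directory names, the DLL names and the KnownDLLs subset are all constructed for the example.

```python
"""Added example (not from the original post): simulate the default Windows
DLL search order to show how a planted library shadows the genuine one.
The filesystem, directories, DLL names and KnownDLLs subset are constructed."""

SYSTEM32 = r"c:\windows\system32"
SYSTEM16 = r"c:\windows\system"
WINDIR = r"c:\windows"

# Constructed toy filesystem: lowercase full paths that "exist".
FS = {
    r"c:\program files\vendorapp\app.exe",
    r"c:\program files\vendorapp\version.dll",    # planted next to the trusted exe
    r"c:\program files\vendorapp\kernel32.dll",   # planted, but kernel32 is a KnownDLL
    r"c:\windows\system32\version.dll",           # genuine library
    r"c:\windows\system32\kernel32.dll",
    r"c:\windows\system32\cryptbase.dll",
    r"c:\users\alice\downloads\cryptbase.dll",    # planted in the current directory
}

# Subset of the KnownDLLs list; the loader maps these from System32 and never
# walks the search order for them.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll"}


def search_order(app_dir, cwd, path_dirs=(), safe_dll_search_mode=True):
    """Directories searched, in order, for a DLL given by bare file name.
    With SafeDllSearchMode on, the current directory comes after the system
    directories; with it off, the current directory moves up to second place."""
    if safe_dll_search_mode:
        dirs = [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd]
    else:
        dirs = [app_dir, cwd, SYSTEM32, SYSTEM16, WINDIR]
    return [d.lower().rstrip("\\") for d in dirs + list(path_dirs)]


def resolve_dll(name, app_dir, cwd, path_dirs=(), safe_dll_search_mode=True):
    """Return the lowercase path the loader would pick for `name`, or None."""
    name = name.lower()
    if name in KNOWN_DLLS:
        return SYSTEM32 + "\\" + name
    for directory in search_order(app_dir, cwd, path_dirs, safe_dll_search_mode):
        candidate = directory + "\\" + name
        if candidate in FS:
            return candidate
    return None


def shadowed_imports(imports, app_dir, cwd, path_dirs=(), safe_dll_search_mode=True):
    """Map each import that resolves somewhere other than System32, even though a
    System32 copy exists, to the path that wins: these are hijack candidates."""
    shadowed = {}
    for name in imports:
        resolved = resolve_dll(name, app_dir, cwd, path_dirs, safe_dll_search_mode)
        genuine = SYSTEM32 + "\\" + name.lower()
        if resolved and resolved != genuine and genuine in FS:
            shadowed[name.lower()] = resolved
    return shadowed


if __name__ == "__main__":
    app, cwd = r"C:\Program Files\VendorApp", r"C:\Users\alice\Downloads"
    for dll in ("version.dll", "kernel32.dll", "cryptbase.dll"):
        print(dll, "->", resolve_dll(dll, app, cwd), "| unsafe:",
              resolve_dll(dll, app, cwd, safe_dll_search_mode=False))
    print("shadowed:", shadowed_imports(["version.dll", "kernel32.dll", "cryptbase.dll"], app, cwd))
```

The planted version.dll wins even with SafeDllSearchMode on, because the application directory is always searched first; this is why dropping a library beside a signed, trusted executable needs no configuration change. The planted cryptbase.dll only wins when SafeDllSearchMode is off, and the planted kernel32.dll never wins because KnownDLLs bypass the search entirely, which is why attackers target libraries that are not on that list.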

Detecting DLL hijacking with ML

AI Technology Research Center experts trained an ML model to detect DLL hijacking based on indirect information about the library and the process that loaded it. They identified key indicators of an attempt to manipulate a library: whether the executable file and the library are located in standard paths, whether the file was renamed, whether the library's size and structure have changed, whether its digital signature is intact, and so on. They initially trained the model on data about dynamic-link libraries being loaded, sourced both from internal automated analysis systems and from anonymized telemetry that users voluntarily provide to the Kaspersky Security Network (KSN). For labeling, our experts used data from our file reputation databases.
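To make the indicators above concrete, here is an added example that is not the model from the post: a hand-weighted, rule-based approximation of those indicators run over constructed image-load events carrying the fields a Sysmon Event ID 7 record would provide, followed by a cross-check against a constructed reputation table standing in for the cloud lookup described later in the post. The events, the known-good catalogue (export count is used as the proxy for "structure"), the reputation table and the weights are all constructed; the real model learns its weighting from data rather than taking it from a table like this.

```python
"""Added example, not the post's model: rule-based approximation of the
DLL hijacking indicators over constructed image-load events. The events,
the known-good catalogue, the reputation table and the weights are constructed."""
import ntpath

# Directories treated as "standard" locations for executables and libraries.
STANDARD_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                 r"c:\program files", r"c:\program files (x86)")

# Constructed stand-in for a file-reputation catalogue: size and export count
# of the genuine copy of each library (export count is the proxy for "structure").
KNOWN_GOOD = {
    "version.dll": {"size": 40960, "exports": 17},
    "dbghelp.dll": {"size": 1962496, "exports": 192},
}

# Constructed stand-in for a cloud reputation lookup keyed by file hash.
REPUTATION = {"sha256:0001": "clean", "sha256:0002": "clean", "sha256:0004": "clean"}

EVENTS = [  # constructed image-load events (Sysmon Event ID 7 style fields)
    {"process": r"C:\Program Files\VendorApp\app.exe",
     "image": r"C:\Windows\System32\version.dll", "original_name": "version.dll",
     "size": 40960, "exports": 17, "signed": True, "sha256": "sha256:0001"},
    {"process": r"C:\Users\alice\AppData\Local\Temp\upd\app.exe",       # sideload
     "image": r"C:\Users\alice\AppData\Local\Temp\upd\version.dll", "original_name": "loader.dll",
     "size": 2516992, "exports": 3, "signed": False, "sha256": "sha256:9999"},
    {"process": r"C:\Tools\PortableApp\tool.exe",                        # portable app
     "image": r"C:\Tools\PortableApp\helper.dll", "original_name": "helper.dll",
     "size": 12288, "exports": 5, "signed": True, "sha256": "sha256:0002"},
    {"process": r"C:\Tools\Debugger\cdb.exe",                            # redistributed system DLL
     "image": r"C:\Tools\Debugger\dbghelp.dll", "original_name": "dbghelp.dll",
     "size": 1794048, "exports": 190, "signed": True, "sha256": "sha256:0004"},
]

WEIGHTS = {"exe_nonstandard": 1, "dll_nonstandard": 1, "renamed": 2, "size_changed": 2,
           "exports_changed": 1, "unsigned": 2, "shadows_known": 3}


def in_standard_dir(path):
    return path.lower().startswith(STANDARD_DIRS)  # str.startswith accepts a tuple


def extract_features(ev):
    """Boolean indicators in the spirit of the ones the post lists."""
    name = ntpath.basename(ev["image"]).lower()
    ref = KNOWN_GOOD.get(name)
    return {
        "exe_nonstandard": not in_standard_dir(ev["process"]),
        "dll_nonstandard": not in_standard_dir(ev["image"]),
        "renamed": ev["original_name"].lower() != name,   # on-disk name differs from internal name
        "size_changed": ref is not None and ev["size"] != ref["size"],
        "exports_changed": ref is not None and ev["exports"] != ref["exports"],
        "unsigned": not ev["signed"],
        # a well-known system DLL name loaded from somewhere other than a standard directory
        "shadows_known": ref is not None and not in_standard_dir(ev["image"]),
    }


def score(features):
    return sum(WEIGHTS[key] for key, hit in features.items() if hit)


def analyze(ev, threshold=4):
    """Heuristic verdict, then cross-checked against the reputation table so that a
    known-clean hash suppresses a false positive."""
    feats = extract_features(ev)
    total = score(feats)
    verdict = "suspicious" if total >= threshold else "benign"
    reputation = REPUTATION.get(ev["sha256"], "unknown")
    if verdict == "suspicious" and reputation == "clean":
        verdict = "benign"
    return {"image": ev["image"], "score": total, "reputation": reputation,
            "verdict": verdict, "reasons": [k for k, hit in feats.items() if hit]}


def analyze_all(events=EVENTS, threshold=4):
    return [analyze(ev, threshold) for ev in events]


if __name__ == "__main__":
    for result in analyze_all():
        print(f'{result["verdict"]:10} score={result["score"]:2} {result["image"]}  '
              f'{", ".join(result["reasons"])}')
```

Two of the four constructed events show why single indicators are weak on their own: the portable tool loads an unknown helper from a nonstandard directory and scores low, and the debugger's redistributed dbghelp.dll trips the size, export and shadowing indicators but is cleared by its known-clean hash. Only the renamed, unsigned version.dll sitting next to a copy of the application in a temp directory survives both the heuristic and the reputation check.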

The first model was rather inaccurate, so before adding it to the solution our experts went through several iterations, refining both the labeling of the training dataset and the features that indicate DLL hijacking. As a result, the model now detects this technique with high accuracy. On Securelist, our colleagues published a detailed article about how they developed this technology: from the initial hypothesis, through testing in Kaspersky Managed Detection and Response, to the practical application in our SIEM platform.

DLL hijacking detection in Kaspersky SIEM

In the SIEM system, the model analyzes the metadata of loaded DLLs and of the processes that loaded them from the telemetry, flags suspicious cases, and then cross-checks its verdict against KSN cloud data. This not only improves the accuracy of DLL hijacking detection, but also reduces false positives. The model can operate in both the correlation subsystem and the event collection subsystem.

In the first case, it checks only the events that have already triggered correlation rules. This allows for a more precise threat assessment and faster alert generation where needed. Since not all events are checked, the volume of cloud queries does not significantly affect the model's response time.

In the second case, the model processes all library-load events that meet certain conditions. This mode consumes more resources but is invaluable for retrospective threat hunting.

In another Securelist blog post, colleagues from the Anti-Malware Research team described in detail how the DLL hijacking detection model helps Kaspersky SIEM catch targeted attacks, with real examples of early incident detection.

Most importantly, the model's accuracy will only continue to improve as more data on threats and legitimate processes accumulates and KSN algorithms evolve.
