Behaviour Anomaly on Linux Systems to Detect Zero-day Malware Attacks

aut.embargo: No
aut.thirdpc.contains: No
dc.contributor.advisor: Nisbet, Alastair
dc.contributor.author: Ahmed, Ovais
dc.date.accessioned: 2022-05-02T00:13:28Z
dc.date.available: 2022-05-02T00:13:28Z
dc.date.copyright: 2022
dc.date.issued: 2022
dc.date.updated: 2022-04-29T08:35:35Z
dc.description.abstract: Internet-connected devices have been the subject of cyber threats because of the gain malicious actors obtain by compromising these systems. Endpoint protection is available on these systems, but it protects only when a signature for the malicious software is available. The challenge is that if the signature is not available to the endpoint protection, as in the case of zero-day malware, the endpoint will neither detect the malware nor protect the system. The usual process for zero-day malware is file analysis in a sandbox environment to identify the file, create a signature, and update the endpoint database. This process introduces a delay, during which substantial damage can be done to the systems before the signature is updated. This research examines abnormal behaviour on a Linux-based operating system and evaluates a method for detecting zero-day malware built for the platform. Malware samples are sourced from publicly available repositories. The sample files include known malicious and known non-malicious files. The known malicious files have signatures available in the antivirus tool; therefore, the setup removes the corresponding signatures for the known malware samples so that they are treated as zero-day malware. A total of twenty-two malware samples were used to test the detection method, of which a few were run without signature information on the endpoint antivirus to determine the consistency of the test results. The research examines malware behaviour on the Linux-based system by monitoring processes in two different situations, where non-malicious and known malicious files are executed at different intervals. Abnormal process behaviour identifies the malicious file. The second phase of the research explores methods to act on the file after detection. It discusses YARA rules and programmable interface integration across the platform to automate the file quarantine feature.
dc.identifier.uri: https://hdl.handle.net/10292/15107
dc.language.iso: en
dc.publisher: Auckland University of Technology
dc.rights.accessrights: OpenAccess
dc.subject: Malware detection
dc.subject: Anomaly Behaviour
dc.subject: Linux System
dc.subject: Zero-day Malware
dc.title: Behaviour Anomaly on Linux Systems to Detect Zero-day Malware Attacks
dc.type: Thesis
thesis.degree.grantor: Auckland University of Technology
thesis.degree.level: Masters Theses
thesis.degree.name: Master of Information Security and Digital Forensics
Files

Original bundle (2 files)
- AhmedO.pdf; Size: 2.31 MB; Format: Adobe Portable Document Format; Description: Thesis
- Behaviour Anomaly on Linux Systems to Detect Zero-day Malware Attacks.pdf; Size: 2 MB; Format: Adobe Portable Document Format

License bundle (1 file)
- license.txt; Size: 897 B; Description: Item-specific license agreed upon to submission