An ELF Recovery Method for Linux Malicious Process Detection

2021
In recent years, attacks against cloud hosts and IoT devices have become more frequent, and new families of ransomware and cryptomining malware pose a serious threat to Internet security. Traditional static detection methods cannot deal effectively with fileless malware, and behavior-based detection methods have difficulty attributing a malicious sample to its origin. Comparing the binary extracted from process memory against a library of sample files can identify a malicious process accurately. Because static comparison is costly in time, we also retain dynamic features based on network characteristics. In this paper we implement a prototype system and select six typical Linux malware samples for experiments. By setting similarity thresholds we can screen out malicious processes accurately, and the ELF recovery degree of every sample is above 98%. This technique can be applied to memory forensics and can also help combat Internet crime.
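As an added worked example (my code, not the paper's prototype system): rebuilding an ELF file image from process memory using only what the loader leaves mapped, the ELF header and the program headers, and then scoring the result against a sample library with a similarity threshold. The ELF, the simulated memory image and the runtime modification are constructed inline; the byte-at-same-offset recovery degree, the 0.98 threshold (taken from the reported figure) and the sample name are assumptions, not definitions from the paper. On a live Linux host the memory view would come from /proc/<pid>/maps and /proc/<pid>/mem instead of the simulated loader used here.

```python
import struct

PT_LOAD = 1
EHDR_FMT = "<16sHHIQQQIHHHHHH"            # Elf64_Ehdr, little-endian
PHDR_FMT = "<IIQQQQQQ"                    # Elf64_Phdr
EHDR_SIZE = struct.calcsize(EHDR_FMT)     # 64
PHDR_SIZE = struct.calcsize(PHDR_FMT)     # 56
PAGE = 0x1000


def build_sample_elf():
    """Constructed test data: a minimal ET_DYN x86-64 ELF with two PT_LOAD
    segments (headers + code, then writable data with a .bss tail) and no
    section header table. Not a real malware sample."""
    code = b"\x48\x31\xc0\xc3" * 64                 # 256 bytes: xor rax,rax; ret
    data = b"CONFIG=1;C2=example.invalid\0".ljust(64, b"\0")
    data_off = EHDR_SIZE + 2 * PHDR_SIZE + len(code)
    data_vaddr = PAGE + data_off                   # offset == vaddr (mod PAGE)
    bss = 128
    phdrs = [  # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        (PT_LOAD, 5, 0, 0, 0, data_off, data_off, PAGE),
        (PT_LOAD, 6, data_off, data_vaddr, data_vaddr, len(data), len(data) + bss, PAGE),
    ]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, LSB
    ehdr = struct.pack(EHDR_FMT, ident, 3, 62, 1,           # ET_DYN, EM_X86_64
                       EHDR_SIZE + 2 * PHDR_SIZE,           # e_entry -> code
                       EHDR_SIZE, 0, 0,                     # e_phoff, e_shoff, e_flags
                       EHDR_SIZE, PHDR_SIZE, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs) + code + data


def parse_headers(read):
    """read(offset, n) returns n bytes relative to the ELF header, from either
    the file view or the memory view. Returns (ehdr fields, program headers)."""
    ehdr = list(struct.unpack(EHDR_FMT, read(0, EHDR_SIZE)))
    if ehdr[0][:4] != b"\x7fELF":
        raise ValueError("no ELF magic at the given address")
    phoff, phentsize, phnum = ehdr[5], ehdr[9], ehdr[10]
    phdrs = [struct.unpack(PHDR_FMT, read(phoff + i * phentsize, PHDR_SIZE))
             for i in range(phnum)]
    return ehdr, phdrs


def load_into_memory(elf, load_bias):
    """Simulate the loader: copy each PT_LOAD to load_bias + p_vaddr and
    zero-fill p_memsz beyond p_filesz. Returns (base address, memory image)."""
    _, phdrs = parse_headers(lambda off, n: elf[off:off + n])
    loads = [p for p in phdrs if p[0] == PT_LOAD]
    lo, hi = min(p[3] for p in loads), max(p[3] + p[6] for p in loads)
    mem = bytearray(hi - lo)
    for _, _, off, vaddr, _, filesz, _, _ in loads:
        mem[vaddr - lo:vaddr - lo + filesz] = elf[off:off + filesz]
    return load_bias + lo, mem


def recover_elf(mem, base, hdr_addr):
    """Rebuild the file view from the memory view. hdr_addr is where the ELF
    magic sits in the process (on a live system: the first mapping of the
    executable listed in /proc/<pid>/maps, read through /proc/<pid>/mem)."""
    def rd(addr, n):
        return bytes(mem[addr - base:addr - base + n])
    ehdr, phdrs = parse_headers(lambda off, n: rd(hdr_addr + off, n))
    loads = [p for p in phdrs if p[0] == PT_LOAD]
    first = next(p for p in loads if p[2] == 0)   # segment holding file offset 0
    bias = hdr_addr - first[3]                    # PIE/ASLR load bias
    out = bytearray(max(p[2] + p[5] for p in loads))
    for _, _, off, vaddr, _, filesz, _, _ in loads:
        out[off:off + filesz] = rd(bias + vaddr, filesz)
    # Section headers are not mapped at runtime, so do not advertise a table.
    ehdr[6], ehdr[12], ehdr[13] = 0, 0, 0
    out[:EHDR_SIZE] = struct.pack(EHDR_FMT, *ehdr)
    return bytes(out)


def recovery_degree(recovered, original):
    """Fraction of bytes reproduced at the same file offset (assumed metric)."""
    n = min(len(recovered), len(original))
    same = sum(1 for i in range(n) if recovered[i] == original[i])
    return same / max(len(recovered), len(original))


def match_sample(recovered, library, threshold=0.98):
    """Best library sample as (name, degree) if it clears the threshold, else None."""
    name, degree = max(((k, recovery_degree(recovered, v)) for k, v in library.items()),
                       key=lambda kv: kv[1])
    return (name, degree) if degree >= threshold else None


def demo():
    sample = build_sample_elf()
    base, mem = load_into_memory(sample, 0x555555554000)
    # Simulate the running process rewriting part of its config in memory;
    # this is why a recovered image rarely matches its sample at exactly 100%.
    i = mem.find(b"CONFIG=1")
    mem[i:i + 4] = b"DEAD"
    recovered = recover_elf(mem, base, base)
    return recovery_degree(recovered, sample), match_sample(recovered, {"sample_x": sample})


if __name__ == "__main__":
    print(demo())
```

The recovered image has no section header table because that table normally lies outside every PT_LOAD segment and is never mapped; together with runtime writes to .data, that is why a memory-recovered ELF should be compared with a similarity threshold rather than an exact hash match.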