Attacks On Volatile Memory Can Be Detected, Researchers Say

Published: 22/11/2024   Category: security



In-memory attacks create processing delays that give hackers away, Triumfant research says



Elusive attacks on a computer's volatile memory can be detected through a detailed analysis of processor behavior, according to new research.
Researchers at security vendor Triumfant have discovered that in-memory attacks create a significant delay in system calls that is typically beyond the normal variance of processing time. The ability to detect such attacks -- which have generally eluded most security tools because they attack data that is not stored -- could enable enterprises to interrupt the attacks before they can do any damage, Triumfant says.
"There's a temporal dimension to in-memory attacks that is detectable," says John Prisco, CEO of Triumfant. "We're seeing delays in system calls that are two or three times the norm, and it's possible to isolate those processes and shut them down."
In-memory attacks, recently referred to as advanced volatile threats (AVTs), enable an attacker to access a computer's random access memory (RAM) or other volatile memory processes to redirect a computer's behavior. AVTs allow attackers to steal data or insert malware, but because they are never stored in long-term memory, they can be difficult to detect.
Industry experts suspect that in-memory attacks are on the increase because they evade the prevalent defenses that rely on attack signatures and malware behavior analysis. Oded Horovitz, CEO and founder of security firm PrivateCore, last month presented his company's findings on server in-memory attacks (PDF) and recommended tools for encrypting such data.
"Hacking hasn't changed," said Daniel Clemens, owner of Packetninjas, in a recent Dark Reading report on low-level memory threats. "We still have code, we still have data. Exploiting memory corruption vulnerabilities is effectively flipping data to code for creative execution."
So far, however, there is little industry data to back up experts' suspicions about in-memory threats because most security analysis tools focus on stored data. Triumfant hopes its new research will help identify in-memory attacks and provide trend data over time.
"So far, we've only tested it in our own environment, but we've been able to see a clear pattern," Prisco says. "System calls that take 20 or 25 milliseconds consistently go up to 50 milliseconds or more when there's an in-memory attack. When you have processing delays like that -- delays that are two or three deltas beyond the norm -- then you know that something is not right."
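The timing pattern described above can be turned into a simple per-process check. The following is an added example, not Triumfant's code or method: the process names, latency samples, the 2x ratio, the median/MAD variance cut-off and the three-in-a-row rule are all assumptions chosen to mirror the figures quoted in the article.

```python
from statistics import median

def baseline(samples_ms):
    """Median and median absolute deviation (MAD) of known-good latencies."""
    med = median(samples_ms)
    mad = median(abs(s - med) for s in samples_ms)
    return med, mad

def find_sustained_delay(baseline_ms, observed_ms, ratio=2.0, k=3.0, run=3):
    """Index where a run of `run` consecutive slow calls starts, else None.

    A call counts as slow only if it is at least `ratio` times the baseline
    median AND beyond the normal variance (median + k scaled MADs), so a
    noisy but healthy process is not flagged on ratio alone.
    """
    med, mad = baseline(baseline_ms)
    threshold = max(ratio * med, med + k * 1.4826 * mad)
    streak = 0
    for i, latency in enumerate(observed_ms):
        # "Consistently" slow: reset the streak on any normal call.
        streak = streak + 1 if latency >= threshold else 0
        if streak == run:
            return i - run + 1
    return None

def scan(baseline_ms, per_process_ms):
    """Map each flagged process to the sample index where its delay began."""
    hits = {}
    for name, observed in per_process_ms.items():
        start = find_sustained_delay(baseline_ms, observed)
        if start is not None:
            hits[name] = start
    return hits

# Constructed sample data (milliseconds), not measurements from the research.
BASELINE_MS = [20, 22, 25, 21, 24, 23, 20, 25, 22, 24]
OBSERVED_MS = {
    "svc_a": [21, 24, 48, 23, 22, 25],   # one isolated spike
    "svc_b": [22, 24, 51, 55, 50, 58],   # sustained 50 ms+ calls
}

if __name__ == "__main__":
    for proc, start in scan(BASELINE_MS, OBSERVED_MS).items():
        print(f"{proc}: sustained system-call delay from sample {start}")
```

Latency also rises under ordinary load or resource contention, so a hit from a check like this is a candidate for triage rather than a verdict.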
Triumfant is also working on a way to identify the memory objects responsible for the delays and remove them before they can execute, Prisco says.
"These in-memory attacks are going to become more attractive to the bad guys as conventional malware detection tools get better," Prisco predicts. "It's a way to execute the same attacks without being detected."
