Internal Interface Diversification with Multiple Fake Interfaces

Abstract

<p>Malware uses knowledge of well-known interfaces to achieve<br />its goals. However, if we uniquely diversify these interfaces<br />in each system, the malware no longer knows the ”language”<br />of a specific system and it becomes much more difficult for<br />malicious programs to operate. This paper extends the idea<br />of interface diversification by presenting a scheme where a<br />fake original interface and multiple other fake interfaces are<br />provided along with the valid interface in order to log the<br />suspicious activity in the system and possibly deceive malware<br />by initiating fallacious interaction with it. We also<br />present a proof-of-concept implementation of this scheme in<br />Linux environment and conduct experiments with it.<br /></p>