论文信息 - Towards Architecture and OS-Independent Malware Detection via Memory Forensics

Towards Architecture and OS-Independent Malware Detection via Memory Forensics

In this work, we take a fundamentally different approach to the problem of analyzing a device for compromises via malware; our approach is OS and instruction architecture independent and relies only on having the raw binary data extracted from the memory dump of a device. Our system leverages a multi-hundred TB dataset of both compromised host memory dumps extracted from the MalRec dataset [8] and the first known dataset of benign host memory dumps running normal, non-compromised software. After an average of 30 to 45 seconds of pre-processing on a single memory dump, our system leverages both traditional machine learning and deep learning algorithms to achieve an average of 98% accuracy of detecting a compromised host.

[1] Jared M. Smith,et al. DEMO: Akatosh: Automated Cyber Incident Verification and Impact Analysis , 2017, CCS.

[2] Andrew Zisserman,et al. Very Deep Convolutional Networks for Large-Scale Image Recognition , 2014, ICLR.

[3] Wei Song,et al. DeepMem: Learning Graph Neural Network Models for Fast and Robust Memory Forensic Analysis , 2018, CCS.

[4] B. S. Manjunath,et al. Malware images: visualization and automatic classification , 2011, VizSec '11.

[5] Chia-Mu Yu,et al. R2-D2: ColoR-inspired Convolutional NeuRal Network (CNN)-based AndroiD Malware Detections , 2017, 2018 IEEE International Conference on Big Data (Big Data).

[6] Brendan Dolan-Gavitt,et al. Malrec: Compact Full-Trace Malware Recording for Retrospective Deep Analysis , 2018, DIMVA.

[7] Michael Brengel,et al. MemScrimper: Time- and Space-Efficient Storage of Malware Sandbox Memory Dumps , 2018, DIMVA.

[8] Chang Hoon Kim,et al. CNN Model to Classify Malware Using Image Feature , 2018 .