Automated malware detection using artifacts in forensic memory images

Malware is one of the greatest and most rapidly growing threats to the digital world. Traditional signature-based detection is no longer adequate to detect new variants and highly targeted malware, and dynamic detection is often circumvented with anti-VM and anti-debugger techniques. Recently, heuristic approaches have been explored to improve detection accuracy while keeping the model general enough to detect unknown malware samples. In this paper, we investigate three feature types extracted from memory images: registry activity, imported libraries, and API function calls. After evaluating the importance of the individual features, we train several machine learning classifiers on each feature type in turn and compare their malware detection performance. The highest accuracy, 96%, was reached by a support vector machine fitted on features extracted from registry activity.
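As an added illustration of the pipeline the abstract describes (this is not the paper's code), the following Python turns per-sample memory-image artifacts of the three kinds named above into binary bag-of-artifact vectors, ranks the features of each type by information gain, and compares the feature types with a leave-one-out classifier. It assumes the artifacts have already been recovered from each memory image by a memory-forensics tool (that extraction step is not shown); the six-sample corpus, the registry, DLL and API token names, and the Bernoulli naive Bayes classifier are constructed stand-ins for the paper's dataset and for the classifiers it compares (including its SVM).

```python
"""Bag-of-artifact features from memory-image artifacts, information-gain
feature ranking, and a leave-one-out comparison of the three feature types.

Added example, not the paper's code. Each sample is assumed to have been
reduced by a memory-forensics tool to a label plus three token lists
(registry keys touched, loaded DLLs, resolved API names). Constructed data.
"""
from collections import Counter
from math import log, log2

MALWARE, BENIGN = 1, 0
KINDS = ("registry", "dlls", "apis")

# Constructed toy corpus (hypothetical samples, not real malware).
SAMPLES = [
    {"label": MALWARE,
     "registry": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                  r"HKLM\SYSTEM\CurrentControlSet\Services"],
     "dlls": ["kernel32.dll", "advapi32.dll", "ws2_32.dll"],
     "apis": ["CreateRemoteThread", "WriteProcessMemory", "RegSetValueExA"]},
    {"label": MALWARE,
     "registry": [r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                  r"HKLM\SYSTEM\CurrentControlSet\Services"],
     "dlls": ["kernel32.dll", "advapi32.dll", "wininet.dll"],
     "apis": ["WriteProcessMemory", "RegSetValueExA", "InternetOpenA"]},
    {"label": MALWARE,
     "registry": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                  r"HKLM\SYSTEM\CurrentControlSet\Services"],
     "dlls": ["kernel32.dll", "ws2_32.dll", "ntdll.dll"],
     "apis": ["CreateRemoteThread", "VirtualAllocEx", "RegSetValueExA"]},
    {"label": BENIGN,
     "registry": [r"HKCU\Control Panel\Desktop"],
     "dlls": ["kernel32.dll", "user32.dll", "gdi32.dll"],
     "apis": ["CreateFileW", "MessageBoxW", "GetProcAddress"]},
    {"label": BENIGN,
     "registry": [r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts",
                  r"HKCU\Control Panel\Desktop"],
     "dlls": ["kernel32.dll", "user32.dll", "comctl32.dll"],
     "apis": ["CreateFileW", "ReadFile", "GetProcAddress"]},
    {"label": BENIGN,
     "registry": [r"HKCU\Control Panel\Desktop", r"HKCU\Software\Classes"],
     "dlls": ["kernel32.dll", "user32.dll", "ole32.dll"],
     "apis": ["ReadFile", "MessageBoxW", "CoInitialize"]},
]


def entropy(labels):
    """Shannon entropy in bits of a label list (0.0 for empty or pure lists)."""
    n = len(labels)
    return -sum(c / n * log2(c / n) for c in Counter(labels).values()) if n else 0.0


def vocabulary(samples, kind):
    """Every distinct token of one feature type, in a fixed order."""
    return sorted({tok for s in samples for tok in s[kind]})


def vectorize(sample, vocab, kind):
    """Binary presence vector: 1 where the sample exhibits the vocab token."""
    present = set(sample[kind])
    return [1 if tok in present else 0 for tok in vocab]


def information_gain(samples, kind):
    """IG(label; token present) for each token: H(Y) minus the
    presence-weighted conditional entropy. 0 for a token every sample has."""
    labels = [s["label"] for s in samples]
    base = entropy(labels)
    gains = {}
    for tok in vocabulary(samples, kind):
        with_tok = [s["label"] for s in samples if tok in s[kind]]
        without = [s["label"] for s in samples if tok not in s[kind]]
        cond = sum(len(g) / len(samples) * entropy(g) for g in (with_tok, without))
        gains[tok] = base - cond
    return gains


def top_features(samples, kind, k):
    """The k tokens with the highest information gain (ties broken by name)."""
    gains = information_gain(samples, kind)
    return sorted(gains, key=lambda t: (-gains[t], t))[:k]


class BernoulliNB:
    """Laplace-smoothed Bernoulli naive Bayes over 0/1 artifact vectors.
    Stand-in for the paper's classifiers; consumes the same vectors an SVM would."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha

    def fit(self, X, y):
        self.classes = sorted(set(y))
        self.log_prior, self.log_p, self.log_q = {}, {}, {}
        for c in self.classes:
            rows = [x for x, label in zip(X, y) if label == c]
            self.log_prior[c] = log(len(rows) / len(y))
            # P(token j present | class c), smoothed so unseen tokens stay finite
            p = [(sum(r[j] for r in rows) + self.alpha) / (len(rows) + 2 * self.alpha)
                 for j in range(len(X[0]))]
            self.log_p[c] = [log(v) for v in p]
            self.log_q[c] = [log(1 - v) for v in p]
        return self

    def predict(self, x):
        def score(c):
            return self.log_prior[c] + sum(
                self.log_p[c][j] if xj else self.log_q[c][j] for j, xj in enumerate(x))
        return max(self.classes, key=score)


def loo_accuracy(samples, kind, top_k=None):
    """Leave-one-out accuracy for one feature type. Vocabulary and feature
    ranking come from the training fold only, so the held-out sample never
    leaks into feature selection."""
    hits = 0
    for i, held in enumerate(samples):
        train = samples[:i] + samples[i + 1:]
        vocab = top_features(train, kind, top_k) if top_k else vocabulary(train, kind)
        clf = BernoulliNB().fit([vectorize(s, vocab, kind) for s in train],
                                [s["label"] for s in train])
        hits += clf.predict(vectorize(held, vocab, kind)) == held["label"]
    return hits / len(samples)


if __name__ == "__main__":
    for kind in KINDS:
        print(f"{kind:9s} top features: {top_features(SAMPLES, kind, 3)}")
        print(f"{kind:9s} LOO accuracy: {loo_accuracy(SAMPLES, kind):.2f}")
```

Two things worth noticing when running it: kernel32.dll is loaded by every sample of both classes, so its information gain is exactly zero, which is the kind of ubiquitous import a feature-importance pass is meant to discard, whereas a registry key under the Services hive or the RegSetValueExA API separates this toy corpus perfectly. The `top_k` path re-ranks features inside every fold; ranking once on the full corpus and then cross-validating would let the held-out label influence which features survive and inflate the reported accuracy.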
