Volatile memory analysis using the MinHash method for efficient and secured detection of malware in private cloud

Abstract

Today, most organizations employ cloud computing environments both for computation and for storing their critical files and data. Virtual servers are an example of widely used virtual resources provided by cloud computing architecture. Virtual servers are therefore an attractive target for cyber-attackers, who launch their attacks using malware such as the well-known remote access trojans (RATs) and more modern malware such as ransomware and cryptojacking. Existing security solutions implemented on virtual servers fail to detect newly created malware (zero-day attacks); in fact, by the time the security solution is updated, the organization has likely already been attacked. In this study, we present a designated framework aimed at trusted and secured detection of newly created and unknown instances of malware on virtual machines in an organization's private cloud. We took volatile memory dumps from a virtual machine (VM) in a secured and trusted manner and analyzed all of the data within the memory dumps using the MinHash method; MinHash is well suited to accurate detection of malware in VMs because it enables efficient comparison of volatile memory dumps. The proposed framework is evaluated in a comprehensive set of experiments of increasing difficulty, in which we also measured the detection performance of different classifiers (both similarity-based and machine learning-based classifiers), using collections of real-world, professional, notorious malware and legitimate applications. The evaluation results show that our framework can detect the anomalous state of a virtual server, as well as known, new, and unknown malware, with very high TPRs (100% for ransomware and RATs) and very low FPRs (1.8% for ransomware and no FPR for RATs). We also show how the methodology's performance can be improved, in terms of required time and storage space, saving more than 86% of these resources. Finally, we demonstrate the generalization capabilities and practicality of our methodology by using transfer learning and learning from just one virtual server in order to detect unknown malware on a different virtual server.
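The abstract states that MinHash makes comparing volatile memory dumps efficient. The following Python example, added here as an illustration and not code from the paper or its authors, shows the mechanism behind that claim: each dump is reduced to a fixed-length MinHash signature over its byte shingles, and the fraction of matching signature positions estimates the Jaccard similarity of the two dumps without comparing the dumps themselves. The shingle size, signature length, the constructed "dumps" and the anomaly threshold are all assumptions for the example; the paper's actual parameters are not given on this page.

```python
import hashlib
import random

# Assumed parameters (not the paper's): 8-byte shingles, 128-position signatures.
SHINGLE_SIZE = 8
NUM_HASHES = 128
MERSENNE_PRIME = (1 << 61) - 1
MAX_HASH = (1 << 32) - 1


def shingles(data: bytes, k: int = SHINGLE_SIZE) -> set:
    """Set of every k-byte sliding window of the input (the dump's 'shingles')."""
    if len(data) < k:
        return {data}
    return {data[i:i + k] for i in range(len(data) - k + 1)}


def _base_hash(shingle: bytes) -> int:
    """Stable 32-bit integer for a shingle (truncated BLAKE2b, no secret key)."""
    return int.from_bytes(hashlib.blake2b(shingle, digest_size=4).digest(), "big")


def make_hash_family(n: int = NUM_HASHES, seed: int = 0) -> list:
    """n random affine maps h_i(x) = (a_i*x + b_i) mod p, standing in for n permutations."""
    rng = random.Random(seed)
    return [(rng.randrange(1, MERSENNE_PRIME), rng.randrange(0, MERSENNE_PRIME))
            for _ in range(n)]


def minhash_signature(data: bytes, family: list) -> list:
    """Signature position i holds the minimum of h_i over all shingles of the dump."""
    sig = [MAX_HASH + 1] * len(family)
    for sh in shingles(data):
        h = _base_hash(sh)
        for i, (a, b) in enumerate(family):
            v = ((a * h + b) % MERSENNE_PRIME) & MAX_HASH
            if v < sig[i]:
                sig[i] = v
    return sig


def estimated_jaccard(sig_a: list, sig_b: list) -> float:
    """P[min h_i(A) == min h_i(B)] equals J(A,B), so matching positions estimate J."""
    matches = sum(1 for x, y in zip(sig_a, sig_b) if x == y)
    return matches / len(sig_a)


def exact_jaccard(a: bytes, b: bytes) -> float:
    """Ground truth for comparison; costs O(|A| + |B|) set operations on full shingle sets."""
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb)


def is_anomalous(baseline_sig: list, sample_sig: list, threshold: float = 0.9) -> bool:
    """Similarity-based decision: flag a dump that drifted too far from the clean baseline.
    The 0.9 threshold is an assumption chosen for the example, not a value from the paper."""
    return estimated_jaccard(baseline_sig, sample_sig) < threshold


def _random_bytes(n: int, seed: int) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample data: a 4 KiB pseudo-random 'clean' dump, the same dump with a
# 500-byte region overwritten (standing in for a modified process image), and an
# unrelated dump. These are synthetic stand-ins, not real memory captures.
CLEAN_DUMP = _random_bytes(4096, seed=1)
MODIFIED_DUMP = CLEAN_DUMP[:1000] + _random_bytes(500, seed=2) + CLEAN_DUMP[1500:]
UNRELATED_DUMP = _random_bytes(4096, seed=3)

FAMILY = make_hash_family()


def compare_dumps() -> dict:
    """Return estimated vs. exact similarity of each sample dump to the clean baseline."""
    base_sig = minhash_signature(CLEAN_DUMP, FAMILY)
    results = {}
    for name, dump in (("modified", MODIFIED_DUMP), ("unrelated", UNRELATED_DUMP)):
        sig = minhash_signature(dump, FAMILY)
        results[name] = {
            "estimated": estimated_jaccard(base_sig, sig),
            "exact": exact_jaccard(CLEAN_DUMP, dump),
            "anomalous": is_anomalous(base_sig, sig),
        }
    return results


if __name__ == "__main__":
    for name, r in compare_dumps().items():
        print(f"{name:9s} est={r['estimated']:.3f} exact={r['exact']:.3f} anomalous={r['anomalous']}")
```

Only the signatures (128 integers each) need to be stored per dump, which is the source of the time and storage savings the abstract refers to: comparing two dumps becomes a fixed-cost comparison of two short vectors, and new dumps can be checked against a stored baseline signature without retaining the baseline dump itself.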
