Affiliation:
1. Qilu University of Technology (Shandong Academy of Sciences), Shandong Computer Science Center (Na- 5 tional Supercomputer Center in Jinan), Shandong Provincial Key Laboratory of Computer Networks), Jinan 250014, China
2. Mathematical Institute, The Serbian Academy of Sciences and Arts, 11000 Belgrade, Serbia
Abstract
As cyber attacks grow more complex and sophisticated, new types of malware become more dangerous and challenging to detect. In particular, fileless malware injects malicious code into the physical memory directly without leaving attack traces on disk files. This type of attack is well concealed, and it is difficult to find the malicious code in the static files. For malicious processes in memory, signature-based detection methods are becoming increasingly ineffective. Facing these challenges, this paper proposes a malware detection approach based on convolutional neural network and memory forensics. As the malware has many symmetric features, the saved training model can detect malicious code with symmetric features. The method includes collecting executable static malicious and benign samples, running the collected samples in a sandbox, and building a dataset of portable executables in memory through memory forensics. When a process is running, not all the program content is loaded into memory, so binary fragments are utilized for malware analysis instead of the entire portable executable (PE) files. PE file fragments are selected with different lengths and locations. We conducted several experiments on the produced dataset to test our model. The PE file with 4096 bytes of header fragment has the highest accuracy. We achieved a prediction accuracy of up to 97.48%. Moreover, an example of fileless attack is illustrated at the end of the paper. The results show that the proposed method can detect malicious codes effectively, especially the fileless attack. Its accuracy is better than that of common machine learning methods.
Funder
the National Natural Science Foundation of China
the Shandong Provincial Natural Science Foundation of China
the Shandong Provincial Key Research and Development Program
Subject
Physics and Astronomy (miscellaneous),General Mathematics,Chemistry (miscellaneous),Computer Science (miscellaneous)
Reference38 articles.
1. A few-shot malware classification approach for unknown family recognition using malware feature visualization;Conti;Comput. Secur.,2022
2. (2022, December 23). Malware Statistics & Trends Report|AV-TEST. AV Test Malware Statistics. Available online: https://www.av-test.org/en/statistics/malware.
3. The Economics of Information Security and Privacy;Greenstein;J. Econ. Lit.,2014
4. Khalid, O., Ullah, S., Ahmad, T., Saeed, S., Alabbad, D.A., Aslam, M., Buriro, A., and Ahmad, R. (2023). An Insight into the Machine-Learning-Based Fileless Malware Detection. Sensors, 23.
5. Fileless malware threats: Recent advances, analysis approach through memory forensics and research challenges;Kara;Expert Syst. Appl.,2022
Cited by
3 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献