MRm-DLDet: a memory-resident malware detection framework based on memory forensics and deep neural network-Reference-Cited by-同舟云学术

MRm-DLDet: a memory-resident malware detection framework based on memory forensics and deep neural network

Published:2023-08-03 Issue:1 Volume:6 Page:
ISSN:2523-3246
Container-title:Cybersecurity
language:en
Short-container-title:Cybersecurity

Author:

Liu Jiaxi,Feng Yun,Liu Xinyu,Zhao Jianjun,Liu Qixu

Abstract

AbstractCyber attackers have constantly updated their attack techniques to evade antivirus software detection in recent years. One popular evasion method is to execute malicious code and perform malicious actions only in memory. Malicious programs that use this attack method are called memory-resident malware, with excellent evasion capability, and have posed huge threats to cyber security. Traditional static and dynamic methods are not effective in detecting memory-resident malware. In addition, existing memory forensics detection solutions perform unsatisfactorily in detection rate and depend on massive expert knowledge in memory analysis. This paper proposes MRm-DLDet, a state-of-the-art memory-resident malware detection framework, to overcome these drawbacks. MRm-DLDet first builds a virtual machine environment and captures memory dumps, then creatively processes the memory dumps into RGB images using a pre-processing technique that combines deduplication and ultra-high resolution image cropping, followed by our neural network MRmNet in MRm-DLDet to fully extract high-dimensional features from memory dump files and detect them. MRmNet receives the labeled sub-images of the cropped high-resolution RGB images as input of ResNet-18, which extracts the features of the sub-images. Then trains a network of gated recurrent units with an attention mechanism. Finally, it determines whether a program is memory-resident malware based on the detection results of each sub-image through a specially designed voting layer. We created a high-quality dataset consisting of 2,060 benign and memory-resident programs. In other words, the dataset contains 1,287,500 labeled sub-images cut from the MRm-DLDet transformed ultra-high resolution RGB images. We implement MRm-DLDet for Windows 10, and it performs better than the latest methods, with a detection accuracy of up to 98.34

$$\%$$

% . Moreover, we measured the effects of mimicry and adversarial attacks on MRm-DLDet, and the experimental results demonstrated the robustness of MRm-DLDet.

Funder

Youth Innovation Promotion Association of the Chinese Academy of Sciences

Strategic Priority Research Program of Chinese Academy of Sciences

Publisher

Springer Science and Business Media LLC

Subject

Artificial Intelligence,Computer Networks and Communications,Information Systems,Software

Link

https://link.springer.com/content/pdf/10.1186/s42400-023-00157-w.pdf

Reference67 articles.

1. Abrams L (2020) TrickBot malware now checks screen resolution to evade analysis. https://www.bleepingcomputer.com/news/security/trickbot-malware-now-checks-screen-resolution-to-evade-analysis/

2. Alrawi O, Ike M, Pruett M, Kasturi RP, Barua S, Hirani T, Hill B, Saltaformaggio B (2021) Forecasting malware capabilities from cyber attack memory images. In: 30th USENIX security symposium (USENIX security 21), pp 3523–3540

3. Anderson HS, Roth P (2018) Ember: an open dataset for training static pe malware machine learning models. arXiv preprint arXiv:1804.04637

4. Anderson HS, Kharkar A, Filar B, Evans D, Roth P (2018) Learning to evade static pe machine learning malware models via reinforcement learning. arXiv preprint arXiv:1801.08917

5. Arefi MN, Alexander G, Rokham H, Chen A, Faloutsos M, Wei X, Oliveira DS, Crandall JR (2018) Faros: illuminating in-memory injection attacks via provenance-based whole-system dynamic information flow tracking. In: 2018 48th annual IEEE/IFIP international conference on dependable systems and networks (DSN), pp 231–242. IEEE