• DocumentCode
    260226
  • Title
    A new approach to malware detection by comparative analysis of data structures in a memory image
  • Author
    Aghaeikheirabady, Masoume ; Farshchi, Seyyed Mohammad Reza ; Shirazi, Hossein
  • Author_Institution
    Dept. of Information Technol. & Commun. Security, Malek Ashtar Univ., Tehran, Iran
  • fYear
    2014
  • fDate
    26-27 Nov. 2014
  • Firstpage
    1
  • Lastpage
    4
  • Abstract
    Physical memory forensics has grown in popularity in recent years. Since malware typically operates in user space, it is important to reconstruct and track its process behavior. This paper focuses on detecting malware through a comparison of the information in the user space memory data structures. In order to expedite information extraction and ensure accuracy, the data in multiple memory management structures in the user space and the kernel are used concurrently. In the proposed method, using descriptions of memory structures, we extract malware artifacts related to registry changes as well as calls to library files and operating system functions. The extracted features are then evaluated, and samples are classified according to the selected attributes. The best results include a 98% detection rate and a false positive rate of 16%, which indicates the effectiveness of the proposed behavior extraction method.
  • Keywords
    data structures; digital forensics; feature extraction; invasive software; storage management; behavior extraction method; comparative analysis; detection rate; false positive rate; feature extraction; information extraction; library files; malware artifact; malware detection; memory image; memory structure; multiple memory management structure; operating system function; physical memory forensic; user space memory data structure; Computers; Data mining; Feature extraction; Forensics; Kernel; Malware;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Technology, Communication and Knowledge (ICTCK), 2014 International Congress on
  • Conference_Location
    Mashhad
  • Type
    conf
  • DOI
    10.1109/ICTCK.2014.7033519
  • Filename
    7033519