Catch them alive: A malware detection approach through memory forensics, manifold learning and computer vision
Stored in:

| Published in: | Computers & security 2021-04, Vol.103, p.102166, Article 102166 |
|---|---|
| Main authors: | |
| Format: | Article |
| Language: | eng |
| Subjects: | |
| Online access: | Full text |
Abstract:

Highlights:

- We proposed a new memory dumping and computer vision based method to detect malware in memory even if it does not exist on the hard drive.
- We released a publicly available memory dump dataset called “Dumpware10” involving 10 malware classes together with benign samples for future research.
- We applied and benchmarked four different binary-to-image rendering schemes.
- The state-of-the-art manifold learning and dimension reduction technique named UMAP was used for the first time in the problem domain for better discrimination.
- The proposed approach shows competitive performance to state-of-the-art deep learning based solutions.

The everlasting increase in the usage of information systems and online services has triggered the birth of a new type of malware that is more dangerous and harder to detect. In particular, according to recent reports, the new type of fileless malware infects victims’ devices without a persistent trace (i.e. a file) on hard drives. Moreover, existing static malware detection methods in the literature often fail to detect sophisticated malware utilizing various obfuscation and encryption techniques. Our contribution in this study is two-fold. First, we present a novel approach to recognize malware by capturing the memory dump of suspicious processes, which can be represented as an RGB image. In contrast to the conventional approaches followed by static and dynamic methods existing in the literature, we aimed to obtain and use memory data to reveal visual patterns that can be classified by employing computer vision and machine learning methods in a multi-class open-set recognition regime. Second, we have applied a state-of-the-art manifold learning scheme named UMAP to improve the detection of unknown malware files through binary classification. Throughout the study, we have employed our novel dataset covering 4294 samples in total, including 10 malware families along with benign executables. Lastly, we obtained their memory dumps and converted them to RGB images by applying 3 different rendering schemes. In order to generate their signatures (i.e. feature vectors), we utilized GIST and HOG (Histogram of Gradients) descriptors as well as their combination. Moreover, the obtained signatures were classified via the machine learning algorithms j48, RBF kernel-based SMO, Random Forest, XGBoost and linear SVM. According to the results of the first phase, we have achieved prediction accuracy of up to 96.39% by employing the SMO algorithm on the feature vectors c
| ISSN: | 0167-4048 1872-6208 |
|---|---|
| DOI: | 10.1016/j.cose.2020.102166 |