As cyber attacks grow more complex and sophisticated, new types of malware become more dangerous and challenging to detect. In particular, fileless malware injects malicious code directly into physical memory without leaving attack traces in disk files. This type of attack is well concealed, and it is difficult to find the malicious code in static files. For malicious processes in memory, signature-based detection methods are becoming increasingly ineffective. Facing these challenges, this paper proposes a malware detection approach based on a convolutional neural network and memory forensics. As malware has many symmetric features, the saved training model can detect malicious code with symmetric features. The method includes collecting static malicious and benign executable samples, running the collected samples in a sandbox, and building a dataset of portable executables in memory through memory forensics. When a process is running, not all of the program content is loaded into memory, so binary fragments are used for malware analysis instead of entire portable executable (PE) files. PE file fragments are selected with different lengths and locations. We conducted several experiments on the produced dataset to test our model. The PE file with a 4096-byte header fragment has the highest accuracy. We achieved a prediction accuracy of up to 97.48%. Moreover, an example of a fileless attack is illustrated at the end of the paper. The results show that the proposed method can detect malicious code effectively, especially fileless attacks. Its accuracy is better than that of common machine learning methods.

To combat such threats, much research has been carried out in various fields, including deep learning, memory forensics, number theory, and so on. Memory forensics offers unique insights into the internal state of the kernel and of running programs. Memory has a high potential to contain malicious code from an infection, in whole or in part, even if it is never written to disk, because code must be loaded into memory to execute. The analysis target of memory forensics is a memory dump, from which attack traces can be extracted. By contrast, these traces are not available through the traditional disk analysis method.

During memory analysis, malware is executed in a sandbox to prevent it from damaging the entire computer system, which is accomplished by establishing virtual machines. Memory data must be collected in a timely manner while the malware is running on the virtual machine (VM). In this paper, the memory data are dumped to disk using the memory dump algorithm for further analysis. In addition to dumping the memory data, malicious portable executable (PE) files must be extracted from thousands of memory data items as sample data. [citation missing] presented an approach to recognize malware by capturing the memory dump of suspicious processes, which can be represented as an RGB image. However, collecting malicious memory data in this manner is inadequate. The extracted process potentially did not load malicious code into memory. Some malicious processes inject into new processes to perform malicious actions. In this case, extracting a single malicious process cannot fully reflect the malicious behavior of the process. Extracting only a single running malicious process cannot fully reflect the value of memory analysis. The dataset in this paper takes multiple dumps of memory images and extracts all processes and DLL data. By close analysis of this information, benign and malicious data can be classified through a detection platform. Computer forensics approaches are divided into dynamic and static analysis. Static analysis is built on the premise of not running the program. It includes the extraction of static code features, such as components, instructions, control flow, and function calling sequences, for anomaly detection. [citation missing] designed a set of fine-grained binary integrity verification schemes to check the integrity of binary files in virtual machines. The static analysis method had high sample coverage. Still, a multi-angle analysis was required to detect malicious code that uses technologies such as deformation, polymorphism, code obfuscation, and encryption.
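The preprocessing pipeline described above (carving PE images out of a memory dump, cutting fixed-length fragments such as the 4096-byte header fragment at chosen locations, and reshaping each fragment into the grayscale matrix a CNN consumes) can be made concrete with the following added example. It is not the paper's code: the dump is a constructed byte string containing a decoy `MZ` stamp and two fake PE images (one truncated), the fake images carry only a DOS stub and COFF header, and the function names are assumptions. It uses only the Python standard library.

```python
"""Added example (not the paper's code): locate in-memory PE images in a raw
memory dump and cut fixed-length fragments from them for a CNN classifier."""
import struct

DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C   # DOS header field that holds the PE header offset


def find_pe_headers(dump: bytes) -> list:
    """Return offsets in `dump` where a plausible PE image starts.

    A hit needs both the DOS 'MZ' stamp and the 'PE\\0\\0' signature at the
    e_lfanew offset it announces. Stray 'MZ' bytes whose e_lfanew points
    outside the dump or back into the DOS header are rejected, which keeps
    random filler from being carved as samples.
    """
    hits = []
    pos = dump.find(DOS_MAGIC)
    while pos != -1:
        field = pos + E_LFANEW_OFFSET
        if field + 4 <= len(dump):
            e_lfanew = struct.unpack_from("<I", dump, field)[0]
            pe = pos + e_lfanew
            if e_lfanew >= 0x40 and pe + 4 <= len(dump) and dump[pe:pe + 4] == PE_MAGIC:
                hits.append(pos)
        pos = dump.find(DOS_MAGIC, pos + 1)
    return hits


def coff_summary(dump: bytes, image_offset: int) -> dict:
    """Decode the 20-byte COFF file header of the PE image at `image_offset`."""
    e_lfanew = struct.unpack_from("<I", dump, image_offset + E_LFANEW_OFFSET)[0]
    coff = image_offset + e_lfanew + 4
    machine, nsections, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", dump, coff)
    return {"machine": machine, "sections": nsections,
            "optional_header_size": opt_size, "characteristics": chars}


def extract_fragment(dump: bytes, start: int, length: int) -> bytes:
    """Cut `length` bytes at `start`; zero-pad when the dump ends early so every
    fragment has the same shape regardless of where in the image it was cut."""
    frag = dump[start:start + length]
    return frag + b"\0" * (length - len(frag))


def fragment_to_matrix(fragment: bytes, width: int) -> list:
    """Reshape a fragment into rows of `width` byte values (a grayscale image),
    zero-padding the last row. This is the tensor layout a CNN would take."""
    rows = []
    for i in range(0, len(fragment), width):
        row = list(fragment[i:i + width])
        rows.append(row + [0] * (width - len(row)))
    return rows


def _fake_pe_image(nsections: int) -> bytes:
    """Constructed minimal PE image: DOS header, stub, PE signature, COFF header."""
    dos = bytearray(0x40)
    dos[0:2] = DOS_MAGIC
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x80)
    coff = struct.pack("<HHIIIHH", 0x8664, nsections, 0, 0, 0, 0xF0, 0x0022)
    return bytes(dos) + b"\0" * 0x40 + PE_MAGIC + coff + bytes(range(256)) * 8


# Constructed memory dump: filler, a decoy 'MZ' with an out-of-range e_lfanew,
# a complete fake image, more filler, and a second image cut short by the dump end.
_decoy = DOS_MAGIC + b"\0" * 0x3A + struct.pack("<I", 0xFFFFFF00)
_parts = [b"\x11" * 100, _decoy, b"\x22" * 50, _fake_pe_image(2),
          b"\x33" * 300, _fake_pe_image(5)[:300]]
DUMP = b"".join(_parts)
IMAGE_OFFSETS = [sum(map(len, _parts[:3])), sum(map(len, _parts[:5]))]


if __name__ == "__main__":
    for off in find_pe_headers(DUMP):
        print(hex(off), coff_summary(DUMP, off))
        header_frag = extract_fragment(DUMP, off, 4096)   # the 4096-byte header fragment
        print(len(header_frag), len(fragment_to_matrix(header_frag, 64)), "rows")
```

The decoy demonstrates why carving cannot stop at the `MZ` stamp alone: a dump of all processes and DLLs contains many two-byte coincidences, and feeding those to the classifier would pollute the dataset. Fragments at other locations are obtained by passing `off + delta` as `start`, so the same routine serves the paper's comparison of fragment lengths and positions.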