Memory access patterns for malware detection
Journal article, Peer reviewed
MetadataVis full innførsel
OriginalversjonNorsk Informasjonssikkerhetskonferanse (NISK). 2016, 96-107.
Malware brings significant threats to modern digitized society. Malware developers put in significant efforts to evade detection and remain unnoticed on victims' computers despite a number of malware detection techniques. To eliminate known and noticeable traces in memory, network or disk activities, they use encryption and obfuscation. Because of this, there remains a strong need for new malware detection methods, especially ones based on Machine Learning models, because processing of large amounts of data is not a suitable task for a human. This paper presents a novel method that could potentially detect zero-day attacks and contribute to proactive malware detection. Our method is based on analysis of sequences of memory access operations produced by binary le during execution. In order to perform experiments, we utilized an automated virtualized environment with binary instrumentation tools to trace the memory access sequences. Unlike the other relevant papers, we focus only on analysis of basic (Read and Write) memory access operations and their n-grams rather than on the fact of a presence or an overall number of operations. Additionally, we performed a study of n-grams of memory accesses and tested it against real-world malware samples collected from open sources. Collected data and proposed feature construction methods resulted in accuracy of up to 98.92% using such Machine Learning methods as k-NN and ANN. Thus, we believe that our proposed method will serve as a stepping stone for better proactive malware detection techniques in the future.