用于进程表征和恶意软件检测的内存图像的机器学习分析

2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W) Pub Date : 2022-06-01 DOI:10.1109/dsn-w54100.2022.00035

Seth Lyles, Mark Desantis, John Donaldson, Micaela Gallegos, Hannah Nyholm, C. Taylor, Kristine Monteith

{"title":"用于进程表征和恶意软件检测的内存图像的机器学习分析","authors":"Seth Lyles, Mark Desantis, John Donaldson, Micaela Gallegos, Hannah Nyholm, C. Taylor, Kristine Monteith","doi":"10.1109/dsn-w54100.2022.00035","DOIUrl":null,"url":null,"abstract":"As signature-based malware detection techniques mature, malware authors have been forced to leave fewer footprints on target machines. Malicious activity can be conducted by chaining together benign, built-in functions in subversive ways. Because the functions are native to the host system, attackers can slip under the radar of signature filtering tools such as YARA. To address this challenge, we utilize the Volatility memory forensics framework to measure and characterize typical in-memory behavior, then observe the deviations from normal use that may indicate a compromise. We demonstrate that processes have characteristic memory footprints, and that machine learning models can flag malicious behavior as anomalous.","PeriodicalId":349937,"journal":{"name":"2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W)","volume":"24 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":"{\"title\":\"Machine Learning Analysis of Memory Images for Process Characterization and Malware Detection\",\"authors\":\"Seth Lyles, Mark Desantis, John Donaldson, Micaela Gallegos, Hannah Nyholm, C. Taylor, Kristine Monteith\",\"doi\":\"10.1109/dsn-w54100.2022.00035\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"As signature-based malware detection techniques mature, malware authors have been forced to leave fewer footprints on target machines. Malicious activity can be conducted by chaining together benign, built-in functions in subversive ways. Because the functions are native to the host system, attackers can slip under the radar of signature filtering tools such as YARA. To address this challenge, we utilize the Volatility memory forensics framework to measure and characterize typical in-memory behavior, then observe the deviations from normal use that may indicate a compromise. We demonstrate that processes have characteristic memory footprints, and that machine learning models can flag malicious behavior as anomalous.\",\"PeriodicalId\":349937,\"journal\":{\"name\":\"2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W)\",\"volume\":\"24 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2022-06-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/dsn-w54100.2022.00035\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/dsn-w54100.2022.00035","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 1

摘要

随着基于签名的恶意软件检测技术的成熟，恶意软件作者被迫在目标机器上留下更少的足迹。恶意活动可以通过以颠覆的方式将良性的内置功能链接在一起来进行。由于这些功能是主机系统固有的，攻击者可以躲过诸如YARA等签名过滤工具的监视。为了应对这一挑战，我们利用波动性内存取证框架来测量和描述典型的内存行为，然后观察与正常使用的偏差，这些偏差可能表明存在妥协。我们证明了进程具有特征内存足迹，并且机器学习模型可以将恶意行为标记为异常。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Machine Learning Analysis of Memory Images for Process Characterization and Malware Detection

As signature-based malware detection techniques mature, malware authors have been forced to leave fewer footprints on target machines. Malicious activity can be conducted by chaining together benign, built-in functions in subversive ways. Because the functions are native to the host system, attackers can slip under the radar of signature filtering tools such as YARA. To address this challenge, we utilize the Volatility memory forensics framework to measure and characterize typical in-memory behavior, then observe the deviations from normal use that may indicate a compromise. We demonstrate that processes have characteristic memory footprints, and that machine learning models can flag malicious behavior as anomalous.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W)

自引率

0.00%

发文量