Malware Detection for Forensic Memory Using Deep Recurrent Neural Networks
Open Access
- 1 January 2020
- journal article
- research article
- Published by Scientific Research Publishing, Inc. in Journal of Information Security
- Vol. 11 (02), 103-120
- https://doi.org/10.4236/jis.2020.112007
Abstract
Memory forensics is a young but fast-growing area of research and a promising one for the field of computer forensics. The learned model is proposed to reside in an isolated core with strict communication restrictions to achieve incorruptibility as well as efficiency, therefore providing a probabilistic memory-level view of the system that is consistent with the user-level view. The lower level memory blocks are constructed using primary block sequences of varying sizes that are fed as input into Long-Short Term Memory (LSTM) models. Four configurations of the LSTM model are explored by adding bi- directionality as well as attention. Assembly level data from 50 Windows portable executable (PE) files are extracted, and basic blocks are constructed using the IDA Disassembler toolkit. The results show that longer primary block sequences result in richer LSTM hidden layer representations. The hidden states are fed as features into Max pooling layers or Attention layers, depending on the configuration being tested, and the final classification is performed using Logistic Regression with a single hidden layer. The bidirectional LSTM with Attention proved to be the best model, used on basic block sequences of size 29. The differences between the model’s ROC curves indicate a strong reliance on the lower level, instructional features, as opposed to metadata or string features.Keywords
This publication has 13 references indexed in Scilit:
- Deep Neural Networks for Automatic Android Malware DetectionPublished by Association for Computing Machinery (ACM) ,2017
- Function Interface Analysis: A Principled Approach for Function Recognition in COTS BinariesPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2017
- Malware classification with LSTM and GRU language models and a character-level CNNPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2017
- An investigation of byte n-gram features for malware classificationJournal of Computer Virology and Hacking Techniques, 2016
- Deep Learning for Just-in-Time Defect PredictionPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2015
- Malware classification with recurrent networksPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2015
- Acquisition and analysis of compromised firmware using memory forensicsDigital Investigation, 2015
- Anti-forensic resilient memory acquisitionDigital Investigation, 2013
- Using spatio-temporal information in API calls with machine learning algorithms for malware detectionPublished by Association for Computing Machinery (ACM) ,2009
- Long Short-Term MemoryNeural Computation, 1997