Towards Architecture and OS-Independent Malware Detection via Memory Forensics

Year
2018
Type(s)
Author(s)
Rachel Petrik, Berat Arik, and Jared M. Smith
Source
ACM Conference on Computer and Communications Security (ACM CCS)
Url
https://dl.acm.org/citation.cfm?id=3278527
BibTeX

In this work, we take a fundamentally different approach to the problem of analyzing a device for compromise by malware: our approach is independent of the operating system and instruction-set architecture and relies only on the raw binary data extracted from a memory dump of the device. Our system leverages a multi-hundred-TB dataset of both compromised host memory dumps, extracted from the MalRec dataset, and the first known dataset of benign host memory dumps taken from hosts running normal, non-compromised software. After an average of 30 to 45 seconds of pre-processing per memory dump, our system applies both traditional machine learning and deep learning algorithms to achieve an average accuracy of 98% in detecting a compromised host.