Figure 1 - uploaded by Igor Korkin
Fingerprints of kernel-mode drivers in a memory dump: loaded drivers and their metadata  

Source publication
Article
This paper focuses on the anticipatory enhancement of methods of detecting stealth software. Cyber security detection tools are insufficiently powerful to reveal the most recent cyber-attacks which use malware. In this paper, we will first present an idea of the highest stealth malware, as this is the most complicated scenario for detection because...

Similar publications

Article
Physical memory acquisition is a prerequisite when performing memory forensics, referring to a set of techniques for acquiring and analyzing traces associated with user activity information, malware analysis, cyber incident response, and similar areas when the traces remain in the physical RAM. However, certain types of malware have applied anti-me...

Citations

... Their implementation was three times faster than the serial implementation on CPU. In 2016, to accelerate the statistical detection of zero-day malware, Igor Korkin et al. have proposed a technique using CUDA-enabled GPU hardware [12]. In their work, they used the GPU mainly for achieving speedup in memory forensics tasks. ...
Preprint
Due to the continuous increase in the number of malware (according to the AV-Test institute, a total of ~8 x 10^8 malware are already known, and every day they register ~2.5 x 10^4 malware) and files in computational devices, it is very important to design a system which can not only effectively but also efficiently detect new or previously unseen malware to prevent/minimize the damages. Therefore, this paper presents a novel group-wise approach for the efficient detection of malware by parallelizing the classification using the power of GPGPU and shows that by using the Naive Bayes classifier the detection speed-up can be boosted up to 200x. The investigation also shows that the classification time increases significantly with the number of features.
Chapter
Sahay, Sanjay K.; Chaudhari, Mayank
Due to the continuous increase in the number of malware (according to the AV-Test institute, total malware are already known, and every day they register malware) and files in computational devices, it is very important to design a system which can not only effectively but also efficiently detect new or previously unseen malware to prevent/minimize the damages. Therefore, this paper presents a novel group-wise approach for the efficient detection of malware by parallelizing the classification using the power of GPGPU and shows that by using the Naive Bayes classifier, the detection speedup can be boosted up to 200x. The investigation also shows that the classification time increases significantly with the number of features.
Article
The everlasting increase in the usage of information systems and online services has triggered the birth of a new type of malware which is more dangerous and hard to detect. In particular, according to recent reports, the new type of fileless malware infects the victims' devices without a persistent trace (i.e. file) on hard drives. Moreover, existing static malware detection methods in the literature often fail to detect sophisticated malware utilizing various obfuscation and encryption techniques. Our contribution in this study is two-fold. First, we present a novel approach to recognize malware by capturing the memory dump of suspicious processes, which can be represented as an RGB image. In contrast to the conventional approaches followed by static and dynamic methods existing in the literature, we aimed to obtain and use memory data to reveal visual patterns that can be classified by employing computer vision and machine learning methods in a multi-class open-set recognition regime. And second, we have applied a state-of-the-art manifold learning scheme named UMAP to improve the detection of unknown malware files through binary classification. Throughout the study, we have employed our novel dataset covering 4294 samples in total, including 10 malware families along with benign executables. Lastly, we obtained their memory dumps and converted them to RGB images by applying 3 different rendering schemes. In order to generate their signatures (i.e. feature vectors), we utilized GIST and HOG (Histogram of Gradients) descriptors as well as their combination. Moreover, the obtained signatures were classified via the machine learning algorithms j48, RBF kernel-based SMO, Random Forest, XGBoost and linear SVM. According to the results of the first phase, we have achieved prediction accuracy up to 96.39% by employing the SMO algorithm on the feature vectors combined with GIST+HOG. Besides, the UMAP-based manifold learning strategy has improved the accuracy of the unknown malware recognition models by up to 12.93%, 21.83% and 20.78% on average for the Random Forest, linear SVM and XGBoost algorithms respectively. Moreover, on a commercially available standard desktop computer, the suggested approach takes only 3.56 s for analysis on average. The results show that our vision-based scheme provides an effective protection mechanism against malicious applications.
Article
Threats that have been primarily targeting nation states and their associated entities have long since expanded their target zone to include private and corporate sectors. This class of threats, which every nation and organization wants to protect itself against, is known as Advanced Persistent Threats. While nation-sponsored attacks will always be marked for their sophistication, attacks that have become prominent in corporate sectors do not make it any less challenging for the organizations. The rate at which the attack tools and techniques are evolving is making any existing security measures they have inadequate. As defenders strive hard to secure every endpoint and every link within their networked system, attackers are finding new ways to penetrate into their target systems. With each day bringing new forms of malware with new signatures and behavior that is close to normal, a single traditional threat detection system would not suffice. These so-called Advanced Persistent Threats are difficult to achieve as well as difficult to detect. While it requires time and patience to perform an APT, solutions that adapt to the adapting behavior of APT attacker(s) are required. Several works have been published on detecting an APT attack at one or two of its stages, but very limited research exists on detecting APT as a whole from reconnaissance to clean-up, as one such solution demands complex correlation and behavior analysis of every event, user and system within the network and across the network. Through this survey paper, we intend to bring before you all those methods and techniques that could be used to detect different stages of APT attacks, and the learning methods that need to be applied and where, to make your threat detection framework smart and undecipherable for those adapting APT attackers. We also present you with different case studies of APT attacks, and different monitoring methods and deception methods to be employed for fine-grained control of the security of a networked system. We conclude our paper with the different types of challenges that one would face in defending against APT, and the opportunities for further research, ending with a note on what we learned during the writing of this paper.