Early Detection of In-Memory Malicious Activity based on Run-time Environmental Features
- URL: http://arxiv.org/abs/2103.16029v1
- Date: Tue, 30 Mar 2021 02:19:00 GMT
- Title: Early Detection of In-Memory Malicious Activity based on Run-time Environmental Features
- Authors: Dorel Yaffe and Danny Hendler
- Abstract summary: We present a novel end-to-end solution for in-memory malicious activity detection done prior to exploitation. This solution achieves reduced overhead and false positives as well as deployment simplicity.
- Score: 4.213427823201119
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: In recent years malware has become increasingly sophisticated and difficult to detect prior to exploitation. While there are plenty of approaches to malware detection, they all have shortcomings when it comes to identifying malware correctly prior to exploitation. The trade-off is usually between false positives, causing overhead and preventing normal usage, and the risk of letting the malware execute and cause damage to the target. We present a novel end-to-end solution for in-memory malicious activity detection done prior to exploitation by leveraging machine learning capabilities based on data from unique run-time logs, which are carefully curated in order to detect malicious activity in the memory of protected processes. This solution achieves reduced overhead and false positives as well as deployment simplicity. We implemented our solution for Windows-based systems, employing multidisciplinary knowledge from malware research, machine learning, and operating system internals. Our experimental evaluation yielded promising results. As we expect future sophisticated malware may try to bypass it, we also discuss how our solution can be extended to thwart such bypassing attempts.
Related papers
- EarlyMalDetect: A Novel Approach for Early Windows Malware Detection Based on Sequences of API Calls [0.7373617024876725] (2024-07-18)
  We propose EarlyMalDetect, a novel approach for early Windows malware detection based on sequences of API calls. EarlyMalDetect can predict and reveal what a malware program is going to perform on the target system before it occurs. Our extensive experimental evaluations show that the proposed approach is highly effective in predicting malware behaviors.
- Understanding crypter-as-a-service in a popular underground marketplace [51.328567400947435] (2024-05-20)
  Crypters are pieces of software whose main goal is to transform a target binary so it can avoid detection from anti-virus (AV) applications. The crypter-as-a-service model has gained popularity, in response to the increased sophistication of detection mechanisms. This paper provides the first study on an online underground market dedicated to crypter-as-a-service.
- Enhancing Enterprise Network Security: Comparing Machine-Level and Process-Level Analysis for Dynamic Malware Detection [2.812395851874055] (2023-10-27)
  Dynamic analysis can overcome evasion techniques commonly used to bypass static analysis. A malicious machine does not necessarily mean all running processes on the machine are also malicious. The existence of background applications decreases previous state-of-the-art accuracy by about 20.12% on average.
- DRSM: De-Randomized Smoothing on Malware Classifier Providing Certified Robustness [58.23214712926585] (2023-03-20)
  We develop a certified defense, DRSM (De-Randomized Smoothed MalConv), by redesigning the de-randomized smoothing technique for the domain of malware detection. Specifically, we propose a window ablation scheme to provably limit the impact of adversarial bytes while maximally preserving local structures of the executables. We are the first to offer certified robustness in the realm of static detection of malware executables.
- Ransomware Detection using Process Memory [0.0] (2022-03-31)
  This study focuses on the inner workings and main function of ransomware. New signatures and fingerprints of ransomware families can be identified to classify novel ransomware attacks correctly. Several well-known machine learning algorithms were explored with an accuracy range of 81.38 to 96.28 percent.
- Detecting Ransomware Execution in a Timely Manner [0.0] (2022-01-12)
  In recent times ransomware has spread from traditional computational resources to cyber-physical systems and industrial controls. We devised a series of experiments in which virtual instances are infected with ransomware. We design a change point detection and learning method for identifying ransomware execution.
- Adversarial Attacks against Windows PE Malware Detection: A Survey of the State-of-the-Art [44.975088044180374] (2021-12-23)
  This paper focuses on malware with the file format of portable executable (PE) in the family of Windows operating systems, namely Windows PE malware. We first outline the general learning framework of Windows PE malware detection based on ML/DL. We then highlight three unique challenges of performing adversarial attacks in the context of PE malware.
- Mate! Are You Really Aware? An Explainability-Guided Testing Framework for Robustness of Malware Detectors [49.34155921877441] (2021-11-19)
  We propose an explainability-guided and model-agnostic testing framework for robustness of malware detectors. We then use this framework to test several state-of-the-art malware detectors' abilities to detect manipulated malware. Our findings shed light on the limitations of current malware detectors, as well as how they can be improved.
- Being Single Has Benefits. Instance Poisoning to Deceive Malware Classifiers [47.828297621738265] (2020-10-30)
  We show how an attacker can launch a sophisticated and efficient poisoning attack targeting the dataset used to train a malware classifier. As opposed to other poisoning attacks in the malware detection domain, our attack does not focus on malware families but rather on specific malware instances that contain an implanted trigger. We propose a comprehensive detection approach that could serve as a future sophisticated defense against this newly discovered severe threat.
- Adversarial EXEmples: A Survey and Experimental Evaluation of Practical Attacks on Machine Learning for Windows Malware Detection [67.53296659361598] (2020-08-17)
  Adversarial EXEmples can bypass machine learning-based detection by perturbing relatively few input bytes. We develop a unifying framework that does not only encompass and generalize previous attacks against machine-learning models, but also includes three novel attacks. These attacks, named Full DOS, Extend and Shift, inject the adversarial payload by respectively manipulating the DOS header, extending it, and shifting the content of the first section.