Details
ISBN:
(Print) 9781479980215
Physical memory forensics has grown in popularity in recent years. Since malware typically operates in user space, it is important to reconstruct and track its process behavior. This paper focuses on detecting malware through a comparison of the information held in user-space memory data structures. In order to expedite information extraction and ensure accuracy, the data in multiple memory management structures in user space and in the kernel are used concurrently. In the proposed method, using descriptions of memory structures, we extract malware artifacts related to registry changes as well as calls to library files and operating system functions. The extracted features are then evaluated, and samples are classified according to the selected attributes. The best results include a 98% detection rate and a false positive rate of 16%, which indicates the effectiveness of the proposed behavior extraction method.