Authors: Jiaxi Liu, Yun Feng, Xinyu Liu, Jianjun Zhao, Qixu Liu
Affiliations: [1] Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100085, China; [2] School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
Source: Cybersecurity (网络空间安全科学与技术, English edition), 2024, Issue 1, pp. 88-109 (22 pages)
Funding: supported by the Youth Innovation Promotion Association CAS (No. 2019163); the Strategic Priority Research Program of Chinese Academy of Sciences (No. XDC02040100); the Key Laboratory of Network Assessment Technology at Chinese Academy of Sciences and Beijing Key Laboratory of Network Security and Protection Technology.
Abstract: Cyber attackers have constantly updated their attack techniques to evade antivirus software detection in recent years. One popular evasion method is to execute malicious code and perform malicious actions only in memory. Malicious programs that use this attack method are called memory-resident malware; they have excellent evasion capability and have posed huge threats to cyber security. Traditional static and dynamic methods are not effective in detecting memory-resident malware. In addition, existing memory forensics detection solutions perform unsatisfactorily in detection rate and depend on massive expert knowledge in memory analysis. This paper proposes MRm-DLDet, a state-of-the-art memory-resident malware detection framework, to overcome these drawbacks. MRm-DLDet first builds a virtual machine environment and captures memory dumps, then creatively processes the memory dumps into RGB images using a pre-processing technique that combines deduplication and ultra-high resolution image cropping, followed by our neural network MRmNet in MRm-DLDet, which fully extracts high-dimensional features from the memory dump files and detects them. MRmNet receives the labeled sub-images of the cropped high-resolution RGB images as input to ResNet-18, which extracts the features of the sub-images. It then trains a network of gated recurrent units with an attention mechanism. Finally, it determines whether a program is memory-resident malware based on the detection results of each sub-image through a specially designed voting layer. We created a high-quality dataset consisting of 2,060 benign and memory-resident programs. In other words, the dataset contains 1,287,500 labeled sub-images cut from the MRm-DLDet transformed ultra-high resolution RGB images. We implement MRm-DLDet for Windows 10, and it performs better than the latest methods, with a detection accuracy of up to 98.34%. Moreover, we measured the effects of mimicry and adversarial attacks on MRm-DLDet, and the experimental results demonstrated the robustness of MRm-DLDet.
Keywords: Memory-resident malware; Memory forensics; Malware detection; Deep learning; Ultra-high resolution image
Classification number: TP393.08 [Automation and Computer Technology / Computer Application Technology]