MRm-DLDet: a memory-resident malware detection framework based on memory forensics and deep neural network

Jiaxi Liu; Yun Feng; Xinyu Liu; Jianjun Zhao; Qixu Liu

doi:10.1186/s42400-023-00157-w

Cybersecurity (Aug 2023)

MRm-DLDet: a memory-resident malware detection framework based on memory forensics and deep neural network

Jiaxi Liu,
Yun Feng,
Xinyu Liu,
Jianjun Zhao,
Qixu Liu

Affiliations

Jiaxi Liu: Institute of Information Engineering, Chinese Academy of Sciences
Yun Feng: Institute of Information Engineering, Chinese Academy of Sciences
Xinyu Liu: Institute of Information Engineering, Chinese Academy of Sciences
Jianjun Zhao: Institute of Information Engineering, Chinese Academy of Sciences
Qixu Liu: Institute of Information Engineering, Chinese Academy of Sciences

DOI: https://doi.org/10.1186/s42400-023-00157-w
Journal volume & issue: Vol. 6, no. 1
pp. 1 – 22

Abstract

Read online

Abstract Cyber attackers have constantly updated their attack techniques to evade antivirus software detection in recent years. One popular evasion method is to execute malicious code and perform malicious actions only in memory. Malicious programs that use this attack method are called memory-resident malware, with excellent evasion capability, and have posed huge threats to cyber security. Traditional static and dynamic methods are not effective in detecting memory-resident malware. In addition, existing memory forensics detection solutions perform unsatisfactorily in detection rate and depend on massive expert knowledge in memory analysis. This paper proposes MRm-DLDet, a state-of-the-art memory-resident malware detection framework, to overcome these drawbacks. MRm-DLDet first builds a virtual machine environment and captures memory dumps, then creatively processes the memory dumps into RGB images using a pre-processing technique that combines deduplication and ultra-high resolution image cropping, followed by our neural network MRmNet in MRm-DLDet to fully extract high-dimensional features from memory dump files and detect them. MRmNet receives the labeled sub-images of the cropped high-resolution RGB images as input of ResNet-18, which extracts the features of the sub-images. Then trains a network of gated recurrent units with an attention mechanism. Finally, it determines whether a program is memory-resident malware based on the detection results of each sub-image through a specially designed voting layer. We created a high-quality dataset consisting of 2,060 benign and memory-resident programs. In other words, the dataset contains 1,287,500 labeled sub-images cut from the MRm-DLDet transformed ultra-high resolution RGB images. We implement MRm-DLDet for Windows 10, and it performs better than the latest methods, with a detection accuracy of up to 98.34 $$\%$$ % . Moreover, we measured the effects of mimicry and adversarial attacks on MRm-DLDet, and the experimental results demonstrated the robustness of MRm-DLDet.

Published in Cybersecurity

ISSN: 2523-3246 (Online)
Publisher: SpringerOpen
Country of publisher: Singapore
LCC subjects: Technology: Electrical engineering. Electronics. Nuclear engineering: Electronics: Computer engineering. Computer hardware; Science: Mathematics: Instruments and machines: Electronic computers. Computer science
Website: https://cybersecurity.springeropen.com/

About the journal

Abstract

Keywords