TY - GEN
T1 - Detective
T2 - IEEE International Conference on Communications, ICC 2015
AU - Duan, Yiheng
AU - Fu, Xiao
AU - Luo, Bin
AU - Wang, Ziqi
AU - Shi, Jin
AU - Du, Xiaojiang
N1 - Publisher Copyright:
© 2015 IEEE.
PY - 2015/9/9
Y1 - 2015/9/9
N2 - Current memory forensic methods mainly focus on evidence collection and data recovery. Little work addresses how to automatically identify malware among many unknown processes and analyze its behavior at a high semantic level so as to collect related evidence. In fact, in real cases, investigators are often faced with a large number of processes that they have no knowledge of. Although current malware detection tools can provide some help, they usually cannot illustrate the purposes, abilities and behavior details of malware and are thus often not fit for forensic requirements. In this paper, we present a framework named Detective to cope with these issues. Given a set of unknown processes, Detective can classify benign and malware processes automatically. This is implemented by the HNB classifying algorithm and a Dynamic-Link Libraries-based model. Detective can then explain malware behaviors at a high semantic level through clustering and frequent item set mining techniques. Besides, Detective sheds light on evidence collection using the information obtained in the previous steps. Detective is applicable to both online and offline forensic scenarios. Experiments on a real-world malware set have proved that the accuracy of Detective is above 90% and the time cost is only several seconds.
AB - Current memory forensic methods mainly focus on evidence collection and data recovery. Little work addresses how to automatically identify malware among many unknown processes and analyze its behavior at a high semantic level so as to collect related evidence. In fact, in real cases, investigators are often faced with a large number of processes that they have no knowledge of. Although current malware detection tools can provide some help, they usually cannot illustrate the purposes, abilities and behavior details of malware and are thus often not fit for forensic requirements. In this paper, we present a framework named Detective to cope with these issues. Given a set of unknown processes, Detective can classify benign and malware processes automatically. This is implemented by the HNB classifying algorithm and a Dynamic-Link Libraries-based model. Detective can then explain malware behaviors at a high semantic level through clustering and frequent item set mining techniques. Besides, Detective sheds light on evidence collection using the information obtained in the previous steps. Detective is applicable to both online and offline forensic scenarios. Experiments on a real-world malware set have proved that the accuracy of Detective is above 90% and the time cost is only several seconds.
KW - DLL
KW - data mining
KW - malware processes
KW - memory forensics
UR - http://www.scopus.com/inward/record.url?scp=84953750416&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84953750416&partnerID=8YFLogxK
U2 - 10.1109/ICC.2015.7249229
DO - 10.1109/ICC.2015.7249229
M3 - Conference contribution
AN - SCOPUS:84953750416
T3 - IEEE International Conference on Communications
SP - 5691
EP - 5696
BT - 2015 IEEE International Conference on Communications, ICC 2015
Y2 - 8 June 2015 through 12 June 2015
ER -