Multinomial malware classification via low-level features

“…A previous work [8] presented an attempt to fill the gap between low-level activity (memory access patterns) and its high-level (more human understandable API calls) representation. During the study it was also found, that under the experimental design used in [8] and [7] most of the recorded behavioral activity emerged not from the main module of an executable (after the Entry Point 1 -AEP) but prior to the moment when instruction pointer (IP) is set to the Entry Point (before the Entry Point -BEP). Without going into much details (see Section 2 for details) these findings showed, that it is potentially possible to detect running malicious executable before it starts executing the logic that was put into it by the creator.…”

“…API and system calls, network and file activity are some of the high-level features, while memory access operations, opcodes or hardware performance counters are the low-level features. Basically we perceive behavioral features that emerge from the system's hardware as the low-level ones [7] [13] [20]. Static features are easier to change for an attacker utilizing techniques such as obfuscation or encryption.…”

“…Moreover, as soon as malware is launched -it is impossible to avoid execution on the system's hardware. That's why in this paper we use low-level features such as memory access patterns for malware detection [9] and classification [7].…”

“…Memory access patterns previously were proven to be effective features for malware detection [9] and classification [7]. A memory access pattern is a sequence of read and write operations performed by an executable and will be described in details in Section 3.…”

Detection of Running Malware Before it Becomes Malicious

“…A previous work [8] presented an attempt to fill the gap between low-level activity (memory access patterns) and its high-level (more human understandable API calls) representation. During the study it was also found, that under the experimental design used in [8] and [7] most of the recorded behavioral activity emerged not from the main module of an executable (after the Entry Point 1 -AEP) but prior to the moment when instruction pointer (IP) is set to the Entry Point (before the Entry Point -BEP). Without going into much details (see Section 2 for details) these findings showed, that it is potentially possible to detect running malicious executable before it starts executing the logic that was put into it by the creator.…”

“…API and system calls, network and file activity are some of the high-level features, while memory access operations, opcodes or hardware performance counters are the low-level features. Basically we perceive behavioral features that emerge from the system's hardware as the low-level ones [7] [13] [20]. Static features are easier to change for an attacker utilizing techniques such as obfuscation or encryption.…”

“…Moreover, as soon as malware is launched -it is impossible to avoid execution on the system's hardware. That's why in this paper we use low-level features such as memory access patterns for malware detection [9] and classification [7].…”

“…Memory access patterns previously were proven to be effective features for malware detection [9] and classification [7]. A memory access pattern is a sequence of read and write operations performed by an executable and will be described in details in Section 3.…”

Detection of Running Malware Before it Becomes Malicious

“…Kodun istifadə etdiyi kitabxanalar "stub" adı verilən, daha sonra əsliylə dəyişdiriləcək müvəqqəti kod hissələri ilə dəyişdirilir. Aşağıdakı inyeksiya növlərini kimi göstərmək olar: proseslərin inyeksiyası, kitabxanaların inyeksiyası, yüklənmədən qabaq mühitin inyeksiyası [6].…”

Kompüter şəbəkələrində zərərli proqramların analizi üsulları

A Deep Malware Detection Method Based on General-Purpose Register Features