Detecting obfuscated malware using memory feature engineering
University of New Brunswick
Memory analysis is critical to detecting malicious processes, because memory holds the runtime state of every executing process, malicious ones included. A memory image can therefore be read as a timeline of process activity and used to decide whether a process is malicious. Although the field is well researched, malware detection still faces major obstacles, notably detection rate and advanced malware obfuscation. Malware is growing rapidly both in volume and in the complexity it uses to evade detection; this newer, more complex malware is termed advanced malware, and it relies on obfuscation and related techniques to stay hidden. There is therefore a strong need for an efficient framework focused on detecting obfuscated and hidden malware. In this research, VolMemLyzer, one of the most up-to-date memory feature extractors for learning systems, has been extended to target hidden and obfuscated malware, and its features are combined with a stacked ensemble machine learning model to form a framework for efficient malware detection. A dedicated malware memory dataset was also created to evaluate this framework, built to simulate real-world obfuscated malware as closely as possible. The results show that the proposed solution detects obfuscated and hidden malware using memory feature engineering extremely fast, with an Accuracy and F1-Score of 99.00% and 99.02%, respectively.
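As an added example (not code from the paper, from VolMemLyzer, or from the dataset described above), the block below shows the kind of memory feature engineering the abstract refers to: it parses constructed, simplified renditions of Volatility-style pslist, psscan and malfind output and turns them into a flat numeric feature vector of the sort a classifier consumes. The column layout, the process names and the feature names are assumptions of this example, not the tool's own output or feature set. The cross-view feature (a process present in the pool scan but absent from the linked-list walk) is the one that exposes a process hidden by unlinking it from the active-process list.

```python
"""Memory feature engineering from Volatility-style plugin output.

Added example, not code from the paper or from VolMemLyzer. The inputs are
constructed, simplified renditions of what pslist, psscan and malfind print;
column layout, process names and feature names are assumptions of this example.
"""
from dataclasses import dataclass
from statistics import mean

# Constructed sample: a pslist-style view that walks the EPROCESS linked list.
# Columns: PID PPID name threads
PSLIST_OUTPUT = """\
4     0     System            120
368   4     smss.exe          2
520   368   csrss.exe         10
612   520   winlogon.exe      5
1044  612   explorer.exe      24
2200  1044  notepad.exe       1
"""

# Constructed sample: a psscan-style view built by scanning pool memory, so it
# also finds PID 1988, which has been unlinked from the list (DKOM-style hiding).
PSSCAN_OUTPUT = """\
4     0     System            120
368   4     smss.exe          2
520   368   csrss.exe         10
612   520   winlogon.exe      5
1044  612   explorer.exe      24
2200  1044  notepad.exe       1
1988  612   svchost.exe       6
"""

# Constructed sample: malfind-style hits, one row per suspicious region.
# Columns: PID name vaddr protection
MALFIND_OUTPUT = """\
1044  explorer.exe  0x02f40000  PAGE_EXECUTE_READWRITE
1988  svchost.exe   0x00400000  PAGE_EXECUTE_READWRITE
"""


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    threads: int


def parse_procs(text: str) -> list[Proc]:
    """Parse 'PID PPID name threads' rows; malformed or blank lines are skipped."""
    procs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        pid, ppid, name, threads = parts
        procs.append(Proc(int(pid), int(ppid), name, int(threads)))
    return procs


def parse_malfind(text: str) -> list[tuple[int, str]]:
    """Return (pid, protection) for each malfind-style hit."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            hits.append((int(parts[0]), parts[3]))
    return hits


def hidden_pids(pslist: str, psscan: str) -> set[int]:
    """PIDs the pool scan finds but the linked-list walk does not."""
    return {p.pid for p in parse_procs(psscan)} - {p.pid for p in parse_procs(pslist)}


def extract_features(pslist: str, psscan: str, malfind: str) -> dict[str, float]:
    """Build one flat numeric feature vector from the three plugin views.

    Feature names below are this example's own. The cross-view count
    psxview_not_in_pslist is the feature that exposes hidden processes.
    """
    linked = parse_procs(pslist)
    scanned = parse_procs(psscan)
    hits = parse_malfind(malfind)
    hidden = hidden_pids(pslist, psscan)

    return {
        "pslist_nproc": len(linked),
        "pslist_nppid": len({p.ppid for p in linked}),
        "pslist_avg_threads": mean(p.threads for p in linked) if linked else 0.0,
        "psscan_nproc": len(scanned),
        "psxview_not_in_pslist": len(hidden),
        "malfind_ninjections": len(hits),
        "malfind_nrwx": sum(1 for _, prot in hits if prot == "PAGE_EXECUTE_READWRITE"),
        "malfind_hidden_proc_injections": sum(1 for pid, _ in hits if pid in hidden),
    }


if __name__ == "__main__":
    for name, value in extract_features(PSLIST_OUTPUT, PSSCAN_OUTPUT, MALFIND_OUTPUT).items():
        print(f"{name:32s} {value}")
```

In a pipeline like the one the abstract describes, one such vector is produced per memory dump and the rows, labelled benign or malicious, are what the stacked ensemble is trained on. The counts are features rather than verdicts: a benign dump can legitimately contain RWX regions (JIT compilers, some packers used by legitimate software), which is exactly why the decision is left to a classifier over many features rather than to any single threshold.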