dc.contributor.advisor: Dyrkolbotn, Geir Olav
dc.contributor.advisor: Franke, Katrin
dc.contributor.author: Banin, Sergii
dc.date.accessioned: 2023-01-16T14:47:23Z
dc.date.available: 2023-01-16T14:47:23Z
dc.date.issued: 2023
dc.identifier.isbn: 978-82-326-6679-9
dc.identifier.issn: 2703-8084
dc.identifier.uri: https://hdl.handle.net/11250/3043791
dc.description.abstract: Nowadays, computers and computer systems are involved in most areas of our lives. Employees and users in manufacturing and transportation, banking and healthcare, education, and entertainment rely on computers and networks, which allow better, faster, and often remote control of and access to various services. As often happens, convenience comes with unwanted side effects. Computers can be misused by malicious actors who disrupt operations, spoof, steal or destroy sensitive data, or gain remote control over victim systems. These and other malicious actions are often carried out using malicious software, or malware. Therefore, malware detection and analysis play a significant role in the Information Security domain. Various methods are used for malware analysis and detection. They can be roughly divided into two major groups: static and dynamic. Static methods rely on features derived from malware without launching it: strings, section names, entropy, etc. Dynamic methods rely on dynamic or behavioral features, which are extracted while the malware runs. Often, static features are easier to extract than behavioral properties. However, it is also easier for malware authors to alter static features in order to thwart static malware detection. Information Security researchers have studied the applicability of different sources of behavioral features: process activity, file activity, network activity, etc. Such behavioral features can be called high-level features. Malware authors also tend to alter them: they change the names of processes and dropped files, change IP addresses, and so on. However, malware is always executed on the system's hardware. Therefore, features that emerge directly from the hardware can also be used as a source of behavioral features. Such features are called hardware-based or low-level features: memory activity, executed opcodes, hardware performance counters, etc.
Since it is impossible for malware to avoid execution on the system's hardware, in this Thesis we focus on the applicability of low-level features for malware detection. Researchers have already shown that low-level features such as opcodes and hardware performance counters can be used for malware detection. However, to the author's knowledge, no one had used memory access patterns for malware detection before our work began. Thus, in this Thesis we focus on the applicability of memory access patterns for malware detection and analysis. We present a methodology and an experimental evaluation of malware detection and classification using memory access patterns, and we show that memory access patterns can be used for both tasks. Moreover, during our research we found that it is possible to detect and classify malware based on memory access patterns recorded before the launched malware reaches its Entry Point. This means that we found a way to stop malware that has already been launched before it has a chance to perform any malicious actions. We also show how low-level features can be correlated with their high-level counterparts. While conducting our research, we made extensive use of Machine Learning (ML) methods. In this Thesis we use various methods to analyze the performance of ML models, which can be helpful to other researchers.
dc.language.iso: eng
dc.publisher: NTNU
dc.relation.ispartofseries: Doctoral theses at NTNU; 2023:11
dc.relation.haspart: Paper 1: Banin, Sergii; Shalaginov, Andrii; Franke, Katrin. Memory access patterns for malware detection. Norsk Informasjonssikkerhetskonferanse (NISK) 2016, Volume 2016, pp. 96-107.
dc.relation.haspart: Paper 2: Banin, Sergii; Dyrkolbotn, Geir Olav. Multinomial malware classification via low-level features. Digital Investigation: The International Journal of Digital Forensics and Incident Response, 2018, Volume 26, pp. 107-117 (Digital Investigation 26 (2018) S107-S117). https://doi.org/10.1016/j.diin.2018.04.019. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).
dc.relation.haspart: Paper 3: Banin, Sergii; Dyrkolbotn, Geir Olav. Correlating High- and Low-Level Features: Increased Understanding of Malware Classification. Lecture Notes in Computer Science (LNCS), 2019, Volume 11689, pp. 149-167. https://doi.org/10.1007/978-3-030-26834-3_9
dc.relation.haspart: Paper 4: Banin, Sergii; Dyrkolbotn, Geir Olav. Detection of Running Malware Before it Becomes Malicious. Lecture Notes in Computer Science (LNCS), 2020, Volume 12231, pp. 57-73. https://doi.org/10.1007/978-3-030-58208-1_4
dc.relation.haspart: Paper 5: Banin, Sergii. Fast and Straightforward Feature Selection Method: A Case of High-Dimensional Low Sample Size Dataset in Malware Analysis. In: Malware Analysis Using Artificial Intelligence and Deep Learning. Springer, Cham, 2021, pp. 455-476. https://doi.org/10.1007/978-3-030-62582-5_18
dc.relation.haspart: Paper 6: Banin, Sergii; Dyrkolbotn, Geir Olav. Detection of Previously Unseen Malware using Memory Access Patterns Recorded Before the Entry Point. In: 2020 IEEE International Conference on Big Data. IEEE conference proceedings, 2021, ISBN 978-1-7281-6251-5, pp. 2242-2253. https://doi.org/10.1109/BigData50022.2020.9377933. © 2021 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
dc.relation.haspart: S1: Shalaginov, Andrii; Banin, Sergii; Dehghantanha, Ali; Franke, Katrin. Machine Learning Aided Static Malware Analysis: A Survey and Tutorial. In: Cyber Threat Intelligence. Part of the Advances in Information Security book series (ADIS, volume 70). Springer, Cham, 2018, ISBN 978-3-319-73951-9, pp. 7-45. https://doi.org/10.1007/978-3-319-73951-9_2
dc.title: Malware detection and classification using low-level features
dc.type: Doctoral thesis
dc.subject.nsi: VDP::Teknologi: 500::Informasjons- og kommunikasjonsteknologi: 550