Malware Analysis and Detection Pipeline (MAPD)
Mohammad Mussadiq Jalalzai
Project status: Under Development
Intel Technologies: Other
Overview / Usage
Malware is becoming stealthier and more complex, and thus harder to find and analyze. In response, a range of memory forensic and analysis tools and plugins have been developed. These, however, generate large amounts of data to be analyzed, which in turn increases the chance of human error during analysis. Because analyzing memory images for forensic evidence is difficult and potentially crucial information can be missed, we have constructed a pipeline for the creation, processing, analysis, and classification of memory images. First, memory images are created by snapshotting a virtual machine. Then, different features are extracted using memory forensic tools. The data is then pre-processed, and finally analyzed and classified using machine learning algorithms.
Methodology / Approach
MAPD consists of four main parts, each with a distinct objective and each feeding into the next.
- Data extraction: a script calls different Volatility plugins:
  - Psxview
  - APIhook
  - Msg hook
  - Event hook
  - DLList
  - Malfind
- Feature-set extraction and pre-processing
- Pre-processing data:
  - Features are combined in a single file with a specific format
  - Field values are converted into binary numbers
- Malware detection: using decision trees and neural networks
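As an added example (not code from the MAPD project), the snippet below shows the pre-processing stage described above: plugin output from one memory image is parsed, each field is reduced to a binary indicator, and the indicators are combined into one row of a single CSV file ready for a decision-tree or neural-network classifier. The psxview and malfind text is constructed to mimic the shape of Volatility 2 output; the feature names and the choice of indicators are assumptions for illustration.

```python
import csv
import io

# Constructed sample output shaped like Volatility 2's psxview and malfind plugins (not real captures).
PSXVIEW_SAMPLE = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0x0a1b2c00 explorer.exe           1432 True   True   True     True   True  True    True
0x0d4e5f00 hidden.exe             2208 False  True   True     True   False False   True
"""
MALFIND_SAMPLE = """\
Process: svchost.exe Pid: 1080 Address: 0x1f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
"""

# Fixed column order so every image produces a row with the same layout (assumed feature names).
FEATURES = ["proc_hidden_from_pslist", "rwx_private_region",
            "multiple_injected_processes", "mz_header_in_region"]


def parse_psxview(text):
    """Return one dict per process row; header tokens become keys, True/False strings become bools."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[2:]:               # skip the header and the dashed separator line
        row = dict(zip(header, line.split()))
        for col in header[3:]:           # columns after PID are the per-source visibility flags
            row[col] = row[col] == "True"
        rows.append(row)
    return rows


def extract_features(psxview_text, malfind_text):
    """Binarize: each feature is 1 if any process/region shows the indicator, else 0."""
    procs = parse_psxview(psxview_text)
    return {
        # present in the pool-tag scan but unlinked from the active process list
        "proc_hidden_from_pslist": int(any(p["psscan"] and not p["pslist"] for p in procs)),
        "rwx_private_region": int("PAGE_EXECUTE_READWRITE" in malfind_text),
        "multiple_injected_processes": int(malfind_text.count("Process:") >= 2),
        # malfind prints a hexdump of each region; an ASCII "MZ" would indicate a PE header
        "mz_header_in_region": int("MZ" in malfind_text),
    }


def to_csv_row(image_id, label, features):
    """Combine one image's binary features into a row of the single feature file."""
    buf = io.StringIO()
    csv.writer(buf).writerow([image_id, label] + [features[f] for f in FEATURES])
    return buf.getvalue().strip()
```

Real plugin output would be produced by running each Volatility plugin over the snapshot and passing its text through the same parsers; appending one `to_csv_row` line per image yields the combined feature file.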