Cristin result ID: 2098008
Last modified: 13 January 2023, 15:38
Result
Doctoral thesis
2023

Malware detection and classification using low-level features

Contributors:
  • Sergii Banin

Publisher/series

Publisher

Norges teknisk-naturvitenskapelige universitet
NVI level 0

Series

Doktoravhandlinger ved NTNU
ISSN 1503-8181
NVI level 0

About the result

Doctoral thesis
In press
Publication year: 2023
Volume: 2023
Issue: 11
Number of pages: 263
ISBN: 978-82-326-6061-2

Classification

Subject area (NPI)

Subject area: ICT
- Discipline: Natural sciences and technology

Description

Title

Malware detection and classification using low-level features

Abstract

Nowadays, computers and computer systems are involved in most areas of our lives. Employees and users in manufacturing and transportation, banking and healthcare, education, and entertainment rely on computers and networks that allow for better, faster, and often remote control of and access to various services. As often happens, convenience comes with unwanted side effects. Computers can be misused by malicious actors who seek to disrupt operations, spoof, steal or destroy sensitive data, or gain remote control over victim systems. These and other malicious actions are often carried out using malicious software, or malware. Therefore, malware detection and analysis play a significant role in the Information Security domain. Various methods are used for malware analysis and detection. They can be roughly divided into two major groups: static and dynamic. Static methods rely on features derived from malware without launching it: strings, section names, entropy, etc. Dynamic methods rely on dynamic or behavioral features, which are extracted while the malware is running. Static features are often easier to extract than behavioral properties. However, it is also easier for malware authors to alter static features in order to thwart static malware detection. Information Security researchers have studied the applicability of different sources of behavioral features: process activity, file activity, network activity, etc. Such behavioral features can be called high-level features. Malware authors also tend to alter them: changing the names of processes and dropped files, changing IP addresses, and so on. However, malware is always executed on the system's hardware. Therefore, features that emerge directly from the hardware can also be used as a source of behavioral features. Such features are called hardware-based or low-level features: memory activity, executed opcodes, hardware performance counters, etc.
Since it is impossible for malware to avoid execution on the system's hardware, in this Thesis we focus on the applicability of low-level features for malware detection. Researchers have already shown that low-level features such as opcodes and hardware performance counters can be used for malware detection. However, to the author's knowledge, no one had used memory access patterns for malware detection prior to the beginning of our work. Thus, in this Thesis, we focus on the applicability of memory access patterns for malware detection and analysis. In our work, we present a methodology and an experimental evaluation of malware detection and classification using memory access patterns. We show that memory access patterns can be used for malware detection and classification. Moreover, during our research we found that it is possible to detect and classify malware based on memory access patterns before the launched malware reaches its Entry Point. This means that we found a way to stop malware that has already been launched before it has a chance to carry out any malicious actions. We also show how low-level features can be correlated with their high-level counterparts. While conducting our research, we made extensive use of Machine Learning (ML) methods. In this Thesis, we use various methods to analyze the performance of ML models, which can be helpful for other researchers.

Contributors

Sergii Banin

  • Affiliation:
    Author
    at the Department of Information Security and Communication Technology, Norges teknisk-naturvitenskapelige universitet

Geir Olav Dyrkolbotn

  • Affiliation:
    Supervisor

Katrin Franke

  • Affiliation:
    Supervisor
    at the Department of Information Security and Communication Technology, Norges teknisk-naturvitenskapelige universitet