In recent years, deep learning has advanced, leading to its widespread application in fields such as image recognition and speech recognition. Meanwhile, in the field of information security, damage caused by malware remains a serious problem. Traditional malware detection methods, such as pattern matching, face the challenge of being unable to detect it for which no pattern file exists. This paper proposes a method to improve malware detection accuracy by focusing on program memory access logs and devising a technique to circumvent the effects of memory address space layout randomization (ASLR). The proposed method creates grayscale images based on program memory access logs and performs classification using a CNN. For performance evaluation, ten types of normal programs and ten types of malware were used, trained and classified using MobileNetV2. Our proposed method attained considerably good performance: precision 0.9975, recall 0.9947, precision 1.0000, and F1 score 0.9973, confirming the feasibility of highly accurate malware detection. Furthermore, by using simplified grayscale images for the image processing step, this method reduces computational cost, enabling classification with high real-time performance.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Proposal of Malware Detection Method Based on Memory Access Log that Is Not Affected by ASLR

  • Shota Takahashi,
  • Eiichiro Kodama,
  • Bhed Bahadur Bista,
  • Jiahong Wang,
  • Toyoo Takata

摘要

In recent years, deep learning has advanced, leading to its widespread application in fields such as image recognition and speech recognition. Meanwhile, in the field of information security, damage caused by malware remains a serious problem. Traditional malware detection methods, such as pattern matching, face the challenge of being unable to detect it for which no pattern file exists. This paper proposes a method to improve malware detection accuracy by focusing on program memory access logs and devising a technique to circumvent the effects of memory address space layout randomization (ASLR). The proposed method creates grayscale images based on program memory access logs and performs classification using a CNN. For performance evaluation, ten types of normal programs and ten types of malware were used, trained and classified using MobileNetV2. Our proposed method attained considerably good performance: precision 0.9975, recall 0.9947, precision 1.0000, and F1 score 0.9973, confirming the feasibility of highly accurate malware detection. Furthermore, by using simplified grayscale images for the image processing step, this method reduces computational cost, enabling classification with high real-time performance.