Author: Rana, Shubham; Kumar, Nitesh; Handa, Anand; Shukla, Sandeep K.
Subject:
Source: Security & Privacy; Nov 2022, Vol. 5 Issue 6, p1-32, 32p
Abstract: In malware analysis, there are two problem scenarios—detection and prevention. In prevention, analysts try to quarantine the file before it gets executed in a real system. The file is further analyzed in a sandbox to observe the behavior. Hence, our work shows that our agent captures events for malware analysis. After integration with the sandbox, it produces robust and efficient models. ETW is a Windows in-built tool with kernel-level access. We develop an agent using ETW in C++ with proper usage details. We collect data using cuckoo sandbox and ETW agent for 11 546 samples and perform comparative frequency analysis. The performance of various machine learning classifiers is examined on the behavioral data. Random Forest classifier performs the best on the combined (cuckoo+ETW) data with an accuracy of 99.68% and FPR of 0.45%. The improved performance of combined data over cuckoo data on packed and unseen malware is also significantly good. In the detection, if malware somehow escapes from the deployed prevention mechanism and gets executed, the analyst tries to detect malicious actions and respond before it is too late. Our agent can tackle such issues and can function as a standalone host-based monitoring agent to extract kernel-level information. [ABSTRACT FROM AUTHOR]
Database: Complementary Index
External link: