Abstract

In malware analysis there are two problem scenarios: detection and prevention. In prevention, analysts try to quarantine a file before it is executed on a real system; the file is then analyzed in a sandbox to observe its behavior. Our work shows that our agent captures events suitable for malware analysis and, once integrated with the sandbox, yields robust and efficient models. ETW (Event Tracing for Windows) is a built-in Windows facility with kernel-level access. We develop an agent based on ETW in C++ and document its usage in detail. We collect data with the Cuckoo sandbox and the ETW agent for 11,546 samples and perform a comparative frequency analysis. The performance of several machine learning classifiers is examined on the behavioral data. The Random Forest classifier performs best on the combined (Cuckoo+ETW) data, with an accuracy of 99.68% and an FPR of 0.45%. The improvement of the combined data over Cuckoo-only data on packed and unseen malware is also significant. In detection, if malware escapes the deployed prevention mechanism and is executed, the analyst tries to detect the malicious actions and respond before it is too late. Our agent can address such cases and can also function as a standalone host-based monitoring agent that extracts kernel-level information.
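The pipeline the abstract summarizes (per-sample event traces from two sources, source-prefixed frequency features, a comparative frequency ranking of events between classes, and accuracy/FPR on unseen samples) is easy to misread as a single step, so here is an added, self-contained illustration of it. This is example code written for this page, not the paper's agent or its evaluation code. All traces, event names and labels are constructed; the classifier is a nearest-centroid baseline standing in for the paper's Random Forest so that the example runs without external libraries, and the tiny FPR it produces is a property of the constructed data, not a reproduction of the paper's figures.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed behavioural traces (not from the paper): one event list per sample
# from each source. Names imitate Cuckoo API hooks and ETW provider/opcode pairs.
CUCKOO = {
    "s1": ["NtCreateFile", "NtWriteFile", "RegSetValueExW", "CreateProcessInternalW"],
    "s2": ["NtCreateFile", "NtReadFile"],
    "s3": ["NtCreateFile", "RegSetValueExW", "RegSetValueExW", "NtWriteFile"],
    "s4": ["NtReadFile", "NtClose"],
}
ETW = {
    "s1": ["Process/Start", "Registry/SetValue", "FileIO/Write", "Image/Load"],
    "s2": ["FileIO/Read", "Image/Load"],
    "s3": ["Registry/SetValue", "FileIO/Write", "Process/Start", "Process/Start"],
    "s4": ["FileIO/Read", "Image/Load"],
}
TRAIN_LABELS = {"s1": 1, "s2": 0, "s3": 1, "s4": 0}  # 1 = malware, 0 = benign

# Constructed "unseen" samples used only for evaluation. u3 is a benign installer
# whose registry/file activity resembles the malware traces (expected false positive).
UNSEEN_CUCKOO = {
    "u1": ["NtCreateFile", "RegSetValueExW", "NtWriteFile"],
    "u2": ["NtReadFile", "NtClose"],
    "u3": ["NtCreateFile", "NtWriteFile", "RegSetValueExW"],
    "u4": ["RegSetValueExW", "RegSetValueExW", "CreateProcessInternalW"],
}
UNSEEN_ETW = {
    "u1": ["Registry/SetValue", "FileIO/Write"],
    "u2": ["FileIO/Read", "Image/Load"],
    "u3": ["FileIO/Write", "Registry/SetValue", "Image/Load"],
    "u4": ["Process/Start", "Registry/SetValue", "Registry/SetValue"],
}
UNSEEN_LABELS = {"u1": 1, "u2": 0, "u3": 0, "u4": 1}

Sources = Dict[str, Dict[str, List[str]]]  # source name -> sample -> events


def build_vocab(sources: Sources) -> List[str]:
    """Sorted union of source-prefixed event names, e.g. 'etw:Process/Start'.
    Prefixing keeps Cuckoo and ETW features distinct when the data is combined."""
    vocab = set()
    for name, traces in sources.items():
        for events in traces.values():
            vocab.update(f"{name}:{e}" for e in events)
    return sorted(vocab)


def frequency_vector(sample: str, sources: Sources, vocab: List[str]) -> List[int]:
    """Count how often each vocabulary event occurs in the sample's traces.
    Events outside the training vocabulary are ignored (unseen-sample case)."""
    counts: Counter = Counter()
    for name, traces in sources.items():
        counts.update(f"{name}:{e}" for e in traces.get(sample, []))
    return [counts[feat] for feat in vocab]


def class_centroids(matrix: Dict[str, List[int]], labels: Dict[str, int]) -> Dict[int, List[float]]:
    """Mean frequency vector per class; also the per-class event frequency table."""
    centroids = {}
    for cls in sorted(set(labels.values())):
        rows = [matrix[s] for s in matrix if labels[s] == cls]
        centroids[cls] = [sum(col) / len(rows) for col in zip(*rows)]
    return centroids


def comparative_frequency(centroids: Dict[int, List[float]], vocab: List[str]) -> List[Tuple[str, float]]:
    """Rank events by mean frequency in malware minus mean frequency in benign."""
    diffs = [m - b for m, b in zip(centroids[1], centroids[0])]
    return sorted(zip(vocab, diffs), key=lambda t: (-t[1], t[0]))


def predict(vec: List[int], centroids: Dict[int, List[float]]) -> int:
    """Nearest-centroid decision (squared Euclidean distance); ties go to benign."""
    def dist2(cls: int) -> float:
        return sum((x - c) ** 2 for x, c in zip(vec, centroids[cls]))
    return min(centroids, key=lambda cls: (dist2(cls), cls))


def evaluate(labels: Dict[str, int], preds: Dict[str, int]) -> Dict[str, float]:
    """Accuracy, false-positive rate FP/(FP+TN) and true-positive rate TP/(TP+FN)."""
    tp = sum(1 for s in labels if labels[s] == 1 and preds[s] == 1)
    tn = sum(1 for s in labels if labels[s] == 0 and preds[s] == 0)
    fp = sum(1 for s in labels if labels[s] == 0 and preds[s] == 1)
    fn = sum(1 for s in labels if labels[s] == 1 and preds[s] == 0)
    return {"accuracy": (tp + tn) / len(labels), "fpr": fp / (fp + tn), "tpr": tp / (tp + fn)}


def run_pipeline(source_names: Tuple[str, ...]) -> dict:
    """Build features from the chosen sources ('cuckoo', 'etw' or both), rank
    events, classify the unseen samples and report the metrics."""
    train_src = {"cuckoo": CUCKOO, "etw": ETW}
    unseen_src = {"cuckoo": UNSEEN_CUCKOO, "etw": UNSEEN_ETW}
    train = {n: train_src[n] for n in source_names}
    unseen = {n: unseen_src[n] for n in source_names}
    vocab = build_vocab(train)
    matrix = {s: frequency_vector(s, train, vocab) for s in TRAIN_LABELS}
    centroids = class_centroids(matrix, TRAIN_LABELS)
    preds = {u: predict(frequency_vector(u, unseen, vocab), centroids) for u in UNSEEN_LABELS}
    return {
        "vocab": vocab,
        "ranking": comparative_frequency(centroids, vocab),
        "predictions": preds,
        "metrics": evaluate(UNSEEN_LABELS, preds),
    }


if __name__ == "__main__":
    result = run_pipeline(("cuckoo", "etw"))
    for feat, diff in result["ranking"][:3]:
        print(f"{feat:32s} malware-minus-benign mean frequency: {diff:+.2f}")
    print(result["predictions"], result["metrics"])
```

Running the combined pipeline ranks `cuckoo:RegSetValueExW` and `etw:Process/Start` as the most malware-skewed events in the constructed data, flags the benign installer `u3` as malware (accuracy 0.75, FPR 0.5 on the four unseen samples), and shows why FPR has to be reported next to accuracy: an agent that only counts registry and process events will keep tripping on legitimate software that performs the same actions. Calling `run_pipeline(("etw",))` or `run_pipeline(("cuckoo",))` repeats the evaluation on a single source, which is the comparison the abstract draws between Cuckoo-only and combined data.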
