Enterprise Malware Detection using Digital Forensic Artifacts and Machine Learning

Abstract

Malware detection is a complex task. Numerous log aggregation solutions and intrusion detection systems can help find anomalies within a host or a network and detect intrusions, but they require precise calibration, skilled analysts, and cutting-edge technology. In addition, processing host-based data is challenging, as every log, event, and configuration can be analyzed. In order to obtain trusted information about a host state, the analysis of a computer’s memory can be performed, but obtaining the data from acquisition and performing the analysis can be challenging. To address this limitation, this paper proposes to collect artifacts within a network environment. This approach involves remotely gathering memory-based and disk-based artifacts from a simulated enterprise network using Velociraptor. The data was then processed using three machine learning algorithms to detect the malware samples against regular user activity generated with a user simulation tool for added realism. With this method, Random Forest and Support Vector Machine achieved a perfect classification of 41 malware samples.