As cyber attacks grow more complex and sophisticated, new types of malware become more dangerous and challenging to detect. In particular, fileless malware injects malicious code into the physical memory directly without leaving attack traces on disk files. This type of attack is well concealed, and it is difficult to find the malicious code in the static files. For malicious processes in memory, signature-based detection methods are becoming increasingly ineffective. Facing these challenges, this paper proposes a malware detection approach based on convolutional neural network and memory forensics. As the malware has many symmetric features, the saved training model can detect malicious code with symmetric features. The method includes collecting executable static malicious and benign samples, running the collected samples in a sandbox, and building a dataset of portable executables in memory through memory forensics. When a process is running, not all the program content is loaded into memory, so binary fragments are utilized for malware analysis instead of the entire portable executable (PE) files. PE file fragments are selected with different lengths and locations. We conducted several experiments on the produced dataset to test our model. The PE file with 4096 bytes of header fragment has the highest accuracy. We achieved a prediction accuracy of up to 97.48%. Moreover, an example of fileless attack is illustrated at the end of the paper. The results show that the proposed method can detect malicious codes effectively, especially the fileless attack. Its accuracy is better than that of common machine learning methods.
Read full abstract