Malware Family Classification via Residual Prefetch Artifacts

Authors

Duby, Adam
Taylor, Teryl
Zhuang, Yanyan

Issue Date

2022-01-08

Type

proceedings-article

Keywords

File systems, Prefetching, Forensics, Feature extraction, Malware, Libraries, Classification algorithms

Abstract

Automated malware classification assigns unknown malware to known families. Most research in malware classification assumes that the defender has access to the malware for analysis. Unfortunately, malware can delete itself after execution. As a result, analysts are only left with digital residue, such as network logs or remnant artifacts of malware in memory or on the file system. In this paper, a novel malware classification method based on the Windows prefetch mechanism is presented and evaluated, enabling analysts to classify malware without a corresponding executable. The approach extracts features from Windows prefetch files, a file system artifact that contains historical process information such as loaded libraries and process dependencies. Results show that classification using these features with two different algorithms garnered F-Scores between 0.80 and 0.82, offering analysts a viable option for forensic analysis.

Citation

A. Duby, T. Taylor and Y. Zhuang, "Malware Family Classification via Residual Prefetch Artifacts," 2022 IEEE 19th Annual Consumer Communications & Networking Conference (CCNC), Las Vegas, NV, USA, 2022, pp. 256-259, doi: 10.1109/CCNC49033.2022.9700530.

Publisher

IEEE
