OS kernel malware detection through data-characterization of memory analysis


Abstract

Modern malware is evolving rapidly, adopting a variety of stealth techniques to avoid detection. Because modern malware is good at hiding itself and covering its tracks, these advances have made the code-centric approach less effective and inflexible. Furthermore, Operating System (OS) rootkits can vary their code-execution patterns, which is capable of confusing behavior-based malware detectors. This shows that approaches such as code-centric and behavior-based detection tend to become unreliable as modern malware, especially rootkits, evolves. This study therefore proposes a largely new, data-centric approach that characterizes OS kernel malware through memory analysis. The approach attempts to detect OS rootkits based on trace patterns found in the content of a memory dump, and it draws on digital forensics disciplines to gather the dataset required for analysis. The proposed framework consists of two main stages. The first stage, Dataset of Rootkits Characterization, builds a dataset by identifying unique characteristics in memory dump content (samples) that indicate traces of rootkits. The second stage, Rootkits Presence, detects rootkits based on the signature created in stage one. Through this approach, a set of Data Behavior Elements (DBE) is generated; eight (8) DBEs were identified across the data extracted from the collected samples, and these can be used as a signature to detect OS rootkits. Eight (8) samples were collected, consisting of clean (benign) and malicious (infected) dumps, including some unknown samples used for a False Positive test. In the False Positive test, the result successfully indicated that the signature was capable of showing the presence of OS rootkits.
This proposed approach is a proof of concept that a data-centric approach is capable of detecting the presence of malware, especially OS rootkits, whereas existing approaches mostly implement a code-centric approach.

Citation (APA)

Armira Mohamad Har, H., Ghazali, F., & Daud, M. (2020). OS kernel malware detection through data-characterization of memory analysis. In European Conference on Information Warfare and Security, ECCWS (Vol. 2020-June, pp. 589–596). Curran Associates Inc. https://doi.org/10.34190/EWS.20.025
