Abstract
Network attacks that go through end users are widely used by attackers today. One of them is distributing malware onto users' computers to steal data or escalate to higher privileges. Attacking by distributing malware is a dangerous method that is difficult to detect and prevent. Therefore, detecting the signs of malware and alerting the user or the system is very necessary today. Current studies and recommendations for detecting malware are usually based on two main methods: using a set of known signs (signatures), and analyzing abnormal behavior with machine learning or deep learning. In this paper, we propose a method to detect malware on users' computers using an Event ID profile analysis technique. Event IDs are the signs and behaviors of malware that are tracked and collected by the operating system kernel of the workstation. The difference between our research and other published methods is the way the behaviors of the malware are collected: we do not collect them through virtualization systems, but through processes directly in the operating system kernel. Therefore, even when malware uses hiding techniques, its actions are recorded by the operating system kernel, and based on those records we apply the Event ID analysis technique to conclude whether malware exists in the system.
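The abstract describes building a profile of operating-system Event IDs and analyzing it to decide whether malware is present. The following is an added illustrative example and is not the paper's code or algorithm: it assumes a simple profiling rule (a baseline distribution of Windows Security Event IDs built from benign activity, a per-process distribution built from later records, an L1 distance between the two, plus a penalty for Event IDs never seen in the baseline). The record format (`EventID=... Image=...`), the sample lines, the threshold and the weight are all constructed for the example; the Event ID meanings in the comments are the standard Windows Security log ones.

```python
"""Event ID profile analysis over constructed event records (added example,
not the paper's own code). A baseline Event ID distribution is learned from
benign activity; each process observed later is scored by how far its own
Event ID mix diverges from that baseline. Scoring rule and data are assumptions."""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

Record = Tuple[str, int]  # (process image name, Event ID)

# Constructed benign baseline. Windows Security log IDs used below:
# 4688 process creation, 4624 logon, 4672 special privileges assigned.
BASELINE_LINES: List[str] = [
    "EventID=4688 Image=explorer.exe", "EventID=4688 Image=explorer.exe",
    "EventID=4624 Image=explorer.exe", "EventID=4624 Image=svchost.exe",
    "EventID=4672 Image=svchost.exe",  "EventID=4688 Image=svchost.exe",
    "EventID=4688 Image=outlook.exe",  "EventID=4624 Image=outlook.exe",
]

# Constructed observation window. updater.exe is a hypothetical process that
# creates a scheduled task (4698), modifies registry values (4657) and clears
# the audit log (1102); none of these IDs appear in the baseline.
OBSERVED_LINES: List[str] = [
    "EventID=4688 Image=explorer.exe", "EventID=4688 Image=explorer.exe",
    "EventID=4624 Image=explorer.exe", "EventID=4688 Image=explorer.exe",
    "EventID=4688 Image=updater.exe",  "EventID=4698 Image=updater.exe",
    "EventID=4657 Image=updater.exe",  "EventID=4657 Image=updater.exe",
    "EventID=1102 Image=updater.exe",
]


def parse_line(line: str) -> Record:
    """Parse one constructed 'key=value' record into (image, event_id).
    Malformed lines raise instead of being silently dropped, so a gap in the
    collected data cannot quietly lower a process's score."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return fields["Image"].lower(), int(fields["EventID"])
    except (KeyError, ValueError) as exc:
        raise ValueError(f"malformed record: {line!r}") from exc


def event_profile(records: Iterable[Record]) -> Dict[int, float]:
    """Relative frequency of each Event ID in the given records."""
    counts = Counter(eid for _, eid in records)
    total = sum(counts.values())
    return {eid: n / total for eid, n in counts.items()} if total else {}


def per_process(records: Iterable[Record]) -> Dict[str, List[Record]]:
    """Group records by process image name."""
    groups: Dict[str, List[Record]] = defaultdict(list)
    for rec in records:
        groups[rec[0]].append(rec)
    return dict(groups)


def l1_distance(p: Dict[int, float], q: Dict[int, float]) -> float:
    """L1 distance between two Event ID distributions (0 = identical, 2 = disjoint)."""
    return sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q))


def score_processes(baseline_lines: Iterable[str], observed_lines: Iterable[str],
                    unseen_weight: float = 1.0, threshold: float = 1.0) -> Dict[str, dict]:
    """Score every observed process against the benign baseline profile.
    score = L1 distance + unseen_weight * (number of Event IDs absent from baseline).
    Returns {image: {"score", "unseen_ids", "flagged"}}; weights are assumptions."""
    baseline = event_profile(parse_line(l) for l in baseline_lines)
    results: Dict[str, dict] = {}
    for image, recs in per_process(parse_line(l) for l in observed_lines).items():
        profile = event_profile(recs)
        unseen = sorted(eid for eid in profile if eid not in baseline)
        score = l1_distance(baseline, profile) + unseen_weight * len(unseen)
        results[image] = {"score": score, "unseen_ids": unseen, "flagged": score >= threshold}
    return results


if __name__ == "__main__":
    for image, result in score_processes(BASELINE_LINES, OBSERVED_LINES).items():
        print(f"{image:14s} score={result['score']:.2f} "
              f"unseen={result['unseen_ids']} flagged={result['flagged']}")
```

With the constructed data, explorer.exe stays close to the baseline (score 0.5) while updater.exe introduces three Event IDs the baseline never produced and is flagged. A deployed version would need a baseline collected over enough benign activity for the distribution to be stable, and would tune the unseen-ID weight and threshold against the false-positive rate observed on the workstations being protected.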
Xuan, C. D. … Sang, L. Q. (2020). Proposed Model for Detecting Malware on Workstations. International Journal of Innovative Technology and Exploring Engineering, 9(6), 1069–1078. https://doi.org/10.35940/ijitee.f4180.049620