
Volatility Custom Profiling for Automated Hybrid ELF Malware Detection

  • Conference paper
Digital Forensics and Cyber Crime (ICDF2C 2022)

Abstract

The increasing prevalence of Linux malware poses a severe threat to private data and to expensive computing resources, so Linux malware needs to be detected automatically and its capabilities and behavior understood. In this work we analyze ELF binaries before, during, and after execution (postmortem inspection) using open-source tools. Each binary runs in a controlled sandbox, where we monitor the activity of the binary and its child processes to assess its capabilities and behavior. We set up INetSim to simulate Internet services, which increases the chance that network-dependent malware behaves as intended. We also generate a custom Volatility OS profile for Ubuntu 16.04; Volatility uses this profile to analyze the memory dump and extract artifacts. We modify the Limon sandbox to run only specific Volatility plugins, which reduces report-generation time. Features extracted from the behavior reports and from the memory-forensics reports are combined with features obtained by static analysis to build a hybrid model for ELF malware detection. The trained hybrid model achieves 99.2% accuracy on a recent dataset of benign and malicious samples, with a false-positive rate of 0.9%. To the best of our knowledge, no prior work has performed memory analysis of ELF malware using a customized Volatility profile for efficient ELF malware detection.
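The abstract describes three ingredients: a reduced set of Volatility 2 plugins run against a memory dump with a custom Linux profile, features parsed from the resulting reports, and static features from the ELF binary, all merged into one feature vector. The following is an added example that is not the paper's code or Limon's: it builds the Volatility 2 command line for a selected plugin subset, parses the ELF header directly for static features, parses `linux_pslist` and `linux_netstat` text into memory-forensics features scoped to the sample's process tree, and merges both into a hybrid feature dict. The plugin list, the profile name `LinuxUbuntu1604x64`, the particular features, and the sample report text (constructed, modelled on the plugins' column layouts) are all assumptions; the paper does not state which plugins or features it used.

```python
"""Hybrid feature extraction for ELF samples: static ELF-header features plus
features parsed from Volatility 2 plugin output (added example, not the paper's code)."""
import re
import struct
import subprocess

ELF_MAGIC = b"\x7fELF"
# Assumed reduced plugin set; the paper only says "specific" Volatility plugins.
SELECTED_PLUGINS = ["linux_pslist", "linux_psaux", "linux_netstat", "linux_lsof", "linux_bash"]


def volatility_command(dump, profile, plugin, vol="vol.py"):
    """Volatility 2 invocation for one plugin against a dump with a custom profile."""
    return [vol, "--profile=" + profile, "-f", dump, plugin]


def run_selected_plugins(dump, profile, plugins=SELECTED_PLUGINS, vol="vol.py"):
    """Run only the selected plugins; needs vol.py and the profile zip installed."""
    return {p: subprocess.run(volatility_command(dump, profile, p, vol),
                              capture_output=True, text=True, check=True).stdout
            for p in plugins}


def is_elf(data):
    return len(data) >= 52 and data[:4] == ELF_MAGIC


def elf_header_features(data):
    """Static features read straight from the ELF header (no readelf dependency).
    Non-ELF or truncated input raises instead of silently becoming a zero vector."""
    if not is_elf(data):
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("bad EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    fmt = endian + ("HHIQQQIHHHHHH" if ei_class == 2 else "HHIIIIIHHHHHH")
    if len(data) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    (e_type, e_machine, _ver, e_entry, _phoff, _shoff, _flags, _ehsize,
     _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack_from(fmt, data, 16)
    return {"is_64bit": int(ei_class == 2), "little_endian": int(ei_data == 1),
            "e_type": e_type, "e_machine": e_machine, "e_entry": e_entry,
            "phnum": e_phnum, "shnum": e_shnum,
            # No section header table is typical of stripped or packed samples.
            "has_section_headers": int(e_shnum > 0)}


# Row patterns for Volatility 2 linux_pslist / linux_netstat text output.
PSLIST_ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<uid>\d+)")
NETSTAT_ROW = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<src>\S+)\s*:\s*(?P<sport>\d+)\s+(?P<dst>\S+)\s*:\s*(?P<dport>\d+)"
    r"\s*(?P<state>[A-Z_]+)?\s+(?P<name>\S+)/(?P<pid>\d+)\s*$")


def parse_pslist(text):
    rows = (PSLIST_ROW.match(line) for line in text.splitlines())
    return [{"name": m["name"], "pid": int(m["pid"]), "ppid": int(m["ppid"]), "uid": int(m["uid"])}
            for m in rows if m]


def parse_netstat(text):
    rows = (NETSTAT_ROW.match(line) for line in text.splitlines())
    return [{"proto": m["proto"], "sport": int(m["sport"]), "dst": m["dst"],
             "state": m["state"] or "", "pid": int(m["pid"])} for m in rows if m]


def process_family(procs, root_pid):
    """The sample's pid plus every transitive descendant seen in pslist."""
    parent = {p["pid"]: p["ppid"] for p in procs}
    family, changed = {root_pid}, True
    while changed:
        changed = False
        for pid, ppid in parent.items():
            if ppid in family and pid not in family:
                family.add(pid)
                changed = True
    return family


def memory_features(pslist_text, netstat_text, sample_pid):
    procs = parse_pslist(pslist_text)
    family = process_family(procs, sample_pid)
    own = [c for c in parse_netstat(netstat_text) if c["pid"] in family]
    tcp = [c for c in own if c["proto"] == "TCP"]
    return {"process_count": len(procs),
            "root_processes": sum(1 for p in procs if p["uid"] == 0),
            "child_processes": len(family) - 1,
            "tcp_connections": len(tcp),
            "listening_ports": len({c["sport"] for c in tcp if c["state"] == "LISTEN"}),
            "remote_peers": len({c["dst"] for c in own if c["dst"] not in ("0.0.0.0", "::")})}


def hybrid_features(elf_bytes, pslist_text, netstat_text, sample_pid):
    feats = {"static_" + k: v for k, v in elf_header_features(elf_bytes).items()}
    feats.update({"mem_" + k: v for k, v in memory_features(pslist_text, netstat_text, sample_pid).items()})
    return feats


def build_elf64_header(e_type=2, e_machine=62, e_entry=0x400000, e_phnum=2, e_shnum=0):
    """Constructed 64-byte ELF64 header (x86-64 ET_EXEC, no section headers) for testing."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    return ident + struct.pack("<HHIQQQIHHHHHH", e_type, e_machine, 1, e_entry, 64, 0, 0,
                               64, 56, e_phnum, 64, e_shnum, 0)


# Constructed report text modelled on the two plugins' layouts (not real captures).
SAMPLE_PSLIST = """\
Offset             Name                 Pid             PPid            Uid             Gid    DTB
------------------ -------------------- --------------- --------------- --------------- ------ ------------------
0xffff88003c4e8000 init                 1               0               0               0      0x000000003c0ae000
0xffff88003a11c000 sshd                 1034            1               0               0      0x000000003a0f2000
0xffff88003b2a6000 sample.elf           2400            1034            1000            1000   0x000000003b01e000
0xffff88003b2a8000 sh                   2405            2400            1000            1000   0x000000003b0a0000
0xffff88003b2b0000 wget                 2412            2405            1000            1000   0x000000003b0c4000
"""
SAMPLE_NETSTAT = """\
UNIX 16893              systemd/1       /run/systemd/journal/stdout
TCP      0.0.0.0        :   22 0.0.0.0        :    0 LISTEN                     sshd/1034
TCP      10.0.2.15      :53732 10.0.2.2       :   80 ESTABLISHED                wget/2412
TCP      10.0.2.15      : 4444 0.0.0.0        :    0 LISTEN                     sample.elf/2400
UDP      0.0.0.0        :   68 0.0.0.0        :    0                            dhclient/980
"""

if __name__ == "__main__":
    print(volatility_command("mem.lime", "LinuxUbuntu1604x64", "linux_pslist"))
    print(hybrid_features(build_elf64_header(), SAMPLE_PSLIST, SAMPLE_NETSTAT, 2400))
```

Scoping the network features to the sample's process tree matters: in the constructed report the only ESTABLISHED connection belongs to `wget`, a grandchild of the sample, and would be missed by looking at the sample's pid alone. Against a real dump, replace the constructed text with the strings returned by `run_selected_plugins` and feed the resulting dicts to the classifier of your choice.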



Author information

Corresponding author: Anand Handa


Copyright information

© 2023 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper


Cite this paper

Varshney, R., Kumar, N., Handa, A., Shukla, S.K. (2023). Volatility Custom Profiling for Automated Hybrid ELF Malware Detection. In: Goel, S., Gladyshev, P., Nikolay, A., Markowsky, G., Johnson, D. (eds) Digital Forensics and Cyber Crime. ICDF2C 2022. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 508. Springer, Cham. https://doi.org/10.1007/978-3-031-36574-4_16


  • DOI: https://doi.org/10.1007/978-3-031-36574-4_16


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-36573-7

  • Online ISBN: 978-3-031-36574-4

  • eBook Packages: Computer Science (R0)
