Abstract
The increasing prevalence of Linux malware poses a severe threat to private data and expensive computing resources. Hence, there is a dire need to detect Linux malware automatically and to comprehend its capabilities and behavior. In our work, we analyze ELF binary files before, during, and after execution (postmortem inspection) using open-source tools. We run the ELF binaries in a controlled sandbox and monitor the activities of these binaries and their child processes to assess their capabilities and behaviors. We set up INetSim to simulate fake internet services, which increases the chances of the malware behaving as intended. We also generate a custom OS profile of Ubuntu 16.04, which the Volatility tool uses to analyze the memory dump and extract artifacts. We modify the Limon sandbox to use only specific Volatility plugins, which reduces the time for report generation. We extract features from these behavior reports and from the memory-forensics reports and combine them with features extracted by static analysis to build a hybrid model for ELF malware detection. Our trained hybrid model achieves an accuracy of 99.2% on a recent dataset of benign and malware samples, with a minimal false-positive rate of 0.9%. To the best of our knowledge, no prior work in the literature has performed memory analysis of ELF malware using Volatility profile customization for efficient ELF malware detection.
© 2023 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Cite this paper
Varshney, R., Kumar, N., Handa, A., Shukla, S.K. (2023). Volatility Custom Profiling for Automated Hybrid ELF Malware Detection. In: Goel, S., Gladyshev, P., Nikolay, A., Markowsky, G., Johnson, D. (eds) Digital Forensics and Cyber Crime. ICDF2C 2022. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 508. Springer, Cham. https://doi.org/10.1007/978-3-031-36574-4_16
DOI: https://doi.org/10.1007/978-3-031-36574-4_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-36573-7
Online ISBN: 978-3-031-36574-4
eBook Packages: Computer Science (R0)