Malware Detection Through Memory Analysis
Sarah Nassar
TL;DR
This study targets obfuscated malware detection using memory-dump features from the CIC MalMemAnalysis-2022 dataset to perform binary (benign vs malware) and multi-class (benign, ransomware, spyware, Trojan) classification. A machine learning pipeline evaluates nine algorithms with a five-fold stratified cross-validation, concluding that XGBoost provides the best trade-off between detection performance and inference speed. The binary model achieves 99.98% testing accuracy and high F1, while the multi-class model reaches 87.54% accuracy and 81.26% F1, with malware-subtype macro-F1 of 75.03%. Inference times are favorable, e.g., about 37.3 ms for 50 samples in binary and 43.2 ms in multi-class on a standard runtime; the work also analyzes feature importance and limitations of the dataset, outlining directions for future real-time detectors and family-level detection.
Abstract
This paper summarizes the research conducted for a malware detection project using the Canadian Institute for Cybersecurity's MalMemAnalysis-2022 dataset. The purpose of the project was to explore the effectiveness and efficiency of machine learning techniques for the task of binary classification (i.e., benign or malicious) as well as multi-class classification to further include three malware sub-types (i.e., benign, ransomware, spyware, or Trojan horse). The XGBoost model type was the final model selected for both tasks due to the trade-off between strong detection capability and fast inference speed. The binary classifier achieved a testing subset accuracy and F1 score of 99.98\%, while the multi-class version reached an accuracy of 87.54\% and an F1 score of 81.26\%, with an average F1 score over the malware sub-types of 75.03\%. In addition to the high modelling performance, XGBoost is also efficient in terms of classification speed. It takes about 37.3 milliseconds to classify 50 samples in sequential order in the binary setting and about 43.2 milliseconds in the multi-class setting. The results from this research project help advance the efforts made towards developing accurate and real-time obfuscated malware detectors for the goal of improving online privacy and safety. *This project was completed as part of ELEC 877 (AI for Cybersecurity) in the Winter 2024 term.
