Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump Using CUDA-enabled GPU Hardware
📝 Abstract
This paper focuses on the anticipatory enhancement of methods of detecting stealth software. Cyber security detection tools are insufficiently powerful to reveal the most recent cyber-attacks which use malware. In this paper, we will present first an idea of the highest stealth malware, as this is the most complicated scenario for detection because it combines both existing anti-forensic techniques together with their potential improvements. Second, we present new detection methods, which are resilient to this hidden prototype. To help solve this detection challenge, we have analyzed Windows memory content using a new method of Shannon Entropy calculation; methods of digital photogrammetry; the Zipf Mandelbrot law, as well as by disassembling the memory content and analyzing the output. Finally, we present an idea and architecture of the software tool, which uses CUDA enabled GPU hardware to speed-up memory forensics. All three ideas are currently a work in progress.
📄 Content
The 11th ADFSL Conference on Digital Forensics, Security and Law
ACCELERATION OF STATISTICAL DETECTION OF ZERO-DAY MALWARE IN THE MEMORY DUMP USING CUDA-ENABLED GPU HARDWARE
Igor Korkin
Iwan Nesterow
Independent Researchers
Moscow, Russia
{igor.korkin, i.nesterow}@gmail.com
ABSTRACT
This paper focuses on the anticipatory enhancement of methods of detecting stealth software. Cyber security detection tools are insufficiently powerful to reveal the most recent cyber-attacks which use malware. In this paper, we will present first an idea of the highest stealth malware, as this is the most complicated scenario for detection because it combines both existing anti-forensic techniques together with their potential improvements. Second, we present new detection methods, which are resilient to this hidden prototype. To help solve this detection challenge, we have analyzed Windows memory content using a new method of Shannon Entropy calculation; methods of digital photogrammetry; the Zipf–Mandelbrot law, as well as by disassembling the memory content and analyzing the output. Finally, we present an idea and architecture of the software tool, which uses CUDA-enabled GPU hardware to speed-up memory forensics. All three ideas are currently a work in progress.
Keywords: rootkit detection, anti-forensics, memory analysis, scattered fragments, anticipatory enhancement, CUDA.
INTRODUCTION
According to the major antivirus companies, there is presently a significant rise in cyber-attacks using hidden or rootkit malware (McAfee Labs, 2015a; Wangen, 2015; Symantec, 2015). Three tendencies in malware evolution have become apparent, each presenting a corresponding cyber-security challenge. The first is custom-made malware attacks: applying zero-day or unknown malware makes the investigation of cyber security incidents significantly more difficult (Jochheim, 2012). Second, malware uses various anti-forensic techniques, evasion approaches, and rootkit mechanisms, which substantially impair its detection. Finally, investigating this malware has to meet very tight deadlines.
Well-targeted malware attacks. Recent cyber security breaches appear to suggest that a wide range of cyber-attacks are well-targeted. Nowadays cyber intrusions are rising at an unprecedented pace. Modern malware such as BlackEnergy has infiltrated the systems that control critical infrastructure, including oil and gas pipelines, water distribution systems and the power grid. The economic impact of such attacks will be colossal; for example, a cyber-attack on 50 power plants in the USA could cause $1T in economic damage (Jeff, 2015). The US Nuclear Regulatory Commission experienced an 18% increase in computer security incidents in nuclear power plants. These incidents include unauthorized access, malicious code, and other access attempts (Dingbaum, 2016). These cyber-attacks are already happening. Israel’s Minister of Infrastructure, Energy and Water said that the country’s Public Utility Authority had been targeted by malware. He believes that terrorist organizations such as Daesh, Hezbollah, Hamas and Al Qaeda carried out this attack (Ragan, 2016). In addition, the U.K. government believes that ISIS is planning major cyber-attacks against airlines, hospitals and nuclear power plants (Gilbert, 2015). Against this background, the recent hacker attack on Kaspersky Lab, which was the first cyber-attack on an antivirus company, and car cyber-hijacking look paltry and unimportant. The Stuxnet-like malware trend was reinforced by the cyber-attack on Kaspersky Lab (Kaspersky Lab, 2015). In this case, the malware focused on stealing technologies and snooping on ongoing investigations. The CEO said the following: “the cost of developing and maintaining such a malicious framework is colossal. The thinking behind it is a generation ahead of anything we’d seen earlier – it uses a number of tricks that make it really difficult to detect and neutralize. It looks like the people behind Duqu 2.0 were fully confident that it would be impossible to have their clandestine activity exposed” (Kaspersky, 2015). This vulnerability of a respected antivirus company reflects a highly sophisticated level of cyber-attacks. It presents a considerable challenge for zero-day detection on both Windows and Unix-based operating systems (Farrukh & Muddassar, 2012).
Anti-forensic techniques. Malware applies a variety of anti-forensic and rootkit techniques to defeat detection or make it much more difficult. There is currently an abnormal rise in anti-forensic techniques, and digital investigators cannot match this challenge (SANS Institute, 2015a). According to Alissa Torres, founder of Sibertor Forensics and former member of the Mandiant Computer Incident Response Team (MCIRT), “Attackers know how foren