A New Approach to Malware Detection by Comparative Analysis of Data Structures in a Memory Image

Physical memory forensics has grown in popularityin recent years. Since malware typically operate in user space, itis important to reconstruct and track their process behavior.This paper focuses on detecting malware through a comparisonof the information in the user space memory data structures. Inorder to expedite information extraction and ensure accuracy,the data in multiple memory management structures in the userspace and the kernel are used concurrently. In the proposedmethod, using descriptions of memory structures, we extractmalware artifacts related to registry changes as well as, calls tolibrary files and operating system functions. The extractedfeatures are then evaluated, and samples are classified accordingto the selected attributes. The best results include a 98%detection rate and false positive rate of 16%, which indicates theeffectiveness of the proposed behavior extraction method.