Malware Family Classification via Residual Prefetch Artifacts
Contributing USMA Research Unit(s)
Electrical Engineering and Computer Science
2022 IEEE 19th Annual Consumer Communications & Networking Conference (CCNC)
Automated malware classification assigns unknown malware to known families. Most research in malware classification assumes that the defender has access to the malware for analysis. Unfortunately, malware can delete itself after execution. As a result, analysts are only left with digital residue, such as network logs or remnant artifacts of malware in memory or on the file system. In this paper, a novel malware classification method based on the Windows prefetch mechanism is presented and evaluated, enabling analysts to classify malware without a corresponding executable. The approach extracts features from Windows prefetch files, a file system artifact that contains historical process information such as loaded libraries and process dependencies. Results show that classification using these features with two different algorithms garnered F-Scores between 0.80 and 0.82, offering analysts a viable option for forensic analysis.
Duby, Adam; Taylor, Teryl; and Zhuang, Yanyan, "Malware Family Classification via Residual Prefetch Artifacts" (2022). West Point Research Papers. 622.
Record links to items hosted by external providers may require fee for full-text.