Malware Family Classification via Residual Prefetch Artifacts

Contributing USMA Research Unit(s)

Electrical Engineering and Computer Science

Publication Date

Winter 1-8-2022

Publication Title

2022 IEEE 19th Annual Consumer Communications & Networking Conference (CCNC)

Document Type

Conference Proceeding


Automated malware classification assigns unknown malware to known families. Most research in malware classification assumes that the defender has access to the malware for analysis. Unfortunately, malware can delete itself after execution. As a result, analysts are only left with digital residue, such as network logs or remnant artifacts of malware in memory or on the file system. In this paper, a novel malware classification method based on the Windows prefetch mechanism is presented and evaluated, enabling analysts to classify malware without a corresponding executable. The approach extracts features from Windows prefetch files, a file system artifact that contains historical process information such as loaded libraries and process dependencies. Results show that classification using these features with two different algorithms garnered F-Scores between 0.80 and 0.82, offering analysts a viable option for forensic analysis.

First Page


Record links to items hosted by external providers may require fee for full-text.