
Research Article
Volatility Custom Profiling for Automated Hybrid ELF Malware Detection
@INPROCEEDINGS{10.1007/978-3-031-36574-4_16,
  author        = {Rahul Varshney and Nitesh Kumar and Anand Handa and Sandeep Kumar Shukla},
  title         = {Volatility Custom Profiling for Automated Hybrid ELF Malware Detection},
  proceedings   = {Digital Forensics and Cyber Crime. 13th EAI International Conference, ICDF2C 2022, Boston, MA, November 16-18, 2022, Proceedings},
  proceedings_a = {ICDF2C},
  year          = {2023},
  month         = {7},
  keywords      = {ELF malware; Malware detection; Memory forensics; Machine learning; Volatility; Limon sandbox},
  doi           = {10.1007/978-3-031-36574-4_16}
}
- Rahul Varshney
- Nitesh Kumar
- Anand Handa
- Sandeep Kumar Shukla
Year: 2023
Volatility Custom Profiling for Automated Hybrid ELF Malware Detection
ICDF2C
Springer
DOI: 10.1007/978-3-031-36574-4_16
Abstract
The increasing prevalence of Linux malware poses a severe threat to private data and expensive computing resources. Hence, there is a dire need to detect Linux malware automatically and to comprehend its capabilities and behavior. In our work, we analyze ELF binary files before, during, and after execution (postmortem inspection) using open-source tools. We run the ELF binaries in a controlled sandbox and monitor the activities of these binaries and their child processes to assess their capabilities and behavior. We set up INetSim to simulate fake Internet services, which increases the chance that the malware behaves as intended. We also generate a custom OS profile for Ubuntu 16.04, which the Volatility tool uses to analyze the memory dump and extract artifacts. We modify the Limon sandbox to run only specific Volatility plugins, which reduces the time needed for report generation. We extract features from these behavior reports and from the memory-forensics reports and combine them with features extracted by static analysis to build a hybrid model for ELF malware detection. Our trained hybrid model achieves an accuracy of 99.2% on a recent dataset of benign and malicious samples, with a false-positive rate of 0.9%. To the best of our knowledge, no prior work in the literature has performed memory analysis of ELF malware using Volatility profile customization for efficient ELF malware detection.
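The abstract describes fusing static ELF features with features mined from Volatility memory-forensics reports into one hybrid feature vector. The following is an added illustration of that fusion step and is not code from the paper, from Limon, or from Volatility. It parses a constructed ELF64 header with the standard library and a constructed text report laid out like Volatility 2 `linux_pslist` and `linux_netstat` output; the exact column layout of those reports, the sample names and PIDs, and every feature name are assumptions made for the example.

```python
"""Hybrid (static + memory-forensics) feature extraction for one ELF sample.

Added example; not the paper's or Volatility's own code. The report layout,
feature names and all sample data below are constructed for illustration.
"""
import re
import struct

# --- static features: read straight from the ELF64 header ------------------
# Elf64_Ehdr: e_ident[16], e_type, e_machine, e_version, e_entry, e_phoff,
# e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum,
# e_shstrndx  -> 64 bytes, little-endian here.
EHDR64 = struct.Struct("<16sHHIQQQIHHHHHH")


def static_features(blob: bytes) -> dict:
    if len(blob) < EHDR64.size or blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    (ident, e_type, e_machine, _ver, e_entry, _phoff, _shoff, _flags,
     _ehsize, _phentsize, e_phnum, _shentsize, e_shnum,
     _shstrndx) = EHDR64.unpack_from(blob)
    if ident[4] != 2:  # EI_CLASS: 1 = ELF32, 2 = ELF64
        raise ValueError("only ELF64 handled in this example")
    return {
        "is_exec": int(e_type == 2),          # ET_EXEC
        "is_dyn": int(e_type == 3),           # ET_DYN (PIE / shared object)
        "is_x86_64": int(e_machine == 62),    # EM_X86_64
        "phnum": e_phnum,
        "shnum": e_shnum,
        "stripped_sections": int(e_shnum == 0),  # no section table: typical of packed samples
        "entry": e_entry,
    }


# --- memory-forensics features: parsed from Volatility-style text reports ---
PS_ROW = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")
NET_ROW = re.compile(
    r"^(TCP|UDP)\s+(\S+)\s*:\s*(\d+)\s+(\S+)\s*:\s*(\d+)\s+(?:([A-Z_]+)\s+)?(\S+)/(\d+)\s*$")
SHELLS = {"sh", "bash", "dash"}


def parse_pslist(text: str) -> dict:
    procs = {}
    for line in text.splitlines():
        m = PS_ROW.match(line)
        if m:
            name, pid, ppid, uid, _gid = m.groups()
            procs[int(pid)] = {"name": name, "ppid": int(ppid), "uid": int(uid)}
    return procs


def process_tree(procs: dict, root: int) -> set:
    """Root plus every transitive descendant found in the process list."""
    tree, changed = {root}, True
    while changed:
        changed = False
        for pid, p in procs.items():
            if p["ppid"] in tree and pid not in tree:
                tree.add(pid)
                changed = True
    return tree


def memory_features(pslist_text: str, netstat_text: str, sample_name: str) -> dict:
    procs = parse_pslist(pslist_text)
    roots = [pid for pid, p in procs.items() if p["name"] == sample_name]
    if not roots:
        # Sample absent from pslist: it exited before the dump or hides itself.
        # Keep that as a feature instead of failing the whole pipeline.
        return {"found": 0, "children": 0, "descendants": 0, "spawns_shell": 0,
                "listen_sockets": 0, "established": 0, "runs_as_root": 0}
    root = roots[0]
    tree = process_tree(procs, root)
    listen = estab = 0
    for line in netstat_text.splitlines():
        m = NET_ROW.match(line)
        if m and int(m.group(8)) in tree:
            state = m.group(6)
            listen += state == "LISTEN"
            estab += state == "ESTABLISHED"
    return {
        "found": 1,
        "children": sum(p["ppid"] == root for p in procs.values()),
        "descendants": len(tree) - 1,
        "spawns_shell": int(any(procs[pid]["name"] in SHELLS for pid in tree if pid != root)),
        "listen_sockets": listen,
        "established": estab,
        "runs_as_root": int(procs[root]["uid"] == 0),
    }


def hybrid_vector(blob: bytes, pslist_text: str, netstat_text: str, sample_name: str) -> dict:
    """Prefix and merge both feature sets; the result feeds a classifier."""
    feats = {"static_" + k: v for k, v in static_features(blob).items()}
    feats.update({"mem_" + k: v for k, v in memory_features(pslist_text, netstat_text, sample_name).items()})
    return feats


# --- constructed sample input ------------------------------------------------
SAMPLE_ELF = EHDR64.pack(b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8,  # ELF64, LE, v1, SYSV
                         2, 62, 1, 0x401000, 64, 0, 0, 64, 56, 4, 64, 0, 0)
PSLIST = """\
Offset             Name        Pid   PPid  Uid   Gid   DTB                Start Time
0xffff880036c7c700 systemd     1     0     0     0     0x0000000036c0a000 2022-11-16 10:00:01 UTC+0000
0xffff880035a10000 bash        1100  1     1000  1000  0x0000000035a0b000 2022-11-16 10:01:12 UTC+0000
0xffff880035a12e00 sample.elf  1234  1100  1000  1000  0x0000000035a1f000 2022-11-16 10:02:30 UTC+0000
0xffff880035a14000 sh          1240  1234  1000  1000  0x0000000035a21000 2022-11-16 10:02:31 UTC+0000
0xffff880035a15c00 wget        1241  1240  1000  1000  0x0000000035a23000 2022-11-16 10:02:32 UTC+0000
"""
NETSTAT = """\
TCP      0.0.0.0         :    0 0.0.0.0         :    0 LISTEN       sample.elf/1234
TCP      10.0.2.15       :45000 10.0.2.2        :   80 ESTABLISHED  wget/1241
UDP      0.0.0.0         :   68 0.0.0.0         :    0              dhclient/900
UNIX 12345 systemd/1 /run/systemd/journal/socket
"""

if __name__ == "__main__":
    for k, v in hybrid_vector(SAMPLE_ELF, PSLIST, NETSTAT, "sample.elf").items():
        print(f"{k:28} {v}")
```

The static half reads only the 64-byte header, so it is cheap enough to run on every sample before the sandbox. The memory half is tied to the text layout of the plugin output, which changes between Volatility releases (Volatility 3 also replaced kernel profiles with symbol tables), so a pipeline like the paper's should pin the Volatility version together with the custom Ubuntu 16.04 profile it was built against.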