* update 2024-10-23 06:20:08

arXiv_db/Malware/2024.md

@@ -3102,3 +3102,27 @@
 
 </details>
 
+<details>
+
+<summary>2024-10-19 07:59:10 - A Novel Reinforcement Learning Model for Post-Incident Malware Investigations</summary>
+
+- *Dipo Dunsin, Mohamed Chahine Ghanem, Karim Ouazzane, Vassil Vassilev*
+
+- `2410.15028v1` - [abs](http://arxiv.org/abs/2410.15028v1) - [pdf](http://arxiv.org/pdf/2410.15028v1)
+
+> This Research proposes a Novel Reinforcement Learning (RL) model to optimise malware forensics investigation during cyber incident response. It aims to improve forensic investigation efficiency by reducing false negatives and adapting current practices to evolving malware signatures. The proposed RL framework leverages techniques such as Q-learning and the Markov Decision Process (MDP) to train the system to identify malware patterns in live memory dumps, thereby automating forensic tasks. The RL model is based on a detailed malware workflow diagram that guides the analysis of malware artefacts using static and behavioural techniques as well as machine learning algorithms. Furthermore, it seeks to address challenges in the UK justice system by ensuring the accuracy of forensic evidence. We conduct testing and evaluation in controlled environments, using datasets created with Windows operating systems to simulate malware infections. The experimental results demonstrate that RL improves malware detection rates compared to conventional methods, with the RL model's performance varying depending on the complexity and learning rate of the environment. The study concludes that while RL offers promising potential for automating malware forensics, its efficacy across diverse malware types requires ongoing refinement of reward systems and feature extraction methods.
+
+</details>
+
+<details>
+
+<summary>2024-10-19 16:07:50 - Quo Vadis: Hybrid Machine Learning Meta-Model based on Contextual and Behavioral Malware Representations</summary>
+
+- *Dmitrijs Trizna*
+
+- `2208.12248v2` - [abs](http://arxiv.org/abs/2208.12248v2) - [pdf](http://arxiv.org/pdf/2208.12248v2)
+
+> We propose a hybrid machine learning architecture that simultaneously employs multiple deep learning models analyzing contextual and behavioral characteristics of Windows portable executable, producing a final prediction based on a decision from the meta-model. The detection heuristic in contemporary machine learning Windows malware classifiers is typically based on the static properties of the sample since dynamic analysis through virtualization is challenging for vast quantities of samples. To surpass this limitation, we employ a Windows kernel emulation that allows the acquisition of behavioral patterns across large corpora with minimal temporal and computational costs. We partner with a security vendor for a collection of more than 100k int-the-wild samples that resemble the contemporary threat landscape, containing raw PE files and filepaths of applications at the moment of execution. The acquired dataset is at least ten folds larger than reported in related works on behavioral malware analysis. Files in the training dataset are labeled by a professional threat intelligence team, utilizing manual and automated reverse engineering tools. We estimate the hybrid classifier's operational utility by collecting an out-of-sample test set three months later from the acquisition of the training set. We report an improved detection rate, above the capabilities of the current state-of-the-art model, especially under low false-positive requirements. Additionally, we uncover a meta-model's ability to identify malicious activity in validation and test sets even if none of the individual models express enough confidence to mark the sample as malevolent. We conclude that the meta-model can learn patterns typical to malicious samples from representation combinations produced by different analysis techniques. We publicly release pre-trained models and anonymized dataset of emulation reports.
+
+</details>
+