| The explosive growth of malware poses a serious threat to Internet security, making effective detection and classification of malware critical. As malware evolves, new types of malware are no longer limited to traditional file-based execution but instead employ more sophisticated and versatile fileless techniques such as process hijacking, registry residency, and memory residency. Machine learning and deep learning have become increasingly sophisticated and can efficiently detect and classify malware, but in the real world fileless malware is characterized by stealthy attacks and complex forensics, making it impossible to capture a sufficient number of samples. When training samples are insufficient, machine learning and deep learning models struggle to learn the actual relationships in the data and become over-fitted. This paper therefore proposes a fileless malware classification method that combines malware visualization techniques and few-shot learning algorithms to improve fileless malware classification. Using a memory forensic tool, the method first captures the memory dumps of fileless malware processes and crops their redundant data. Then, visualization techniques are used to convert the memory dumps into colour images for easy classification by the intelligent model. Next, a fileless malware classification method based on few-shot data augmentation is proposed to address the imbalance in sample data across fileless malware families. Finally, to reduce the time consumed by data augmentation, an improved fileless malware classification method based on few-shot learning is proposed that simplifies the data augmentation process. Experimental results show that the enhanced few-shot learning-based fileless malware classification method proposed in this paper achieves a maximum accuracy of 85.6% on a self-collected fileless malware dataset. The paper makes the following major contributions: (1) To address the large amount of redundant data in memory dump files of fileless malware, a new clipping method for memory dump files is proposed, which removes redundant data, reducing the disk space the dump files occupy and improving the efficiency of memory dump file visualization. (2) To address the problem of memory dump file visualization, a new memory dump visualization method based on permutation entropy is proposed. By calculating the permutation entropy of a memory dump file, the file is visualized as an RGB three-channel image, which allows the image to represent more features and retain the spatial features. Comparison experiments show that this visualization method improves model classification performance more than other visualization methods. (3) To address the problem of data imbalance in the fileless malware dataset, a fileless malware classification method based on few-shot data augmentation is proposed, which uses Fast GAN for data augmentation to expand the dataset and designs a few-shot image classification model, MAML_PEME, leading to higher classification accuracy. (4) To address the time consumed by data augmentation methods, an improved few-shot learning-based fileless malware classification method is proposed, which simplifies the data augmentation phase and introduces a novel few-shot model, MMEL, to achieve improved classification accuracy without data augmentation. |
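
The permutation-entropy visualization in contribution (2), sketched as an added example that is not the paper's code. The abstract does not say how the three channels are derived, so this sketch assumes one pixel per 1024-byte block with R, G and B set to the normalised permutation entropy at embedding orders 3, 4 and 5; the function names and the sample dump are constructed for illustration.

```python
import hashlib
import math
from collections import Counter


def permutation_entropy(data: bytes, order: int = 3, delay: int = 1) -> float:
    """Normalised Bandt-Pompe permutation entropy of a byte sequence, in [0, 1]."""
    span = (order - 1) * delay
    n = len(data) - span                      # number of sliding windows
    if order < 2 or n <= 0:
        return 0.0
    patterns = Counter()
    for i in range(n):
        window = data[i:i + span + 1:delay]
        # Ordinal pattern: window positions sorted by value. Bytes tie often,
        # so ties are broken by position to keep the pattern deterministic.
        patterns[tuple(sorted(range(order), key=lambda k: (window[k], k)))] += 1
    h = -sum(c / n * math.log2(c / n) for c in patterns.values())
    return h / math.log2(math.factorial(order))


def dump_to_pixels(dump: bytes, block: int = 1024, orders=(3, 4, 5)):
    """One RGB pixel per block; the channel-to-order mapping is an assumption."""
    pixels = []
    for off in range(0, len(dump), block):
        chunk = dump[off:off + block]
        pixels.append(tuple(round(255 * permutation_entropy(chunk, m)) for m in orders))
    return pixels


def sample_dump() -> bytes:
    """Constructed stand-in for a cropped process dump: padding, noise, text."""
    zeros = bytes(1024)                                        # unmapped/padding page
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(32))
    text = (b"GET /index.html HTTP/1.1\r\n" * 40)[:1024]       # repetitive strings
    return zeros + noise + text


if __name__ == "__main__":
    for idx, rgb in enumerate(dump_to_pixels(sample_dump())):
        print(f"block {idx}: RGB={rgb}")
```

Zero-filled blocks come out black, which is the kind of redundant region the cropping step in contribution (1) targets, while packed or encrypted regions approach white.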