LayerLock: Multi-Layer Machine Learning based File-less Malware Detector

Abstract

File-less malware, a rapidly emerging threat, is a great challenge for malware detection systems because most of these detection systems use the pre-identified signatures to classify the malware. File-less malware does not generate executable files containing malicious code, thereby not generating any signature similar to file-based malware; hence, they cannot be detected and removed. File-less malware utilizes the pre-existing benign utilities of a system for execution, including PowerShell, Windows Management Instrumentation (WMI) and JavaScript. With the rapid advancements in malware landscape, researchers have shifted to developing innovative detection systems, incorporating machine learning in malware detection to benefit from its exceptional behavior towards pattern recognition and classification. This research aims to propose a solution that not only detects file less malware exploiting PowerShell, but also classify sophisticated file-less malware API sequences using machine learning. This research proposes a two-layer solution that offers two types of analysis including basic and advanced. The first layer monitors the processes and detects malicious processes chains, while second layer perform API analysis using ensemble classifiers. The proposed solution shows remarkable performance against file-less malware.