Name and title of the project proposer: 
sb_p_1497750
Year: 
2019
Abstract: 

Memory forensic techniques have so far been used mainly to detect anomalies in computer devices for post-mortem analysis. Recent innovations in this area show how such tools have the potential to become novel solutions for online analysis and detection of stealthy attacks. However, their applicability in the field of mobile devices is limited by the heterogeneity of operating systems available for such devices. In this project we propose to investigate the viability of using Deep Neural Networks as a means to quickly and automatically identify variations in the memory structures of variants of the Android operating system. The goal is to provide a means to quickly pinpoint the presence of important data structures in memory snapshots, so as to later analyze their content and detect possible anomalies. Recent research in the area of binary analysis shows how deep neural networks are able to easily identify recurrent patterns in binary code and use this information to spot similar data structures.

ERC: 
PE6_5
PE6_9
PE6_3
Research group members: 
sb_cp_is_2199868
sb_cp_is_1865374
sb_cp_is_1867999
sb_cp_es_283428
sb_cp_es_283429
Innovativeness: 

Current memory forensics tools base their functioning heavily on knowledge of the target operating systems used by the devices that need to be analyzed. The static nature of such knowledge, usually embedded in the tools in the form of an immutable model, renders such tools mostly useless when applied to even small variants of the supported platforms. This problem today strongly hampers the possibility of using such tools in online settings to detect potential anomalies generated by malicious stealthy processes. At the same time, it also negatively affects the everyday work of reverse engineers, who lack adequate support for new platforms.
The research proposed in this project aims at solving this problem by providing new representative models of the target OSs that, based on RNNs, can easily generalize the details of specific data structures, allowing them to be correctly identified and located in memory snapshots even when they are associated with similar, but not perfectly identical, versions of the same operating system.
The success of this initiative would immediately provide reverse engineers with impressively flexible tools that would continue to work despite the continuous evolution of the target platforms.
Possibly more importantly, the resulting models are typically expensive to train but very cheap to apply at runtime, and could thus enable the application of memory forensic analysis methodologies to the runtime discovery of stealthy infections that are today extremely complex to detect.
To the best of our knowledge, this would represent the first tool for memory forensic analysis based on the use of machine learning techniques.

Call code: 
1497750

© Università degli Studi di Roma "La Sapienza" - Piazzale Aldo Moro 5, 00185 Roma