{"title":"Unveiling the veiled: An early stage detection of fileless malware","authors":"Narendra Singh, Somanath Tripathy","doi":"10.1016/j.cose.2024.104231","DOIUrl":null,"url":null,"abstract":"<div><div>The threat actors continuously evolve their tactics and techniques in a novel form to evade traditional security solutions. Fileless malware attacks are one such advancement, which operates directly within system memory, leaving no footprint on the disk, so became challenging to detect. Meanwhile, the current state-of-the-art approaches detect fileless attacks at the final (post-infection) stage, although, detecting attacks at an early-stage is crucial to prevent potential damage and data breaches. In this work, we propose an early-stage detection system named <em>Argus</em> to detect fileless malware at early-stage. <em>Argus</em> extracts key features from acquired memory dumps of suspicious processes in real-time and generates explained features. It then correlates the explained features with the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework to identify fileless malware attacks before their operational stage. The experimental results show that <em>Argus</em> could successfully identify, 4356 fileless malware samples (out of 5026 samples) during the operational stage. 
Specifically, 2978 samples are detected in the pre-operational phase, while 1378 samples are detected in the operational phase.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104231"},"PeriodicalIF":4.8000,"publicationDate":"2024-12-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404824005376","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
Citation count: 0
Abstract
Threat actors continuously evolve their tactics and techniques in novel forms to evade traditional security solutions. Fileless malware attacks are one such advancement: they operate directly within system memory, leaving no footprint on the disk, and so are challenging to detect. Meanwhile, current state-of-the-art approaches detect fileless attacks at the final (post-infection) stage, although detecting attacks at an early stage is crucial to prevent potential damage and data breaches. In this work, we propose an early-stage detection system named Argus to detect fileless malware at an early stage. Argus extracts key features from acquired memory dumps of suspicious processes in real time and generates explained features. It then correlates the explained features with the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework to identify fileless malware attacks before their operational stage. The experimental results show that Argus could successfully identify 4356 fileless malware samples (out of 5026 samples) during the operational stage. Specifically, 2978 samples are detected in the pre-operational phase, while 1378 samples are detected in the operational phase.
About the journal:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors: industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.