[Security-meetings] Invitation to My CCS'18 Paper Presentation Rehearsal

Wei Song weisong.alvin at gmail.com
Tue Oct 2 14:20:03 PDT 2018


Dear all,

I would like to invite you to attend my ACM CCS'18 paper presentation
rehearsal on 2018-10-05, this Friday, 2:00 - 3:30 pm at WCH 203.

The title of my paper is: "DeepMem: Learning Graph Neural Network Models
for Fast and Robust Memory Forensic Analysis". You can find the abstract of
this paper at the end of this email.

Your suggestions and comments are very valuable to me. Looking forward to
seeing you.

Best regards,
Wei Song


ABSTRACT
Kernel data structure detection is an important task in memory forensics
that aims at identifying semantically important kernel data structures from
raw memory dumps. It is primarily used to collect evidence of malicious or
criminal behaviors. Existing approaches have several limitations: 1)
list-traversal approaches are vulnerable to DKOM attacks, 2) robust
signature-based approaches are not scalable or efficient, because they need
to search the entire memory snapshot for one kind of object using one
signature, and 3) both list-traversal and signature-based approaches
heavily rely on domain knowledge of the operating system. Based on these
limitations, we propose DeepMem, a graph-based deep learning approach to
automatically generate abstract representations for kernel objects, with
which we could recognize the objects from raw memory dumps in a fast and
robust way. Specifically, we implement 1) a novel memory graph model that
reconstructs the content and topology information of memory dumps, 2) a
graph neural network architecture to embed the nodes in the memory graph,
and 3) an object detection method that cross-validates the evidence
collected from different parts of objects. Experiments show that DeepMem
achieves high precision and recall rates in identifying kernel objects from
raw memory dumps. Also, the detection strategy is fast and scalable by using
the intermediate memory graph representation. Moreover, DeepMem is robust
against attack scenarios, like pool tag manipulation and DKOM process
hiding.