Research And Implementation Of Linux Memory Forensic Analysis Technology Based On Deep Learning

Posted on: 2024-04-18
Degree: Master
Type: Thesis
Country: China
Candidate: Y Zhang
GTID: 2568306941995719
Subject: Computer technology

Abstract/Summary:
As computer technology becomes intertwined with more and more aspects of daily life, people have begun to consider how to combat illegal activities that target these scenarios. Linux is now widely deployed on the server side because it is open source and stable, yet network attacks targeting the Linux platform keep emerging, with significant impact on individuals, businesses, government agencies and other organizations. In addition, the trend towards memory-resident attacks is becoming more evident, so memory forensics technology for the Linux platform needs to be researched.

Traditional forensic software mostly relies on the file system and cannot effectively analyze memory-based attacks. Existing memory forensics methods still extract and analyze physical memory, but because of segmented and paged memory management, some memory data cannot be recovered from a physical memory image. This thesis therefore studies memory forensics technology for the Linux platform, focusing on analyzing the extracted virtual memory of a process, reconstructing binary files from it, and using deep learning for binary comparison to determine whether malicious processes are present in the system, thereby assisting forensic personnel in their work.

The main contributions of this thesis are as follows:

(1) Implementation of an information extraction framework for a forensics system, which obtains relevant information from a running Linux system and extracts the data of a process's virtual memory space;

(2) Binary comparison experiments using deep learning: features are extracted from assembly instruction sequences, embedding vectors are generated with a Transformer network architecture, and binaries are compared on these embeddings;

(3) Construction of a fast screening module based on the locality-sensitive hashing (LSH) algorithm: weights are set for the various attributes of binary functions, a group of similar samples is quickly retrieved for each function embedding vector of the binary via LSH, and each retrieved sample from the sample library is evaluated with a scoring model, so that a group of malicious samples similar to a given binary file is obtained quickly.
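Contribution (1) extracts a process's virtual memory space from a running Linux system. The following is an added example, not the thesis's extraction framework: it enumerates the mappings of a live process from /proc/<pid>/maps and reads them by virtual address through /proc/<pid>/mem, so the kernel performs the virtual-to-physical translation that a raw physical dump would force the analyst to redo by walking page tables. The sample maps text is constructed. Reading /proc/<pid>/mem requires ptrace permission over the target (the same uid under a permissive ptrace_scope, or CAP_SYS_PTRACE), and because the data is served by the live kernel, a kernel-level rootkit can falsify it.

```python
"""Enumerate and read the virtual memory regions of a live Linux process.

Added example, not the thesis's code. /proc/<pid>/maps lists every mapping
with its permissions and backing file; /proc/<pid>/mem lets the mapping be
read by virtual address. File-backed regions ordered by file offset are the
pieces needed to reconstruct the in-memory image of a binary. SAMPLE_MAPS
below is constructed for the demo.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
_MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$"
)


@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str       # e.g. "r-xp": read, write, execute, private/shared
    offset: int      # file offset for file-backed mappings
    dev: str
    inode: int
    path: str        # "" for anonymous memory

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def executable(self) -> bool:
        return self.perms[2] == "x"


def parse_maps(text: str) -> List[Region]:
    """Parse the text of a maps file; lines that are not mappings are skipped."""
    regions = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if m is None:
            continue
        regions.append(Region(int(m[1], 16), int(m[2], 16), m[3], int(m[4], 16),
                              m[5], int(m[6]), m[7].strip()))
    return regions


def file_backed(regions: List[Region], path: str) -> List[Region]:
    """Mappings of one file in file-offset order: the pieces of its in-memory image."""
    return sorted((r for r in regions if r.path == path), key=lambda r: r.offset)


def suspicious_exec(regions: List[Region]) -> List[Region]:
    """Executable mappings with no file on disk behind them (anonymous, memfd or
    deleted-file backed): the typical footprint of memory-only code loading."""
    return [r for r in regions if r.executable and
            (r.path == "" or r.path.startswith("/memfd:") or r.path.endswith("(deleted)"))]


def read_region(pid: int, region: Region) -> Optional[bytes]:
    """Read one mapping through /proc/<pid>/mem; None if the kernel refuses
    (e.g. [vsyscall], guard pages, or missing ptrace permission)."""
    try:
        with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
            mem.seek(region.start)
            return mem.read(region.size)
    except (OSError, OverflowError, ValueError):
        return None


# Constructed sample: a /usr/bin/cat image, an anonymous RWX region, an executable
# memfd-backed region, the stack and the vsyscall page.
SAMPLE_MAPS = """\
55d6c0a00000-55d6c0a02000 r--p 00000000 fd:01 1311236    /usr/bin/cat
55d6c0a02000-55d6c0a07000 r-xp 00002000 fd:01 1311236    /usr/bin/cat
55d6c0a07000-55d6c0a09000 r--p 00007000 fd:01 1311236    /usr/bin/cat
55d6c0a0a000-55d6c0a0b000 rw-p 00009000 fd:01 1311236    /usr/bin/cat
7f3e1c000000-7f3e1c021000 rwxp 00000000 00:00 0
7f3e1c400000-7f3e1c411000 r-xp 00000000 00:05 4242       /memfd:payload (deleted)
7ffd1a2b3000-7ffd1a2d4000 rw-p 00000000 00:00 0          [stack]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0  [vsyscall]
"""

if __name__ == "__main__":
    regs = parse_maps(SAMPLE_MAPS)
    for r in suspicious_exec(regs):
        print(f"suspicious: {r.start:#x}-{r.end:#x} {r.perms} {r.path or '<anonymous>'}")
    # Live run against the current process (Linux only, needs ptrace access to self).
    try:
        with open("/proc/self/maps") as f:
            live = parse_maps(f.read())
    except FileNotFoundError:
        raise SystemExit("no procfs here; only the constructed sample was analysed")
    first = next(r for r in live if r.perms[0] == "r")
    data = read_region(os.getpid(), first)
    print(f"read {len(data) if data else 0} bytes from {first.start:#x} ({first.path or '<anonymous>'})")
```

Running the constructed sample flags two regions: the anonymous RWX mapping and the executable memfd mapping whose backing file was deleted; the vsyscall page is executable but is a kernel-provided mapping and is not flagged. The file-backed /usr/bin/cat regions, taken in file-offset order, are the pieces the reconstruction step would write back into an ELF-shaped image.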
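Contribution (3) is an LSH fast-screening module in front of the scoring model. The block below is an added example, not the thesis's implementation: random-hyperplane LSH (a standard LSH family for cosine similarity) places function embedding vectors into buckets keyed by the sign of their projection onto random planes, so only library samples sharing a bucket with a query function are passed to the weighted scoring model. The embedding width, the attribute names (n_insns, n_blocks, n_calls), the weights and the three-family sample library with random embeddings are assumptions for illustration.

```python
"""Fast screening of binary functions with locality-sensitive hashing.

Added example, not the thesis's code. Function embeddings (here random, in
the thesis produced by a Transformer over assembly instruction sequences)
are indexed in several random-hyperplane hash tables; a query function only
gets scored against samples that share a bucket with it in some table. The
scoring model weights embedding cosine against agreement on structural
attributes of the function. Attribute names, weights and the sample library
are constructed for the demo.
"""
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

DIM = 16  # toy embedding width; a Transformer model would emit hundreds


@dataclass(frozen=True)
class FuncSample:
    name: str
    family: str                    # malware family label in the sample library
    embedding: Tuple[float, ...]
    n_insns: int                   # structural attributes from disassembly (assumed)
    n_blocks: int
    n_calls: int


def cosine(a: Sequence[float], b: Sequence[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


class HyperplaneLSH:
    """n_tables hash tables, each keyed by an n_bits pattern of projection signs.

    Two vectors at angle theta collide in one table with probability
    (1 - theta/pi) ** n_bits, so near-duplicates share a bucket in at least
    one table with high probability while unrelated vectors mostly do not.
    Identical vectors always collide in every table.
    """

    def __init__(self, dim: int, n_bits: int = 8, n_tables: int = 4, seed: int = 7):
        rng = random.Random(seed)
        self.planes = [[[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(n_bits)]
                       for _ in range(n_tables)]
        self.tables: List[Dict[int, List[int]]] = [{} for _ in range(n_tables)]
        self.samples: List[FuncSample] = []

    @staticmethod
    def _key(vec: Sequence[float], planes: List[List[float]]) -> int:
        key = 0
        for plane in planes:
            side = sum(x * p for x, p in zip(vec, plane)) >= 0.0
            key = (key << 1) | int(side)
        return key

    def add(self, sample: FuncSample) -> None:
        idx = len(self.samples)
        self.samples.append(sample)
        for planes, table in zip(self.planes, self.tables):
            table.setdefault(self._key(sample.embedding, planes), []).append(idx)

    def candidates(self, vec: Sequence[float]) -> List[FuncSample]:
        """Union of the query's buckets across all tables."""
        hits = set()
        for planes, table in zip(self.planes, self.tables):
            hits.update(table.get(self._key(vec, planes), ()))
        return [self.samples[i] for i in sorted(hits)]


# Scoring model: weighted sum of embedding cosine and per-attribute agreement.
WEIGHTS = {"embedding": 0.7, "n_insns": 0.1, "n_blocks": 0.1, "n_calls": 0.1}


def score(query: FuncSample, cand: FuncSample) -> float:
    total = WEIGHTS["embedding"] * cosine(query.embedding, cand.embedding)
    for attr in ("n_insns", "n_blocks", "n_calls"):
        a, b = getattr(query, attr), getattr(cand, attr)
        total += WEIGHTS[attr] * (1.0 - abs(a - b) / max(a, b, 1))  # 1.0 when equal
    return total


def screen(index: HyperplaneLSH, binary_funcs: Sequence[FuncSample],
           threshold: float = 0.8) -> Dict[str, float]:
    """{family: best score} over all functions of the binary that pass the threshold."""
    verdict: Dict[str, float] = {}
    for fn in binary_funcs:
        for cand in index.candidates(fn.embedding):
            s = score(fn, cand)
            if s >= threshold and s > verdict.get(cand.family, 0.0):
                verdict[cand.family] = s
    return verdict


def build_demo_library(seed: int = 1) -> Tuple[HyperplaneLSH, List[FuncSample]]:
    """Constructed library: three families, two functions each, random embeddings."""
    rng = random.Random(seed)
    index = HyperplaneLSH(DIM)
    lib: List[FuncSample] = []
    for family in ("familyA", "familyB", "familyC"):
        for k in range(2):
            emb = tuple(rng.gauss(0.0, 1.0) for _ in range(DIM))
            sample = FuncSample(f"{family}_fn{k}", family, emb, 40 + 10 * k, 6 + k, 3)
            index.add(sample)
            lib.append(sample)
    return index, lib


if __name__ == "__main__":
    index, lib = build_demo_library()
    # A function lifted from memory whose embedding equals a library sample's
    # lands in the same bucket of every table and scores 1.0 against it.
    suspect = FuncSample("sub_401000", "?", lib[2].embedding, lib[2].n_insns,
                         lib[2].n_blocks, lib[2].n_calls)
    print(screen(index, [suspect]))
```

The candidate set is the union of buckets across tables, so recall is tuned with n_tables and precision (candidate volume) with n_bits; the scoring model then only runs on that small set. Attribute agreement is what keeps a near-identical embedding from a much larger function from scoring as a full match.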
Keywords: memory forensics, network security, assembly instructions, binary code similarity detection, malware