International Journal of Computer Networks and Communications Security
VOL. 8, NO. 5, May 2020, 37–45
Available online at: [Link]
E-ISSN 2308-9830 (Online) / ISSN 2410-0595 (Print)

An Efficient Approach of Threat Hunting Using Memory Forensics

Danish Javeed1, Muhammad Taimoor Khan2, Ijaz Ahmad3, Tahir Iqbal4, Umar Mohammed Badamasi5, Cosmas Obiora Ndubuisi6 and Aliyu Umar7

1, 4 Northeastern University, Shenyang, Liaoning province, China
2 Riphah Institute of Science and Technology, Islamabad, Pakistan
3, 5, 6, 7 Changchun University of Science and Technology, China

1 thedanishkhn@[Link]

ABSTRACT

The scale and frequency of new cyber-attacks have grown sharply in recent years. Such attacks have very complicated workflows and involve multiple illegal actors and organizations. Threat hunting is the process of proactively searching through networks for threats, including zero-day attacks, by repeating the hunting process again and again. Unlike threat intelligence, it uses different automated security tools to collect logs, and the patterns derived from those logs are used to build new intelligence-based tools. According to our research findings on threat hunting tools, there is a major flaw: the designed tools are limited to the collection of logs. They work entirely on logs to generate new patterns and ignore the system's main memory. Code written directly to memory therefore escapes this process and defeats proactive hunting. To overcome this major challenge, we propose two distinct methods: either generating alerts for malicious code in memory, or binding memory forensics processes to threat hunting tools, so that active hunting becomes possible.

Keywords: Information Security, Memory Forensics, Threat Hunting, Logs, Threat Intelligence, Automated Tools.

1 INTRODUCTION

Proactive threat hunting is the practice of proactively searching through networks or datasets to detect and respond to advanced cyber threats that evade traditional rule- or signature-based security controls. Threat hunting combines threat intelligence, analytics and automated security tools with experience, human intelligence and analytical skill. Cyber security comprises the technologies, processes and controls designed to protect systems, networks and information from cyber-attacks. Effective cyber security reduces the risk of cyber-attacks and protects organizations and individuals from the illegitimate exploitation of systems, networks and technologies. The larger part of cyber-attacks is automated and indiscriminate, exploiting known vulnerabilities. Instead of targeting specific organizations, attackers compromise whatever is exposed: your organization might be compromised today and you would not be aware of it.

The application of cyber security helps to prevent cyber-attacks, information breaches and data fraud, and it can support risk management. When an organization has a strong sense of network security and a workable incident response plan, it is better prepared to prevent and mitigate these attacks. For example, end-user protection defends data and guards against loss or theft while also scanning computers for malicious code. Cybercrime involves a computer and a network. Sometimes the computer may have been used to commit the crime, and in other cases the computer may have been the target of the crime. Cybercrime also covers offences committed against individuals or groups of people with a criminal motive, intended to harm the reputation of the victim or to cause physical or mental harm, or loss, to the victim directly or indirectly, using modern telecommunication networks such as the Internet (including but not limited to chat rooms, e-mail, bulletin boards and groups) and mobile phones. Cybercrime may threaten a person's or a nation's security and financial well-being.

Threat hunting is a proactive and iterative technique for identifying malicious activities. On the Sliding Scale of Cyber Security, hunting falls in the active defense category, as it is performed principally by a human analyst. Though threat hunters depend heavily on automation and machine support, the process itself cannot be fully automated, nor can any product perform the hunt on behalf of an expert. One of the human's most important contributions to any hunt is the early formulation of what sort of threat the analyst wants to hunt and how the analyst might discover that type of malicious activity in the system. We naturally refer to this early formulation as the hunt's hypothesis; it is essentially a statement of the hunter's testable ideas about what threats might be in the system and how to find them. There are two main components to producing any hunting hypothesis.

First, an analyst's ability to make hypotheses is derived from observations. An observation might be as simple as noticing a specific event that "just doesn't seem right", or something more complex, such as an assumption about current threat actor activity in the system grounded in a combination of previous knowledge of the actor and external threat intelligence. The second thing to understand is that hypotheses must be testable, i.e. there must be something you have at least a slight chance of finding in the data to which you have access. Good hunts rely on the hunter's ability to identify what data and tools are necessary to test the hypothesis. Completely testing a hypothesis also demands the correct analysis tools and techniques, ones that can simultaneously exploit information about the system and about the adversaries. A good threat-hunting platform supports analysts in creating hypotheses and lowers the barriers to testing them by providing ready access to the data and tools required to carry out the tests. Threat hunting is, appropriately, centered on threats. To be a threat, an adversary must have three things: the intent, capability and opportunity to do harm. Threat hunters focus their inquiry on adversaries who have those three qualities and who are already inside the networks and systems of the hunters' organization, where the hunters have the authority to gather information and deploy countermeasures. Cyber threat hunters work with a wide range of security monitoring solutions, for example firewalls, antivirus software, network security monitoring, data loss prevention, network intrusion detection, insider threat detection and other security instruments. Besides monitoring the network at the organizational level, they also examine endpoint data. They gather event logs from as many places as reasonably possible, as their work requires an adequate amount of security information.

Threat hunting is a proactive approach to identifying adversaries as opposed to reactively waiting for an alarm to go off. Most organizations are doing threat hunting to some degree today. Understanding their own hunting maturity will help guide organizations that need to develop these capabilities. Then, organizations need to equip threat analysts with the right training, datasets and automated platforms to become analysis-driven defenders. Threat hunting is aimed at discovering abnormal activities that otherwise can result in grave damage to your company. Understanding the normal activities in your environment is a prerequisite to comprehending activities that are not normal. If you understand normal operational activities, then anything abnormal should stand out and be noticed. A good threat-hunting practice requires threat hunters to think like an attacker. Normally, the task of threat hunters is to chase adversaries proactively and eliminate the chance of intrusion. If an attack has already taken place, however, they need to mitigate its impact in order to reduce damage. However, always looking for the signs of intrusion is not a very good approach. Rather, threat hunters should work to anticipate an attacker's next move.

OODA is an abbreviation of Observe, Orient, Decide and Act. Military personnel apply OODA when they carry out combat operations. Likewise, threat hunters use OODA during cyber warfare. In the context of threat hunting, OODA works as follows. Observe: the first phase, which involves routine data collection from endpoints. Orient: understanding the collected data thoroughly and combining it with other collected information to help understand its meaning, then analyzing whether signs of Command & Control (C&C) traffic occur or any other sign of attack is detected. Decide: once you have analyzed the information, you need to identify the course of action; if an incident has occurred, threat hunters will execute the incident response strategy. Act: the last phase involves the execution of the plan to put an end to the intrusion and enhance the company's security posture. Further measures are taken to prevent the same type of attack in the future.
2 RELATED WORK

This paper discusses that the threat from insiders is a problem which is not going away, and all indications show that it is getting worse day by day. An effective insider threat mitigation approach will help reduce risk, as well as the financial, legal and potential reputational damage to the organization [4]. This paper describes using analytics and machine learning; specialists generate and work from baselines that help recognize new and abnormal patterns for faster detection and remediation of known and unknown threats [14]. This paper gives a complete overview of ThreatConnect (TC) and the extensibility of the platform, which enables users to adapt and create automation for their processes rather than forcing them to adapt their processes to ThreatConnect's paradigm [3]. This paper labels two important components for producing hunting hypotheses: they are mainly grounded on observations, and they must be testable. First, an analyst's ability to generate hypotheses is obtained from observations. An observation might be as simple as noticing a specific event that "just doesn't seem right", or somewhat more complex, such as assuming that an actor's activity is running in the environment, an assumption based on past experience with the actor and some external threat intelligence. The second concept is that once there is a hypothesis it must be testable. That is, there should be something about your hypothesis that you have at least a slight chance of finding in the data to which you have access.

This paper gives a complete survey with key results (statistics): the SANS 2017 Threat Hunting Survey shows that, for numerous organizations, threat hunting is still new and poorly defined from a process and organizational perspective. Unfortunately, there are still numerous organizations that are reacting to incidents which have already caused damage instead of proactively looking for those threats inside the system. One thing which should be kept in mind is that threat hunting cannot be completely automated [6]. The business context is mostly organizational knowledge, and the technical context is the footprint of malicious activities inside the organization. This paper shows how technical information and business information highlight threat information. Most threat feeds consist of IOCs [7]. To compound the issue, the threats which exist inside the organization create a big problem for passive defenders, and that is the reason passive defense strategies are no longer feasible for hunting attackers. One of the major breaches of confidential information was carried out by an insider in the US. The detection delta is still high, i.e. roughly 90 days. Threat hunters must focus on going after, or hunting, the humans; simply sifting through logs and changes may be operational, but it does not lend itself to a proactive pursuit of intrusions within or against an organization. Asking a prospective hunting provider the right questions is critical to choosing the best partner. Not all hunting providers are shaped alike. Cyber threat hunting is not simply deploying an endpoint solution and assuming it will solve all your problems. Every cyber threat hunting provider should have four primary capabilities: deep direct experience with advanced adversaries and varied tactics, sweeping visibility into threatened environments, access to ongoing, active research driven by field engagements, and the ability to correlate data from many vantage points and analyze it cohesively.

This paper describes how the two models overlap and how both of them can meet different requirements, which are clarified in its two subsequent subsections. The Cyber Threat Intelligence model is the foundation of the assessment course which is accomplished in the paper [12]. This white paper describes how Wilhoit's mindset, skills and approach to threat hunting research are starting to find their way into mainstream Security Operations Centers (SOCs), while assessing the long-term significance of this development for enterprise security and beyond. "Hunting can also help identify low-level vulnerabilities and high-level architectural issues, since hunters are finding ways attackers attempt to and successfully compromise the organization." [13] It has been examined how a security organization can improve its SIEM with a cyber-security platform in order to take control of the chaos, gain a more complete understanding of threats, remove false positives, and form a proactive, intelligence-driven defense.

Most enterprises use their SIEMs to collect log data and correlate security events across multiple systems (intrusion detection devices, firewalls, etc.), their internal security logs, and event data, and, as such, SIEMs provide a number of benefits. This whitepaper aims to help an organization decide whether it is ready to incorporate threat hunting (TH) into its security or not [9]. A novel approach has been introduced in order to find the executable pages which are of the utmost importance to any investigator [1]. In order to capture packets on the victim's machine, software named Wireshark was used during the attack. The network capture was then saved as a pcap file. Using that file, the communication between the machines and the victim was inspected in order to confirm whether the intruder could be detected, and whether other signs of the malicious activity could be found [5].

Table 1: Limitation of Existing Work

| Ref. | Identification | Recommendation | Limitation |
|---|---|---|---|
| [1] | Gives a complete overview of hiding techniques which conceal executable pages, as well as a complete examination of page table entries. | No recommendations | No proactive threat hunting; works on post-incident threats |
| [2] | Memory forensics in the context of designing a forensic approach which will help to detect advanced malware threats; analysis of a sample memory image infected by a malware. | Stealthy volatile attacks which many a time reside only in memory or run exclusively from the machine memory. | Proactive threat intelligence is absent; no RAM processes. |
| [3] | Gives a complete overview of TC and the extensibility of the platform, enabling users to adapt and create automation for their processes rather than forcing them to adapt their processes to ThreatConnect's paradigm. | ThreatConnect tool | No RAM involved for hunting |
| [4] | Threat from insiders is a problem which is not going away, and all indications show that it is getting worse day by day. An effective insider threat mitigation approach will help reduce risk, as well as the financial, legal and potential reputational damage to the organization. | Automation using the kill chain process | No memory analysis |
| [5] | Hunt for a specific virus, Gh0st RAT. Forensic analysis of the memory using the Volatility software. | Using the Wireshark software. | Limited or no main memory analysis |
| [6] | Threat Hunting Survey shows that, for numerous organizations, it is still new and poorly defined from a process and organizational perspective. Unfortunately, there are still numerous organizations that are reacting to incidents that have already caused damage instead of proactively looking for those threats inside the system. Threat hunting cannot be completely automated. | Statistical analysis of threat intelligence platforms. No recommendations | No proactive threat hunting |
| [7] | Business context is mostly organizational knowledge, and the technical context is the footprint of malicious activities inside the organization network. Most threat feeds consist of IOCs. | Different CTI tools like SIEM, Splunk, toolkit, scanner, JSDidier, Volatility and Wireshark etc. for the network | Limited or no main memory analysis of the business system |
| [8] | Memory image analysis. RAM acquisition tools like Memory Reader Belkasoft are used. | No recommendation | Root cause of attacks is missing |
| [9] | Emphasizes methods for mixing and acting upon TI, information that should be vital to organizations of all sizes. The main key points of this paper are defining TI, sourcing TI and making TI actionable. | Use "kill-chain process"-like algorithms | Works on post-incident threats |
| [10] | Conducted digital forensics, assisting investigators to identify crime scenes. | Four-phase fusion framework, processes in digital forensics. | How these phases work is absent. No proper implementation is covered. |
| [11] | Analysis of complex malware by integrating static and memory forensics techniques. | Proposal of an efficient and robust framework for the analysis process | Information on malware types is absent. |
| [12] | The two models overlap and both of them can meet different requirements that are clarified in the two subsequent subsections. The Cyber Threat Intelligence model is the foundation of the assessment course which is accomplished in the paper. | No recommendation | Proactive threat intelligence absent |
| [13] | Wilhoit's mindset, skills and approach to threat hunting research are starting to find their way into mainstream Security Operations Centers (SOCs), while assessing the long-term significance of this development for enterprise security and beyond. | DomainTools' Iris and Wilhoit | Memory-only malware is left undetected, so proactive hunting fails |
| [14] | Using analytics and machine learning, specialists generate and work from baselines that help recognize new and abnormal patterns for faster detection and remediation of known and unknown threats. | Log collection using security tools | RAM processes are not included |

3 IMPLEMENTATION

The implementation phase has been divided into two parts, i.e. case 1 and case 2. In the first case a malware has been injected into a system in order to infect it in a way that is not detected by the system's main memory protections or by the antivirus on the system, which runs in VMware. In the second case the system stack has been overloaded using the buffer overflow technique; the host system is again in VMware, Linux has been used for this purpose, and Python is used for the payload step.

3.1 Case 1:

3.1.1 Injection of Malware

A malware has been injected into the system by running it as a hidden program, simply by clicking on it as shown in the figure below. It is a simple .exe file that contains malicious code which runs after the file is opened and starts its own process in the system's main memory. The aim of running this file is that it runs in system memory without leaving any artifacts for the existing security solutions and measures; it bypasses all of the security measures of the operating system and cannot be detected, which is clearly a flaw in our existing systems, as shown in Fig. 1.

Fig. 1. Malware Injection

3.1.2 Acquiring memory dumps

In this phase the memory dumps have been taken to an external drive in order to do the proposed work. All of the memory dumps have been taken to an external drive in order not to interrupt the current processes in the existing system. For the collection of the memory dumps, the Redline tool has been used. After taking the memory dumps, the next step is to analyze them using the Redline tool (a tool used for forensic analysis), which has been used to show all of the current processes in the infected system's main memory in order to verify the existence of the malware injected from our host system.
Fig. 2. Acquiring memory dumps

For this part of the research, the dumps/files of the infected machine, which have been saved to the external drive, are used to verify the malicious activity in the infected system that has not been detected by the infected system's main memory protections or by the antivirus on the system. The investigation of the data has been performed with the Redline tool. The investigation is host-based, driven by an external investigation lead.

3.1.3 System information of the infected machine

After the second phase of the research, which is the investigation of the infected system, all of the information of the infected machine has been shown in Fig. 3, which contains the machine information, operating system information, user information and, last but not least, the BIOS information of the system. In the process of analyzing the data, a total of 2 GB of RAM has been taken in order to save processing time, as the greater the RAM size, the more time it takes to take the memory dumps and investigate them. Furthermore, the figure also shows which OS has been used in the infected system, as well as the version of the BIOS. All of this information is shown in Fig. 3 as follows:

Fig. 3. System Information

3.1.4 Verification of malware in the system

The final stage of case 1 is to verify the existence of the malicious file in the system's main memory. In the early phase, malicious code was injected into the system using an exe file, simply by clicking on it, and all of the code inside that file ran in the system's main memory without leaving any artifact on the system, which is a real threat to our system. Now in this phase it has been verified, and shown in the figure, that the file was running smoothly in system memory and our system was unable to detect it and flag it as malicious activity. Neither was it caught by the antivirus as abnormal activity. Now we can search for the malware, which is a running process in system memory with the same name as the system file "atm-malware"; it merged itself with the other system files as if it were a normal activity among the running processes of the system, as shown in the figure. Without applying the technique of memory forensics, no other security tool or antivirus can detect it and prove it to be malicious activity. The figure below proves its existence in the current system.

Fig. 4. Malware Verification

As shown in the above figure, it has been verified that the file was already a running process in the system and the system's main memory protections failed to detect it as abnormal activity, which is a real flaw in our system, as it leaves a backdoor for adversaries which can do real harm to our systems. By using such files or code they can damage our system. All of the information about the file and its running process time has also been shown in the figure, and it proves how our systems are at risk from such attacks. The next step of this research contains the practical demonstration of getting access to a system by using a C program on Linux.
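The verification in 3.1.4 is done by eye in the Redline process listing. The following added example (not code from the paper) scripts the same hunt over a constructed, Redline-style process and memory-region listing: a system binary name running from the wrong directory, a live process whose image is not on disk, and a private writable-and-executable region with no mapped file, which is the footprint of code written directly into memory that the abstract says log-only tooling misses. The SYSTEM_BINARIES baseline and the sample listing are assumptions.

```python
"""Script the process hunt of Section 3.1.4 over a memory-dump listing.

Added example, not the paper's own code. The listing below is constructed by hand
in the shape of a Redline/Volatility-style process and memory-region export, and
the SYSTEM_BINARIES table is an assumed baseline for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed baseline: where these Windows system binaries are expected to live.
# A real hunt derives this from a known-good image of the environment.
SYSTEM_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


@dataclass
class Region:
    base: int
    size: int
    protection: str             # e.g. "PAGE_EXECUTE_READWRITE"
    mapped_file: Optional[str]  # None when the pages are private, not file-backed


@dataclass
class Process:
    pid: int
    ppid: int
    name: str
    path: Optional[str]         # None when the dump shows no image path at all
    on_disk: bool               # whether the image file still exists on the disk image
    regions: List[Region] = field(default_factory=list)


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def _dirname(path: str) -> str:
    """Directory part of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def hunt(processes: List[Process]) -> List[Finding]:
    """Apply three memory-forensics checks that log-only tooling cannot make."""
    findings = []
    for p in processes:
        lname = p.name.lower()
        # Rule 1: a system binary name running from an unexpected directory
        # (a process "merging with the system files", as in Fig. 4).
        if lname in SYSTEM_BINARIES and p.path and _dirname(p.path) != SYSTEM_BINARIES[lname]:
            findings.append(Finding(p.pid, "masquerade", f"{p.name} runs from {p.path}"))
        # Rule 2: a live process whose image is not on disk: the code exists only in RAM.
        if p.path is None or not p.on_disk:
            findings.append(Finding(p.pid, "fileless", f"{p.name} has no backing file"))
        # Rule 3: a private, writable and executable region with no mapped file,
        # the footprint of code written directly into memory.
        for r in p.regions:
            if r.mapped_file is None and "EXECUTE" in r.protection and "WRITE" in r.protection:
                findings.append(Finding(
                    p.pid, "injected_region",
                    f"{p.name} has RWX private region at {r.base:#x} ({r.size:#x} bytes)"))
    return findings


# Constructed sample listing (kernel pseudo-processes such as System are omitted).
SAMPLE_PROCESSES = [
    Process(612, 500, "services.exe", r"C:\Windows\System32\services.exe", True),
    Process(3016, 2900, "explorer.exe", r"C:\Windows\explorer.exe", True),
    Process(820, 612, "svchost.exe", r"C:\Windows\System32\svchost.exe", True, [
        Region(0x7ff800000000, 0x1f0000, "PAGE_EXECUTE_READ", r"C:\Windows\System32\ntdll.dll"),
        Region(0x1e0000, 0x20000, "PAGE_EXECUTE_READWRITE", None),
    ]),
    Process(2140, 3016, "svchost.exe", r"C:\Users\victim\AppData\Local\Temp\svchost.exe", True),
    Process(3320, 3016, "atm-malware.exe", r"C:\Users\victim\AppData\Local\Temp\atm-malware.exe", False),
]


def hunt_sample() -> List[Finding]:
    """Run the hunt over the constructed listing; three findings are expected."""
    return hunt(SAMPLE_PROCESSES)


if __name__ == "__main__":
    for f in hunt_sample():
        print(f"pid {f.pid:<5} {f.rule:<16} {f.detail}")
```

The three rules are the ones a log-only pipeline cannot evaluate, because the path, on-disk status and region protections come from the memory image rather than from event logs.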
Hence, as already stated, Fig. 3 contains all of the information of the infected system, including the system information etc.; all of that information has been shown in the figure. Furthermore, the processes have been categorized as application processes as well as services.

3.2 Case 2:

A system's stack will be overloaded by adding malicious code to run within authorized application programs
in the victim's RAM. When the code runs successfully it will create a backdoor for the attacker to gain access to the target system without leaving any log information.

This refers to the 'smash the stack' attack. In various C implementations it is possible to corrupt the execution stack by writing past the end of an array declared auto in a routine. Code that does this is said to smash the stack, and can cause the return from the routine to jump to an arbitrary address. This can produce some of the most insidious data-dependent bugs known to mankind. By doing this, an attacker can cause the program to run according to his will instead of its legitimate execution. An attacker may also inject malicious code into the program to perform their desired actions.

3.2.1 Practical Demonstration

Step 1

A file named vuln.c has been created on Linux in the first step of this practical. The file must be a .c file so that it can be compiled as a C program, as shown in the figure below. All of the lines of the code in the algorithm part above are written into this file and later run in the Linux terminal for the execution of this practical program. In this step the creation of the file has been done, which can be seen in Fig. 5 below:

Fig. 5. Creation of .c file

Step 2

In this step the compilation of the written program has been executed, using this line of code: gcc vuln.c -o vuln -fno-stack-protector. As shown in the figure below, it has been executed successfully. In order to execute this code, gcc needs to be installed on the host machine.

Fig. 6. Compilation of file

Step 3

Now that the creation of the .c file and its compilation have been done in the above two steps, it is time to execute the program. For a normal execution, a very simple line of code has been used in order to smash the stack. Once that has happened, the next step is the disassembly of the binary, which has already been mentioned in the algorithm part above, and the execution of my secret function after the stack is overflowed. The execution of the program after creation and compilation is given in the figure below:

Fig. 7. Execution of program

Step 4

After the successful execution of the program it is time for the disassembly of the binary. The disassembly of the binary is very necessary in such a process in order to know the exact location of the secret function which has been written by us, the secret function which we designed to be called after the buffer overflow or smashing of the stack. The command for this is objdump -d sts. The figure below shows the disassembly of the binary.
Fig. 8. Disassembly of binary

Fig. 9. Piping the payload

After the successful execution of the step 4 it is 4 CONCLUSION


very necessary to write down the address of our
secret function so later on it will be required to Threat hunting is a newly introduced and a hot
perform the successful attack on the system. After research topic in the upcoming field of the
the successful execution of all of the above steps cybersecurity. In other words, it is called as a new
the last step is to design the payload. Now as we born baby in IT. After doing my research on such
already know that after the execution that 28 bytes domain I came to know about a very major flaw
are reserved for the buffer. The %rbp will be stored which is quoted as “No file-less malware detection
in the next 4 bytes. Hence the return address will in the main memory but only malware analysis is
be stored in the next 4 bytes. The return address included in threat hunting tools and procedure” and
here is the address that %eip have to jump after the without addressing this main issue all of the threat
compilation of the secret function. So, it is very hunting software applications or all of its
simply explained that how the designed payload intelligent tools made by using tool generated the
will work here. The first 32 bytes, 32 means 28+4 threat pattern could be failed completely.
would be any of the random characters and the By doing the above experiments it was not hard to
address of our secret function will be in the decide that if a malware specifically a file less
upcoming 4 bytes.

Step 5

Step 5 is the last phase of this demonstration and of this research work. As all of the processes have been completed in the above stages of the practical work, the last step is to pipe the designed payload into the sts binary. The command for piping the payload (Python 2 syntax) is:

python -c 'print "P"*32 + "\x9c\x84\x04\x08"' | ./sts

The reason for writing the address in this way is the machine's endianness, whether it is big or little endian: on a little-endian machine the bytes of the target address have to be supplied in reverse order. After the program is executed, the figure below shows very clearly that the program has entered the secret function. The reason is that the stack has been smashed, in other words overflowed. Because the stack was smashed, the desired code written by us was executed, as shown in the figure below:

malware resides in the main memory of our systems, where it is not detectable by the system or by detection applications. This makes our system vulnerable to adversaries, and it is accessible to third parties, which is a real threat to our systems: the adversary can gain root access to our systems without our knowledge and steal all of our confidential data or information. So, the above experimental procedures have already shown that a zero-day attack cannot be detected without the mechanism of threat hunting together with human interaction, as proactive threat hunting is not possible without human interaction.

To overcome this issue, I have suggested two methods which, if incorporated into threat hunting techniques or their tools, will help generate logs of memory, recording only malware entries by raising alerts on RAM. By addressing this, threat hunting can be proactively made successful. Furthermore, deep learning/machine learning is very effective for threat detection as well as for zero-day attacks. There are huge data sets of benign and malicious traffic available, through which I will train my own model for the detection of such attacks; so, as my future work, I will involve deep learning in threat hunting in order to avoid zero-day attacks.
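As an added illustration of the endianness point and of the overflow that Step 5 relies on (example code written for this edit, not code from the paper or from the sts binary), the C program below decodes the paper's four address bytes as a little-endian value and contrasts an unchecked copy into a fixed-size stack buffer with a length-checked copy that rejects over-long input; the 32-byte buffer size, the function names and the constructed payload are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 32  /* assumed buffer size, matching the 32 filler bytes */

/* Decode 4 bytes as a little-endian 32-bit value, the way an x86 CPU
 * reads a saved return address from the stack. This is why the paper
 * writes the target address byte-reversed ("\x9c\x84\x04\x08"). */
uint32_t le32_decode(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unsafe pattern (the class of bug the demo exploits): input is copied into
 * a fixed-size stack buffer with no length check, so bytes past BUF_LEN
 * overwrite what follows the buffer on the stack, including the saved
 * return address. Shown for contrast only; deliberately never called. */
void unsafe_copy(const char *input) {
    char buf[BUF_LEN];
    strcpy(buf, input);            /* no bound: overflows if input >= BUF_LEN */
    printf("%s\n", buf);
}

/* Hardened version: the destination length is enforced before copying and
 * over-long input is rejected (a natural place to raise an alert) rather
 * than silently truncated. Returns 0 on success, -1 if rejected. */
int safe_copy(const char *input, char *out, size_t out_len) {
    size_t n = strlen(input);
    if (n >= out_len)              /* leave room for the terminator */
        return -1;
    memcpy(out, input, n + 1);
    return 0;
}

int main(void) {
    /* Constructed stand-in for the paper's payload: 32 filler bytes
     * followed by the 4 address bytes. */
    unsigned char addr[4] = {0x9c, 0x84, 0x04, 0x08};
    char payload[BUF_LEN + 4 + 1];
    char buf[BUF_LEN];
    memset(payload, 'P', BUF_LEN);
    memcpy(payload + BUF_LEN, addr, 4);
    payload[BUF_LEN + 4] = '\0';
    printf("address decoded little-endian: 0x%08x\n", le32_decode(addr));
    printf("safe_copy(payload) returned: %d\n", safe_copy(payload, buf, sizeof buf));
    return 0;
}
```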