MalDicom: A Memory Forensic Framework for Detecting Malicious Payload in DICOM Files
Ayushi Mishra, Priyanka Bagade

TL;DR
This paper introduces MalDicom, a forensic framework that detects malicious payloads in DICOM files by analyzing memory dumps with machine learning, highlighting vulnerabilities and malware infiltration risks in medical imaging systems.
Contribution
The paper presents a novel memory forensic approach using machine learning to detect malware in DICOM files, addressing security vulnerabilities in medical imaging data.
Findings
Achieved up to 75% accuracy with Random Forest classifier.
Identified key features influencing malware detection using Shapley values.
Demonstrated malware infiltration through DICOM preamble vulnerabilities.
Abstract
Digital Imaging and Communication System (DICOM) is widely used throughout the public health sector for portability in medical imaging. However, these DICOM files have vulnerabilities in the preamble section. Successful exploitation of these vulnerabilities can allow attackers to embed executable code in the 128-byte preamble of DICOM files. Embedding the malicious executable does not interfere with the readability or functionality of the DICOM imagery; however, it silently affects the underlying system when these files are viewed. This paper shows the infiltration of Windows malware executables into DICOM files. When the files are viewed, the malicious DICOM payload executes and can eventually infect the entire hospital network through the radiologist's workstation. The code injection process of executing malware in DICOM files affects the hospital networks and the workstations' memory.…
Taxonomy
Topics: Advanced Malware Detection Techniques · Digital and Cyber Forensics · Anomaly Detection Techniques and Applications
