Authors: Jonathan Adkins
DFRWS USA 2026
Abstract
In recent years investigating computer and network breaches has become increasingly challenging due to stealth-oriented malware and “living off the land” techniques. Traditional signature-based detection methods often fail to identify malware threats because they mimic legitimate OS behavior and they operate within telemetry ranges that are associated with routine background activity. This research proposes Graph-Assisted Telemetry Observation and Response (GATOR). GATOR is a multi-layered incident response forensic pipeline designed to identify stealthy malware that is hidden within Windows operating system telemetry datasets. Using our proposed method, malware is identified using machine learning, graph analysis, and analyst-guided workflows facilitated by a comprehensive dashboard.
Our proposed method integrates multiple digital forensic artifacts that are commonly used during Windows incident response investigations. These artifacts include the System Resource Usage Monitor (SRUM), Windows event logs, the Amcache registry hive, the master file table ($MFT), and prefetch files. The first layer of the GATOR pipeline performs telemetry ingestion. During this phase, the artifact data is aggregated, normalized, and cross correlated so that the datset is “artifact aware,” meaning the identification of evidence is cross-referenced via labeled columns which state where the evidence originated. IP address information is extracted from Windows event log payload data fields. Layer 1 creates a unified, normalized investigative dataset that is suitable for behavioral analysis. The emphasis is placed on the preservation of temporal relationships between forensic objects such as event ID numbers, IP addresses, and executable names.
Layer two of our approach introduces a behavioral anomaly scoring system that is specifically engineered to identify stealth-oriented malware that operates in routine telemetry zones. Rather than relying purely on statistical deviation scores, GATOR identifies a statistical “sweet spot.” This is a telemetry transitional zone that is located between benign, routine operating system activity and anomalous activity. The pipeline uses the following ensemble of machine learnng algorithms to calculate a wealth of different behavioral scores: Isolation Forest, Autoencoders, and Hidden Markov Models. Some of the scores that are calculated relate to network behavior, temporal execution patterns, and reverse shell behavior. Additional heuristics are used to identify malware that is masquerading as routine processes and anomalous parent-child relationships.
Layer three of GATOR transforms the enriched data into graph-based structures and temporal episodes that can be queried for timeline analysis. The pipeline uses dimensionality reduction and HDBSCAN clustering to identify behavioral neighborhoods and communities. Objects such as event ID numbers, IP addresses, and LOLbins that are associated with malware are shown as neighborhood graphs. Using these graphs an analyst can view which objects are clustered together during a particular episode. This way a user can see what objects co-occurred at a particular time, which may help identify activity such as privilege escalation or persistence.
This research contributes to the growing field of AI-assisted digital forensics by proposing the integration of machine learning outputs with human analyst-centric forensic inference and reasoning. Rather than replace the analyst, GATOR is designed to augment existing workflows by allowing the analyst to review data surfaced by machine learning algorithms and giving him or her the tools to visually recreate the timeline of an attack.