Memory Forensics-Based Malware Detection Using Computer Vision and Machine Learning


Bibliographic Details
Main Authors: Syed Shakir Hameed Shah, Abd Rahim Ahmad, Norziana Jamil, Atta ur Rehman Khan
Format: Article
Language: English
Published: MDPI AG 2022-08-01
Series: Electronics
Online Access: https://www.mdpi.com/2079-9292/11/16/2579
collection DOAJ
description Malware has grown exponentially in recent years and poses a serious threat to individual users, corporations, banks, and government agencies. This can be seen from the growth of Advanced Persistent Threats (APTs) that make use of advanced and sophisticated malware. With the wide availability of computer-automated tools such as constructors, email flooders, and spoofers, it is now easy for users who are not technically inclined to create variations of existing malware. Researchers have developed various defense techniques in response to these threats, such as static and dynamic malware analysis. These techniques are ineffective at detecting new malware in the main memory of the computer and otherwise require considerable effort and domain-specific expertise. Moreover, recent malware detection techniques require a long training time and occupy a large amount of memory because they rely on multiple factors. In this paper, we propose a computer vision-based technique for detecting malware that resides in the main computer memory, which is faster and more memory-efficient. It works by running portable executables in a virtual environment, extracting memory dump files from the volatile memory, and transforming them into a particular image format. Computer vision-based contrast-limited adaptive histogram equalization and the wavelet transform are used to improve the contrast of neighboring pixels and to reduce the entropy. We then use the support vector machine, random forest, decision tree, and XGBoost machine learning classifiers to train the model on the transformed images with dimensions of 112 × 112 and 56 × 56. The proposed technique was able to detect and classify malware with an accuracy rate of 97.01%. Its precision, recall, and F1-score were 97.36%, 95.65%, and 96.36%, respectively.
Our findings show that our technique of preparing the dataset with more efficient features for training by the machine learning classifiers has resulted in significant performance in terms of accuracy, precision, recall, F1-score, speed, and memory consumption. The performance has surpassed most of the existing techniques thanks to its unique approach.
first_indexed 2024-03-09T09:58:03Z
id doaj.art-1ba09c16ed9140cdb3e4e4bc46c2f4f5
institution Directory Open Access Journal
issn 2079-9292
last_indexed 2024-03-09T09:58:03Z
doi 10.3390/electronics11162579
affiliation Syed Shakir Hameed Shah, Abd Rahim Ahmad, Norziana Jamil: Institute of Energy Infrastructure, College of Computing and Informatics, University Tenaga Nasional, Kajang 4300, Selangor, Malaysia
Atta ur Rehman Khan: College of Engineering and IT, Ajman University, Ajman 346, United Arab Emirates
topic malware detection
machine learning
security
static analysis
dynamic analysis
memory forensics