Improving Memory Malware Detection in Machine Learning With Random Forest-Based Feature Selection

Qais Al-Na'amneh, Ahmad Nawaf Nasayreh, Rabia Al Mamlook, Hasan Gharaibeh, Asalla M. Alsheyab, Mohammed Almaiah
Copyright: © 2024 | Pages: 19
DOI: 10.4018/979-8-3693-2691-6.ch006

Abstract

Memory analysis is important in malware detection because it can capture a wide range of traits and behaviors. As technology evolves, so do the strategies used by malicious actors who aim to compromise the security and integrity of digital systems. This study investigates the classification of cyberattacks into malicious and benign classes. A specific malware memory dataset, MalMemAnalogy-2022, was created to test and evaluate this framework. In this chapter, a set of machine learning algorithms was applied, including support vector machine (SVM), K-nearest neighbor (KNN), and random forest (RF). To ensure strong performance, especially in identifying important features, the random forest method was used to select the most important features, which achieves the best results and discards features of little importance. The random forest algorithm achieved 99.9% accuracy, precision, recall, and F1-score. The present approach can detect and mitigate malicious cyber-attacks, significantly improving the security framework for end-users by detecting memory malware with machine learning.
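The pipeline the abstract describes (grow a random forest, rank features by the impurity decrease each one contributes, keep only the top-ranked features, retrain, and score on accuracy, precision, recall and F1) as an added, self-contained example. This is not code from the chapter and it does not use the MalMemAnalogy-2022 data: the feature names and the synthetic dataset are constructed for illustration, and the forest is a bootstrap ensemble of depth-one trees (decision stumps) with a random feature subset per tree, which is enough to show how mean-decrease-in-impurity importance is computed and used for selection.

```python
import random

# Constructed synthetic dataset (not MalMemAnalogy-2022): six numeric features
# named after typical memory-forensics counters; only the first two carry
# signal, the remaining four are pure noise.
FEATURE_NAMES = ["pslist_nproc", "dlllist_ndlls", "handles_nhandles",
                 "svcscan_nservices", "callbacks_ncallbacks", "modules_nmodules"]


def make_dataset(n=400, seed=1):
    """Generate n labelled rows; label 1 = malicious, 0 = benign."""
    rng = random.Random(seed)
    rows, labels = [], []
    for _ in range(n):
        y = rng.randint(0, 1)
        informative = [rng.gauss(60 + 25 * y, 8), rng.gauss(200 - 60 * y, 20)]
        noise = [rng.gauss(50, 10) for _ in range(4)]
        rows.append(informative + noise)
        labels.append(y)
    return rows, labels


def gini(labels):
    """Gini impurity of a binary label list."""
    if not labels:
        return 0.0
    p = sum(labels) / len(labels)
    return 1.0 - p * p - (1 - p) * (1 - p)


def majority(labels):
    """Majority label, ties resolved towards 'malicious' (1)."""
    return int(sum(labels) * 2 >= len(labels)) if labels else 0


def best_stump(rows, labels, feature_ids):
    """Best single split over the candidate features.
    Returns (feature, threshold, impurity_decrease, left_pred, right_pred)."""
    n, parent = len(labels), gini(labels)
    best = None
    for f in feature_ids:
        values = sorted(set(r[f] for r in rows))
        step = max(1, len(values) // 20)  # subsample candidate thresholds
        for i in range(0, len(values) - 1, step):
            thr = (values[i] + values[i + 1]) / 2
            left = [labels[j] for j in range(n) if rows[j][f] <= thr]
            right = [labels[j] for j in range(n) if rows[j][f] > thr]
            gain = parent - len(left) / n * gini(left) - len(right) / n * gini(right)
            if best is None or gain > best[2]:
                best = (f, thr, gain, majority(left), majority(right))
    if best is None:  # every candidate feature is constant: predict the majority
        best = (feature_ids[0], float("inf"), 0.0, majority(labels), majority(labels))
    return best


def train_forest(rows, labels, n_trees=50, seed=7):
    """Bootstrap ensemble of stumps, each split on a random sqrt(d) feature subset."""
    rng = random.Random(seed)
    n, d = len(rows), len(rows[0])
    mtry = max(1, int(d ** 0.5))
    stumps = []
    for _ in range(n_trees):
        idx = [rng.randrange(n) for _ in range(n)]  # bootstrap sample
        boot_rows = [rows[i] for i in idx]
        boot_labels = [labels[i] for i in idx]
        stumps.append(best_stump(boot_rows, boot_labels, rng.sample(range(d), mtry)))
    return stumps


def feature_importance(stumps, d):
    """Mean decrease in impurity: total gain credited to each feature, normalised."""
    imp = [0.0] * d
    for f, _, gain, _, _ in stumps:
        imp[f] += gain
    total = sum(imp) or 1.0
    return [v / total for v in imp]


def select_features(importance, k):
    """Indices of the k most important features, highest first."""
    return sorted(range(len(importance)), key=lambda f: -importance[f])[:k]


def predict(stumps, row):
    votes = [lp if row[f] <= thr else rp for f, thr, _, lp, rp in stumps]
    return majority(votes)


def evaluate(stumps, rows, labels):
    """Accuracy, precision, recall and F1 with 'malicious' as the positive class."""
    tp = fp = fn = tn = 0
    for row, y in zip(rows, labels):
        p = predict(stumps, row)
        if p and y: tp += 1
        elif p: fp += 1
        elif y: fn += 1
        else: tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"accuracy": (tp + tn) / len(labels), "precision": precision,
            "recall": recall, "f1": f1}


def run(k=2, n_train=300):
    """Rank features with a forest on all columns, keep the top k, retrain, score."""
    rows, labels = make_dataset()
    x_tr, y_tr, x_te, y_te = rows[:n_train], labels[:n_train], rows[n_train:], labels[n_train:]
    forest_all = train_forest(x_tr, y_tr)
    importance = feature_importance(forest_all, len(FEATURE_NAMES))
    selected = select_features(importance, k)

    def project(rs):  # keep only the selected columns
        return [[r[f] for f in selected] for r in rs]

    forest_sel = train_forest(project(x_tr), y_tr)
    return {"importance": dict(zip(FEATURE_NAMES, importance)),
            "selected": [FEATURE_NAMES[f] for f in selected],
            "metrics_all_features": evaluate(forest_all, x_te, y_te),
            "metrics_selected": evaluate(forest_sel, project(x_te), y_te)}


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

Importance is credited only to the feature a tree actually splits on, so a noise column that never wins a split accumulates nothing and drops out of the top-k list; the two informative columns end up selected and the classifier retrained on them alone keeps its accuracy. With a library forest the same steps map onto the model's impurity-based importances followed by column selection and retraining.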
Chapter Preview

1. Introduction

Malicious actors constantly innovate in the ever-changing world of cybersecurity to circumvent standard protection methods and jeopardize the integrity of digital systems. One such invention is disguised malware that makes use of the volatile domain of computer memory (Xu, 2017). Traditional cybersecurity procedures are largely concerned with identifying and blocking attacks that leave identifiable traces on storage devices. However, a new generation of skilled attackers has evolved, adopting techniques that disguise malicious code within a system's memory area, allowing it to evade detection by conventional means (Li, 2019). This chapter explores the domain of obfuscated malware employing memory, in which attackers exploit a computing system's volatile memory to mask their harmful operations. Unlike classical malware, which leaves traces on storage media, this type of threat operates invisibly inside the dynamic and temporary confines of RAM (Random Access Memory) (Shah, 2022).

As a result, it presents a daunting challenge to security professionals and researchers entrusted with protecting digital ecosystems. The complexities of obfuscated malware employing memory lie not only in its ability to lurk within a system's active processes but also in the purposeful obfuscation of its code to avoid detection by antivirus programs (Nath, 2014). Attackers exploit vulnerabilities and deploy complex evasion strategies by leveraging the flexible nature of memory, making it more difficult for cybersecurity experts to identify, assess, and mitigate these threats (M. Alkhalili, 2021).

However, to provide insight into the techniques cyber attackers use to circumvent standard security measures, the complexity underlying obfuscated malware in memory must be unraveled. It also requires an understanding of the growing threat landscape, gained by examining real-world incidents, attack pathways, and evasion methods. In addition, we will look at the countermeasures and detection tactics that may be used to protect systems from the covert operations of obfuscated malware employing memory (Sihwail R. O., 2021).

Malware is classified into numerous types, including worms, viruses, bots, botnets, Trojan horses, ransomware, spyware, rootkits, and others. Because malware families have several functionalities within each category, such as infiltrating the system, gaining access to information, preventing access for authorized users, or committing other cybercrimes, the best solution for detecting them should focus on both categories and families in order to prevent and stop them in the future (Zhang S. H., 2023). Based on memory analysis, there are numerous ways to detect obfuscated malware. However, the complexity and time consumption of most of these works are significant, making them unsuitable for real-world application (Khalid, 2023). This is the impetus for proposing, in this chapter, a quick, efficient, and simple-to-implement approach to obfuscated malware detection based on the most effective attributes obtained from memory analysis.

Machine learning algorithms play a pivotal role in detecting cyber-attacks across different sets of data, which contributes to reducing human intervention in computer systems (Mat, 2021). Supervised learning methods are used to distinguish between malicious and benign activity. Algorithms such as Support Vector Machine (SVM), K-Nearest Neighbors (KNN) (Singh, 2022), Random Forest, and others are commonly used in detecting malicious attacks (Jerlin, 2018).

The main contributions in this chapter are highlighted:
