Abstract

Malware has become more complicated in its purpose and abilities over time, demanding continuous progress in detection and defense technologies. Malware designers use anti-analysis obfuscation techniques, including packing and encryption, to evade detection and hinder the analysis process. Current malware detection methods have shortcomings; thus, an alternative dynamic, platform-independent scheme is proposed to extract harmful hardware impressions. This scheme extracts a file from process memory dumps and converts it into an image. A combined structural and statistical image textural analysis is performed by designing a hybrid local and global feature descriptor. The hybrid feature descriptor reduces the input dimensions and thereby improves the training ability of the proposed deep-stacked ensemble model. The deep-stacked ensemble model is built by combining the prediction outputs of weak learners (CNNs) and feeding them into a meta-learner (MLP) as its learning input. An explainable artificial intelligence (XAI) based approach is employed to interpret and validate the final results of the proposed scheme. Evaluations are conducted using three datasets: the publicly available Dumpware10 dataset, which contains 3,686 samples from 10 different malware families; the publicly available CIC-MalMem-2022 dataset, which includes 2,916 samples from 15 different obfuscated malware families; and a real-world dataset, which contains 2,375 samples of both malware and benign Android apps. Experimental outcomes show that the proposed scheme achieved 99.1% accuracy in analyzing Windows malware memory dumps, 94.3% accuracy in analyzing Android malware memory dumps, and 99.8% accuracy in analyzing Windows obfuscated malware memory dumps. The final results indicate that our vision-based system provides an excellent defense against malicious programs.
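
The two front-end steps of the abstract, turning a memory-dump byte sequence into a grayscale image and summarising that image with a hybrid local/global texture descriptor, can be illustrated in a few dozen lines. The example below is added here and is not the paper's code; the paper does not specify its image width rule or its exact descriptor, so this block assumes a width-by-file-size convention commonly used for malware imaging, a 256-bin local binary pattern (LBP) histogram as the local (structural) part, and four byte statistics (mean, standard deviation, Shannon entropy, zero fraction) as the global (statistical) part. The sample inputs are constructed: an all-zero region, a low-entropy structured blob, and a high-entropy blob standing in for packed or encrypted memory.

```python
import math
import random
from collections import Counter

# Assumed width-by-size convention (an imaging convention, not the paper's stated rule).
_WIDTH_TABLE = [(10 * 1024, 32), (30 * 1024, 64), (60 * 1024, 128), (100 * 1024, 256),
                (200 * 1024, 384), (500 * 1024, 512), (1000 * 1024, 768)]


def choose_width(n_bytes):
    """Pick an image width from the dump size so images of similar size look alike."""
    for bound, width in _WIDTH_TABLE:
        if n_bytes < bound:
            return width
    return 1024


def bytes_to_image(data, width=None):
    """Reshape raw bytes into rows of 8-bit grayscale pixels; the last row is zero-padded."""
    if width is None:
        width = choose_width(len(data))
    rows = []
    for i in range(0, len(data), width):
        row = list(data[i:i + width])
        row += [0] * (width - len(row))
        rows.append(row)
    return rows


def lbp_histogram(img):
    """Local descriptor: normalised histogram of 8-neighbour local binary pattern codes."""
    h, w = len(img), len(img[0])
    counts = [0] * 256
    total = 0
    # Neighbour offsets walked clockwise from the top-left pixel; each sets one bit.
    offsets = [(-1, -1), (-1, 0), (-1, 1), (0, 1), (1, 1), (1, 0), (1, -1), (0, -1)]
    for y in range(1, h - 1):
        for x in range(1, w - 1):
            centre = img[y][x]
            code = 0
            for bit, (dy, dx) in enumerate(offsets):
                if img[y + dy][x + dx] >= centre:
                    code |= 1 << bit
            counts[code] += 1
            total += 1
    if total == 0:  # image too small to have interior pixels
        return [0.0] * 256
    return [c / total for c in counts]


def global_stats(img):
    """Global descriptor: mean, standard deviation, Shannon entropy (bits), zero-byte fraction."""
    pixels = [p for row in img for p in row]
    n = len(pixels)
    mean = sum(pixels) / n
    std = math.sqrt(sum((p - mean) ** 2 for p in pixels) / n)
    counts = Counter(pixels)
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return [mean, std, entropy, counts.get(0, 0) / n]


def hybrid_descriptor(data, width=None):
    """256 LBP bins + 4 global statistics: a 260-value vector regardless of dump size."""
    img = bytes_to_image(data, width)
    return lbp_histogram(img) + global_stats(img)


# Constructed inputs (not real memory dumps).
STRUCTURED_BLOB = b"\x00" * 3000 + b"\x41" * 1096          # low entropy, long runs
_rng = random.Random(0)
PACKED_LIKE_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))  # high entropy


def entropy_of(data):
    """Convenience accessor: the entropy component of the hybrid descriptor."""
    return hybrid_descriptor(data)[256 + 2]


if __name__ == "__main__":
    for name, blob in (("structured", STRUCTURED_BLOB), ("packed-like", PACKED_LIKE_BLOB)):
        vec = hybrid_descriptor(blob)
        print(name, "dims:", len(vec), "entropy: %.2f" % vec[258], "zero frac: %.2f" % vec[259])
```

The descriptor is what makes the downstream ensemble tractable: a 4 KB dump becomes 4,096 pixels, but the vector fed to the learners stays at 260 values whatever the dump size, which is the dimensionality reduction the abstract credits for easier training. The entropy and zero-fraction components also separate the packed-like blob from the structured one, the kind of statistical cue that survives the obfuscation the abstract mentions.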
