CCS2018

Towards Architecture and OS-Independent Malware Detection via Memory Forensics

Rachel Petrik, Berat Arik, Jared M. Smith

23 citations

Abstract

With the increasing reliance of human society on computer systems in daily life, cybercrime is also on the rise. Malware is increasingly used by cybercriminals to attack, compromise, and steal sensitive information, and more critically, to demand ransom from users of infected systems. Existing antivirus solutions often fall short in detecting and alerting users to attacks carried out by newly developed or evolving malware strains. This highlights the need for a more robust and proactive strategy for malware detection. This paper presents a hybrid approach to advanced malware detection that combines the identification of suspicious code executing in main memory with the analysis of malware-related events in Windows Event Logs. Experiments were conducted using a code injection technique on Windows 7 and Windows 10 systems, and the corresponding memory images and Event Logs were analyzed to validate the effectiveness of the proposed approach. Training and testing were performed on both code-based and event-based datasets to evaluate detection accuracy. For the detection of suspicious code, we employed the Canadian Institute for Cybersecurity Malware in Memory 2023 (CIC-MalMem 2023) dataset. For event-based analysis, we utilized the EVTX-ATTACK-SAMPLES and the Windows Event Log dataset. Experimental results using the Random Forest (RF) classifier demonstrate a detection accuracy of 99% based on suspicious code and 95% based on Event Log data.
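The event-based half of the approach rests on turning Windows Event Log records into per-host features that a classifier can consume. The following is an added illustration, not code from the paper or its authors: it parses event records in the Sysmon XML shape (an assumption; the abstract only says "Windows Event Logs"), derives features that capture the process-injection pattern the experiments used (a ProcessAccess event granting write/thread rights on a target, followed by a CreateRemoteThread into it), and applies a plain threshold rule where the paper trains a Random Forest. The event records, image paths and thresholds are constructed for the example.

```python
"""Added example (not the paper's code): Sysmon-style event XML -> features.

Event records below are constructed samples in Sysmon's XML layout; the
threshold rule in is_suspicious() stands in for the paper's RF classifier.
"""
import xml.etree.ElementTree as ET
from collections import Counter

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sysmon event IDs used here (assumption: Sysmon is the event source).
SYSMON_PROCESS_CREATE = 1
SYSMON_CREATE_REMOTE_THREAD = 8
SYSMON_PROCESS_ACCESS = 10

# Rights an injector needs on its target: PROCESS_CREATE_THREAD (0x2),
# PROCESS_VM_OPERATION (0x8), PROCESS_VM_WRITE (0x20).
INJECT_MASK = 0x0002 | 0x0008 | 0x0020

# Constructed sample records: two process creations, then an access
# request and a remote thread from injector.exe into notepad.exe.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData><Data Name="Image">C:\Windows\System32\notepad.exe</Data>
  <Data Name="ParentImage">C:\Windows\explorer.exe</Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData><Data Name="Image">C:\Users\lab\injector.exe</Data>
  <Data Name="ParentImage">C:\Windows\explorer.exe</Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>10</EventID></System>
  <EventData><Data Name="SourceImage">C:\Users\lab\injector.exe</Data>
  <Data Name="TargetImage">C:\Windows\System32\notepad.exe</Data>
  <Data Name="GrantedAccess">0x1FFFFF</Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8</EventID></System>
  <EventData><Data Name="SourceImage">C:\Users\lab\injector.exe</Data>
  <Data Name="TargetImage">C:\Windows\System32\notepad.exe</Data>
  <Data Name="StartFunction">-</Data></EventData></Event>""",
]


def parse_event(xml_text):
    """Return the EventID and the EventData name/value pairs of one record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", EVT_NS).text)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", EVT_NS)}
    return {"event_id": event_id, "data": data}


def extract_features(xml_records):
    """Aggregate a list of event records into one per-host feature vector."""
    events = [parse_event(x) for x in xml_records]
    counts = Counter(e["event_id"] for e in events)
    remote_threads = 0
    injection_access = 0
    targets = set()
    for e in events:
        d = e["data"]
        if e["event_id"] == SYSMON_CREATE_REMOTE_THREAD:
            remote_threads += 1
            targets.add(d.get("TargetImage", ""))
        elif e["event_id"] == SYSMON_PROCESS_ACCESS:
            access = int(d.get("GrantedAccess", "0x0"), 16)
            # Parenthesised: '==' binds tighter than '&' in Python.
            if (access & INJECT_MASK) == INJECT_MASK:
                injection_access += 1
                targets.add(d.get("TargetImage", ""))
    return {
        "n_process_create": counts[SYSMON_PROCESS_CREATE],
        "n_remote_threads": remote_threads,
        "n_injection_access": injection_access,
        "n_injection_targets": len(targets),
    }


def is_suspicious(features):
    """Threshold rule standing in for the trained classifier."""
    return features["n_remote_threads"] > 0 or features["n_injection_access"] > 0


if __name__ == "__main__":
    feats = extract_features(SAMPLE_EVENTS)
    print(feats, "suspicious" if is_suspicious(feats) else "benign")
    benign = extract_features(SAMPLE_EVENTS[:2])
    print(benign, "suspicious" if is_suspicious(benign) else "benign")
```

The feature dictionary returned by extract_features is the kind of row that would be fed to the classifier; for a real evaluation the threshold rule is replaced by a model trained on the labelled EVTX corpus, and the access-mask check is the part worth keeping, since a GrantedAccess value that lacks VM_WRITE or CREATE_THREAD cannot carry classic injection even if a CreateRemoteThread event never appears.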