{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,13]],"date-time":"2026-04-13T10:01:06Z","timestamp":1776074466828,"version":"3.50.1"},"reference-count":58,"publisher":"Springer Science and Business Media LLC","issue":"2","license":[{"start":{"date-parts":[[2026,2,11]],"date-time":"2026-02-11T00:00:00Z","timestamp":1770768000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2026,2,11]],"date-time":"2026-02-11T00:00:00Z","timestamp":1770768000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>The increasing sophistication of modern cyber threats, particularly fileless malware relying on \u201cliving off the land\u201d techniques, poses significant challenges to traditional detection mechanisms. Memory forensics has emerged as a critical approach to detecting such threats by analysing dynamic changes in system memory. This research introduces SPECTRE (Snapshot Processing, Emulation, Comparison, and Threat Reporting Engine), a modular cyber incident response system designed to enhance threat detection, investigation, and visualization. By adopting Volatility\u2019s JSON format as an intermediate output, SPECTRE ensures compatibility with widely used Digital Forensics and Incident Response (DFIR) tools, minimizing manual data transformations and enabling seamless integration into established workflows. Its emulation capabilities safely replicate realistic attack scenarios, such as credential dumping and malicious process injection, for controlled experimentation and validation. 
The anomaly detection module addresses critical attack vectors, including RunDLL32 abuse and communication with known-malicious IP addresses, while the IP forensics module enhances threat intelligence by integrating tools such as VirusTotal and geolocation APIs. SPECTRE\u2019s advanced visualization techniques transform raw memory data into actionable insights, aiding Red, Blue, and Purple teams in refining their strategies and responding more effectively to emerging threats. Comprehensive evaluation demonstrates SPECTRE\u2019s efficiency, with high throughput, low-latency response, robust accuracy, scalable performance, and resource-conscious design, making it well-suited for both large-scale and constrained forensic environments. Bridging gaps between memory and network forensics, SPECTRE offers a scalable, robust platform for advancing threat detection, team training, and forensic research in combating sophisticated cyber threats.<\/jats:p>","DOI":"10.1007\/s10207-026-01212-6","type":"journal-article","created":{"date-parts":[[2026,2,11]],"date-time":"2026-02-11T07:17:20Z","timestamp":1770794240000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["SPECTRE: a hybrid and adaptive cyber threats detection and response in volatile memory"],"prefix":"10.1007","volume":"25","author":[{"given":"Arslan Tariq","family":"Syed","sequence":"first","affiliation":[]},{"given":"Mohamed Chahine","family":"Ghanem","sequence":"additional","affiliation":[]},{"given":"Elhadj","family":"Benkhalifa","sequence":"additional","affiliation":[]},{"given":"Fauzia Abro","family":"Idrees","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2026,2,11]]},"reference":[{"key":"1212_CR1","volume-title":"Practical Memory Forensics","author":"S Ostrovskaya","year":"2022","unstructured":"Ostrovskaya, S., Skulkin, O.: Practical Memory Forensics. 
Packt Publishing Ltd (2022)"},{"key":"1212_CR2","unstructured":"Trellix. What is fileless malware? https:\/\/www.trellix.com\/security-awareness\/ransomware\/what-is-fileless-malware\/, (2023) [Accessed 13 September 2024"},{"key":"1212_CR3","unstructured":"G. Cottingham. How do you compare memory snapshots to detect malware persistence and stealth? https:\/\/www.linkedin.com\/advice\/1\/how-do-you-compare-memory-snapshots-detect-malware, (2023) Retrieved September 13, 2024"},{"issue":"3","key":"1212_CR4","doi-asserted-by":"publisher","first-page":"149","DOI":"10.1080\/23742917.2022.2100036","volume":"6","author":"MD Firoozjaei","year":"2022","unstructured":"Firoozjaei, M.D., Lashkari, A.H., Ghorbani, A.A.: Memory forensics tools: a comparative analysis. J. Cyber Secur. Technol. 6(3), 149\u2013173 (2022)","journal-title":"J. Cyber Secur. Technol."},{"issue":"4","key":"1212_CR5","doi-asserted-by":"publisher","first-page":"808","DOI":"10.3390\/jcp3040036","volume":"3","author":"MC Ghanem","year":"2023","unstructured":"Ghanem, M.C., Mulvihill, P., Ouazzane, K., Djemai, R., Dunsin, D.: D2wfp: a novel protocol for forensically identifying, extracting, and analysing deep and dark web browsing activities. J. Cybersecur. Priv. 3(4), 808\u2013829 (2023)","journal-title":"J. Cybersecur. Priv."},{"issue":"17","key":"1212_CR6","doi-asserted-by":"publisher","first-page":"8604","DOI":"10.3390\/app12178604","volume":"12","author":"M Dener","year":"2022","unstructured":"Dener, M., Ok, G., Orman, A.: Malware detection using memory analysis data in big data environment. Appl. Sci. 12(17), 8604 (2022)","journal-title":"Appl. Sci."},{"issue":"6","key":"1212_CR7","volume":"214","author":"I Kara","year":"2022","unstructured":"Kara, I.: Fileless malware threats: recent advances, analysis approach through memory forensics and research challenges. Expert Syst. Appl. 214(6), 119133 (2022)","journal-title":"Expert Syst. 
Appl."},{"issue":"1","key":"1212_CR8","doi-asserted-by":"publisher","first-page":"101898","DOI":"10.1016\/j.jksuci.2023.101898","volume":"36","author":"T Lei","year":"2024","unstructured":"Lei, T., Xue, J., Wang, Y., Baker, T., Niu, Z.: An empirical study of problems and evaluation of IoT malware classification label sources. J. King Saud Univ. Comput. Inf. Sci. 36(1), 101898\u2013101898 (2024)","journal-title":"J. King Saud Univ. Comput. Inf. Sci."},{"key":"1212_CR9","unstructured":"Konov, K.: Shifting malware tactics & use of non-executable .txt & .log files, (2024) Accessed 24 September 2024"},{"key":"1212_CR10","unstructured":"Manev, P.: Hunting for malware masquerading as an image file, (2022) Accessed 24 September 2024"},{"key":"1212_CR11","doi-asserted-by":"publisher","first-page":"23","DOI":"10.1016\/j.diin.2016.12.004","volume":"20","author":"A Case","year":"2017","unstructured":"Case, A., Richard, G.G.: Memory forensics: The path forward. Digit. Investig. 20, 23\u201333 (2017)","journal-title":"Digit. Investig."},{"key":"1212_CR12","doi-asserted-by":"crossref","unstructured":"Nyholm, H., Monteith, K., Lyles, S., Gallegos, M., DeSantis, M., Donaldson, J., Taylor, C.: The evolution of volatile memory forensics, (2022)","DOI":"10.3390\/jcp2030028"},{"issue":"2","key":"1212_CR13","first-page":"2301","volume":"67","author":"R Sihwail","year":"2021","unstructured":"Sihwail, R., Omar, K., Zainol Ariffin, K.A.: An effective memory analysis for malware detection and classification. Comput. Mater. Contin. 67(2), 2301\u20132320 (2021)","journal-title":"Comput. Mater. Contin."},{"key":"1212_CR14","unstructured":"Nwagwughiagwu, S., Ajayi, R., Talluri, T.C.: Using memory forensics to detect malware processes (2024)"},{"key":"1212_CR15","doi-asserted-by":"crossref","unstructured":"Lashkari, A.H., Li, B., Carrier, T.L., Kaur, G.: Volmemlyzer: Volatile memory analyzer for malware classification using feature engineering. 
IEEE Xplore, (2021)","DOI":"10.1109\/RDAAPS48126.2021.9452028"},{"issue":"1","key":"1212_CR16","doi-asserted-by":"publisher","first-page":"58","DOI":"10.4018\/IJDCF.2020010104","volume":"12","author":"A Almutairi","year":"2020","unstructured":"Almutairi, A., Satari, B.S., Rivas, C., Stanciu, C.F., Yamani, M., Zohoorsaadat, Z., Mokhov, S.A.: Evaluation of autopsy and volatility for cybercrime investigation: a forensic lucid case study. Int. J. Digit. Crime Foren. 12(1), 58\u201389 (2020)","journal-title":"Int. J. Digit. Crime Foren."},{"issue":"2","key":"1212_CR17","first-page":"90","volume":"5","author":"M Parekh","year":"2020","unstructured":"Parekh, M., Jani, S.: Memory forensic: acquisition and analysis of memory and its tools comparison. Int. J. Eng. Technol. Manage. Res. 5(2), 90\u201395 (2020)","journal-title":"Int. J. Eng. Technol. Manage. Res."},{"key":"1212_CR18","doi-asserted-by":"crossref","unstructured":"Singh, A.K., Taterh, S., Mitra, U.: An efficient tactic to analyzing and evaluation of malware dump file using volatility tool. ResearchGate (2023)","DOI":"10.1007\/s42979-023-01844-8"},{"key":"1212_CR19","unstructured":"Garg, I., Wudaru, N.R., Ramakrishna, P.: Study on json, its uses and applications in engineering organizations. ResearchGate, (2024)"},{"key":"1212_CR20","unstructured":"ahlashkari.VolMemLyzer\/VolMemLyzer-V2.py at main \u00b7 ahlashkari\/VolMemLyzer. https:\/\/github.com\/ahlashkari\/VolMemLyzer\/blob\/main\/VolMemLyzer-V2.py, May (2024) Accessed: September 1"},{"key":"1212_CR21","volume":"9","author":"DB Oh","year":"2024","unstructured":"Oh, D.B., Kim, D., Kim, H.K., Kim, D.: Volgpt: evaluation on triaging ransomware process in memory forensics with large language model. Forensic Sci. Int. Digit. Invest. 9, 301756 (2024)","journal-title":"Forensic Sci. Int. Digit. 
Invest."},{"issue":"1","key":"1212_CR22","doi-asserted-by":"publisher","first-page":"7","DOI":"10.18100\/ijamec.526813","volume":"8","author":"A Efe","year":"2020","unstructured":"Efe, A., Hussin, S.: Malware visualization techniques. Int. J. Appl. Math. Electron. Comput. 8(1), 7\u201320 (2020)","journal-title":"Int. J. Appl. Math. Electron. Comput."},{"key":"1212_CR23","doi-asserted-by":"crossref","unstructured":"Dunsin, D., Ghanem, M.C., Ouazzane, K., Vassilev,V.: Reinforcement learning for an efficient and effective malware investigation during cyber incident response (2024) arXiv preprint arXiv:2408.01999","DOI":"10.1016\/j.hcc.2025.100299"},{"key":"1212_CR24","doi-asserted-by":"crossref","unstructured":"Dunsin, D., Ghanem, M.C., Ouazzane, K., Vassilev, V.: A novel reinforcement learning model for post-incident malware investigations (2024) arXiv preprint arXiv:2410.15028","DOI":"10.1109\/SNAMS64316.2024.10883810"},{"key":"1212_CR25","doi-asserted-by":"publisher","first-page":"129840","DOI":"10.1109\/ACCESS.2023.3332834","volume":"11","author":"MC Ghanem","year":"2023","unstructured":"Ghanem, M.C., Chen, T.M., Ferrag, M.A., Kettouche, M.E.: Esascf: expertise extraction, generalization and reply framework for optimized automation of network security compliance. IEEE Access 11, 129840\u2013129853 (2023)","journal-title":"IEEE Access"},{"issue":"4","key":"1212_CR26","doi-asserted-by":"publisher","first-page":"125","DOI":"10.14445\/22312803\/IJCTT-V71I4P116","volume":"71","author":"D Srivastava","year":"2023","unstructured":"Srivastava, D.: An introduction to data visualization tools and techniques in various domains. Int. J. Comput. Trends Technol. 71(4), 125\u2013130 (2023)","journal-title":"Int. J. Comput. Trends Technol."},{"key":"1212_CR27","unstructured":"El Emam, K., Mosquera, L., Hoptroff, R.: Practical Synthetic Data Generation. 
O\u2019Reilly Media, (2020)"},{"key":"1212_CR28","doi-asserted-by":"crossref","unstructured":"Farzaan, M.A.M, Ghanem, M.C., El-Hajjar, A., Ratnayake, D.N.: Ai-powered system for efficient and effective cyber incident detection and response in cloud environments. IEEE Trans. Mach. Learn. Commun. Netw. (2025)","DOI":"10.1109\/TMLCN.2025.3564912"},{"key":"1212_CR29","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4842-7223-7","volume-title":"Python for MATLAB Development","author":"A Danial","year":"2022","unstructured":"Danial, A.: Python for MATLAB Development. Apress (2022)"},{"key":"1212_CR30","doi-asserted-by":"crossref","unstructured":"Beauchemin, D., Khoury, R.: Risc: Generating realistic synthetic bilingual insurance. In: Proceedings of the Canadian Conference on Artificial Intelligence (2023)","DOI":"10.21428\/594757db.132dae7d"},{"key":"1212_CR31","unstructured":"PassMark\u2122 Software. Volatility workbench - a gui for volatility memory forensics. https:\/\/www.osforensics.com\/tools\/volatility-workbench.html, (2024). Accessed 9 September 2024"},{"issue":"1","key":"1212_CR32","doi-asserted-by":"publisher","first-page":"11065","DOI":"10.1109\/ACCESS.2022.3142508","volume":"10","author":"AR Javed","year":"2022","unstructured":"Javed, A.R., Ahmed, W., Alazab, M., Jalil, Z., Kifayat, K., Gadekallu, T.R.: A comprehensive survey on computer forensics. IEEE Access 10(1), 11065\u201311089 (2022)","journal-title":"IEEE Access"},{"key":"1212_CR33","unstructured":"Volatility Foundation. Volatility 3 basics \u2014 volatility 3 2.7.1 documentation, (2024) Accessed 30 September 2024"},{"key":"1212_CR34","unstructured":"ISO. 
Iso\/iec 21778:2017 information technology\u2014the json data interchange syntax, (2023) Accessed 2 November 2024"},{"issue":"1","key":"1212_CR35","doi-asserted-by":"publisher","first-page":"9","DOI":"10.23939\/acps2024.01.009","volume":"9","author":"E Maltsev","year":"2024","unstructured":"Maltsev, E., Muliarevych, O.: Beyond json: evaluating serialization formats. Adv. Cyber-Phys. Syst. 9(1), 9\u201315 (2024)","journal-title":"Adv. Cyber-Phys. Syst."},{"key":"1212_CR36","unstructured":"Buonom, V., Petrovic, P.: Enhance inter-service communication in supersonic k-native rest-based java microservice architectures (2021) https:\/\/hkr.diva-portal.org\/smash\/record.jsf?pid=diva2%3A1576712&dswid=6414"},{"key":"1212_CR37","unstructured":"Shvaika, D.I., Shvaika, A.I., Artemchuk,V.O.: Data serialization protocols in iot: problems and solutions using the thingsboard platform as an example, ResearchGate (2024a)"},{"key":"1212_CR38","doi-asserted-by":"publisher","DOI":"10.55056\/jec.745","author":"DI Shvaika","year":"2024","unstructured":"Shvaika, D.I., Shvaika, A.I., Artemchuk, V.O.: Advancing iot interoperability: dynamic data serialization using thingsboard. J. Edge Comput. (2024). https:\/\/doi.org\/10.55056\/jec.745","journal-title":"J. Edge Comput."},{"key":"1212_CR39","unstructured":"Google LLC. Overview | protocol buffers documentation. https:\/\/protobuf.dev\/overview\/, (2024) Accessed 2 November 2024"},{"key":"1212_CR40","unstructured":"Berg, J., Redi, D.M.: Benchmarking the request throughput of conventional API calls and GRPC: A comparative study of rest and GRPC. https:\/\/urn.kb.se\/resolve?urn=urn%3Anbn%3Ase%3Akth%3Adiva-334990, (2023) Accessed 2 November 2024"},{"key":"1212_CR41","doi-asserted-by":"crossref","unstructured":"Gerrans, J., Sherratt, R.S.: Comparing xml and json characteristics as formats for data serialisation within ultra-low power embedded systems. IEEE Embedded Syst. Lett. 
(2024)","DOI":"10.1109\/LES.2024.3450576"},{"key":"1212_CR42","volume-title":"Digital Forensics with Kali Linux","author":"SVN Parasram","year":"2023","unstructured":"Parasram, S.V.N.: Digital Forensics with Kali Linux, 3rd edn. Packt Publishing Ltd (2023)","edition":"3"},{"key":"1212_CR43","unstructured":"VolatilityFoundation. netstat.py. https:\/\/github.com\/volatilityfoundation\/volatility3\/blob\/develop\/volatility3\/framework\/plugins\/windows\/netstat.py, (2024a) Accessed 31 October 2024"},{"key":"1212_CR44","unstructured":"VolatilityFoundation. netscan.py. https:\/\/github.com\/volatilityfoundation\/volatility3\/blob\/develop\/volatility3\/framework\/plugins\/windows\/netscan.py, (2024b) Accessed 31 October 2024"},{"key":"1212_CR45","doi-asserted-by":"crossref","unstructured":"Luchs, M., Doerr, C.: The curious case of port 0. IEEE (2019)","DOI":"10.23919\/IFIPNetworking.2019.8816853"},{"key":"1212_CR46","doi-asserted-by":"crossref","unstructured":"Kopp, D., Dietzel, C., Hohlfeld, O.: Ddos never dies? an ixp perspective on ddos amplification attacks. passive and active measurement. In: International Conference on Passive and Active Network Measurement, pp. 284\u2013301 (2021)","DOI":"10.1007\/978-3-030-72582-2_17"},{"key":"1212_CR47","doi-asserted-by":"publisher","first-page":"100445","DOI":"10.1016\/j.eij.2024.100445","volume":"25","author":"M Aljabri","year":"2024","unstructured":"Aljabri, M., Alhaidari, F., Albuainain, A., Alrashidi, S., Alansari, J., Alqahtani, W., Alshaya, J.: Ransomware detection based on machine learning using memory features. Egypt. Inform. J. 25, 100445\u2013100445 (2024)","journal-title":"Egypt. Inform. J."},{"key":"1212_CR48","unstructured":"Lavanya, A., Sindhu, S., Vijayalakshmi, P.: Effective visualization tool for lsass credential dumping. Foren. Inform. J. (2023)"},{"key":"1212_CR49","unstructured":"Cybereason Blue Team. 
Rundll32: The infamous proxy for executing malicious code. https:\/\/www.cybereason.com\/blog\/rundll32-the-infamous-proxy-for-executing-malicious-code, (2022) Accessed 10 October 2024"},{"key":"1212_CR50","unstructured":"Red Canary. Rundll32 - red canary threat detection report. https:\/\/redcanary.com\/threat-detection-report\/techniques\/rundll32\/, (2024) Accessed 10 October 2024"},{"key":"1212_CR51","unstructured":"Microsoft Threat Intelligence. Detecting and preventing lsass credential dumping attacks, (2022) Accessed 11 October 2024"},{"key":"1212_CR52","unstructured":"Russinovich, M., Richards, A.: Procdump - sysinternals. https:\/\/learn.microsoft.com\/en-us\/sysinternals\/downloads\/procdump, (2022) Accessed 11 October 2024"},{"key":"1212_CR53","unstructured":"MITRE ATT&CK. Os credential dumping: Lsass memory. https:\/\/attack.mitre.org\/techniques\/T1003\/001\/, (2023) Accessed 11 October 2024"},{"key":"1212_CR54","doi-asserted-by":"crossref","unstructured":"Darwich, O., Rimlinger, H., Dreyfus, M., Gouel, M., Vermeulen, K.: Replication: Towards a publicly available internet scale ip geolocation dataset. HAL (Le Centre pour la Communication Scientifique Directe), pp. 1\u201315, (2023)","DOI":"10.1145\/3618257.3624801"},{"key":"1212_CR55","doi-asserted-by":"crossref","unstructured":"Corneo, L., Di Francesco, M.: From whois to RDAP: Are IP lookup services getting any better? IEEE, (2024)","DOI":"10.1109\/NOMS59830.2024.10575906"},{"key":"1212_CR56","first-page":"49","volume":"50","author":"C Yucel","year":"2021","unstructured":"Yucel, C., Lockett, A., Chalkias, I., Mallis, D., Katos, V.: Mait: malware analysis and intelligence tool. Inf. Secur. 50, 49\u201365 (2021)","journal-title":"Inf. Secur."},{"key":"1212_CR57","unstructured":"Ulf Frisk. Memprocfs: Memory process file system. https:\/\/github.com\/ufrisk\/MemProcFS. 
Accessed: 2024\u201312\u201326"},{"key":"1212_CR58","unstructured":"Ulf Frisk. Memprocfs wiki: Fs_findevil. https:\/\/github.com\/ufrisk\/MemProcFS\/wiki\/FS_FindEvil. Accessed: 2024\u201312\u201326"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-026-01212-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-026-01212-6","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-026-01212-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,13]],"date-time":"2026-04-13T09:21:56Z","timestamp":1776072116000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-026-01212-6"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,2,11]]},"references-count":58,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2026,4]]}},"alternative-id":["1212"],"URL":"https:\/\/doi.org\/10.1007\/s10207-026-01212-6","relation":{},"ISSN":["1615-5270"],"issn-type":[{"value":"1615-5270","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,2,11]]},"assertion":[{"value":"21 January 2025","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"21 January 2026","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"11 February 2026","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors confirm that they have 
no competing interests or personal relationships that could have influenced the work presented in this paper.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}},{"value":"This research was determined not to require ethical approval.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethical approval"}}],"article-number":"52"}}
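The abstract above describes consuming Volatility's JSON output and running anomaly checks for RunDLL32 abuse and connections to malicious IP addresses over it. The following is an added illustrative example, not code from the SPECTRE paper or the Volatility project. It assumes the row shape produced by Volatility 3's JSON renderer (`vol -r json -f image.raw windows.pslist`: a list of objects keyed by column name, each with a `__children` list that is nested for tree plugins such as `windows.pstree`) and the column names of the `windows.pslist`, `windows.cmdline` and `windows.netscan` plugins. All sample rows, the blocklist and the detection rules (`rundll32_*`, `blocklisted_remote`, `SUSPICIOUS_PARENTS`, `INTERNAL_NETS`) are constructed for this example and are not the paper's own heuristics.

```python
"""Anomaly checks over Volatility 3 JSON output (added illustrative example).

Assumes the `vol -r json` row shape (column-keyed objects with "__children")
and windows.pslist / windows.cmdline / windows.netscan column names.
Rules and sample data are constructed here, not taken from the SPECTRE paper.
"""
import ipaddress
import json
from typing import Any, Iterator

# Sample rows CONSTRUCTED for this example; not from a real memory image.
PSLIST_JSON = json.dumps([
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "__children": []},
    {"PID": 1204, "PPID": 900, "ImageFileName": "explorer.exe", "__children": []},
    {"PID": 2208, "PPID": 1204, "ImageFileName": "WINWORD.EXE", "__children": []},
    {"PID": 2290, "PPID": 2208, "ImageFileName": "rundll32.exe", "__children": []},
    {"PID": 3012, "PPID": 1204, "ImageFileName": "rundll32.exe", "__children": []},
    {"PID": 3400, "PPID": 1204, "ImageFileName": "rundll32.exe", "__children": []},
])
CMDLINE_JSON = json.dumps([
    {"PID": 2290, "Process": "rundll32.exe", "Args": "rundll32.exe", "__children": []},
    {"PID": 3012, "Process": "rundll32.exe",
     "Args": "rundll32.exe C:\\Users\\Public\\x.dat,DllRegisterServer", "__children": []},
    {"PID": 3400, "Process": "rundll32.exe",
     "Args": "rundll32.exe shell32.dll,Control_RunDLL", "__children": []},
])
NETSCAN_JSON = json.dumps([
    # 198.51.100.7 (TEST-NET-2) stands in for an external address.
    {"Proto": "TCPv4", "LocalAddr": "10.0.0.5", "LocalPort": 49712, "ForeignAddr": "198.51.100.7",
     "ForeignPort": 443, "State": "ESTABLISHED", "PID": 3012, "Owner": "rundll32.exe", "__children": []},
    {"Proto": "TCPv4", "LocalAddr": "10.0.0.5", "LocalPort": 49713, "ForeignAddr": "10.0.0.9",
     "ForeignPort": 445, "State": "ESTABLISHED", "PID": 4, "Owner": "System", "__children": []},
    {"Proto": "TCPv4", "LocalAddr": "0.0.0.0", "LocalPort": 135, "ForeignAddr": "*",
     "ForeignPort": 0, "State": "LISTENING", "PID": 880, "Owner": "svchost.exe", "__children": []},
])
# Constructed indicator set standing in for a threat-intelligence lookup.
BLOCKLIST = {"198.51.100.7"}
# Parents that should not normally spawn rundll32.exe (illustrative list).
SUSPICIOUS_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
# Address space treated as internal. ipaddress.is_global is avoided on purpose:
# it also classifies the documentation ranges used above as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "0.0.0.0/32", "::1/128", "::/128")]


def flatten(rows: list[dict[str, Any]]) -> Iterator[dict[str, Any]]:
    """Depth-first walk over the renderer's row tree."""
    for row in rows:
        yield row
        yield from flatten(row.get("__children") or [])


def load_rows(text: str) -> list[dict[str, Any]]:
    return list(flatten(json.loads(text)))


def is_internal(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # netscan prints "*" for unbound endpoints
        return True
    return any(ip in net for net in INTERNAL_NETS)


def rundll32_findings(pslist, cmdline):
    by_pid = {r["PID"]: r for r in pslist}
    args = {r["PID"]: r.get("Args") or "" for r in cmdline}  # Args may be null
    out = []
    for proc in pslist:
        if proc["ImageFileName"].lower() != "rundll32.exe":
            continue
        pid = proc["PID"]
        cmd = args.get(pid, "")
        # Everything after the executable token should read "<module>,<export>".
        tail = cmd.split(None, 1)[1] if " " in cmd else ""
        if not tail:
            out.append({"rule": "rundll32_no_arguments", "pid": pid, "detail": cmd})
        else:
            module = tail.split(",", 1)[0].strip().strip('"')
            if not module.lower().endswith(".dll"):  # DLL hidden behind another extension
                out.append({"rule": "rundll32_non_dll_module", "pid": pid, "detail": module})
        parent = by_pid.get(proc["PPID"])
        if parent and parent["ImageFileName"].upper() in SUSPICIOUS_PARENTS:
            out.append({"rule": "rundll32_suspicious_parent", "pid": pid,
                        "detail": parent["ImageFileName"]})
    return out


def network_findings(netscan, blocklist):
    out = []
    for conn in netscan:
        if conn.get("State") == "LISTENING":
            continue
        remote = conn.get("ForeignAddr") or ""
        endpoint = f"{remote}:{conn.get('ForeignPort')}"
        if remote in blocklist:
            out.append({"rule": "blocklisted_remote", "pid": conn["PID"], "detail": endpoint})
        if (conn.get("Owner") or "").lower() == "rundll32.exe" and not is_internal(remote):
            out.append({"rule": "rundll32_external_connection", "pid": conn["PID"], "detail": endpoint})
    return out


def analyze(pslist_json=PSLIST_JSON, cmdline_json=CMDLINE_JSON,
            netscan_json=NETSCAN_JSON, blocklist=BLOCKLIST):
    pslist, cmdline, netscan = map(load_rows, (pslist_json, cmdline_json, netscan_json))
    return rundll32_findings(pslist, cmdline) + network_findings(netscan, blocklist)


if __name__ == "__main__":
    for finding in analyze():
        print(json.dumps(finding))
```

On the constructed sample, PID 2290 is flagged twice (no DLL argument, spawned by WINWORD.EXE), PID 3012 three times (a `.dat` module, a blocklisted remote, an external connection owned by rundll32.exe), and PID 3400 (`shell32.dll,Control_RunDLL` under explorer.exe) not at all. Because the checks only read the renderer's JSON, the same functions can be pointed at the files written by `vol -r json ... > pslist.json` for a real image, which is the integration point the abstract describes.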