{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,3]],"date-time":"2025-11-03T17:59:12Z","timestamp":1762192752971,"version":"build-2065373602"},"reference-count":35,"publisher":"MDPI AG","issue":"11","license":[{"start":{"date-parts":[[2025,11,1]],"date-time":"2025-11-01T00:00:00Z","timestamp":1761955200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100019286","name":"Ajman University, United Arab Emirates","doi-asserted-by":"publisher","award":["2023-IRG-ENIT-28"],"award-info":[{"award-number":["2023-IRG-ENIT-28"]}],"id":[{"id":"10.13039\/501100019286","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Computers"],"abstract":"<jats:p>Memory forensics is an essential cybersecurity tool that comprehensively examines volatile memory to detect the malicious activity of fileless malware that can bypass disk analysis. Image-based detection techniques provide a promising solution by visualizing memory data into images to be used and analyzed by image processing tools and machine learning methods. However, the effectiveness of image-based data for detection and classification requires high computational efforts. This paper investigates the efficacy of texture-based methods in detecting and classifying memory-resident or fileless malware using different image resolutions, identifying the best feature descriptors, classifiers, and resolutions that accurately classify malware into specific families and differentiate them from benign software. Moreover, this paper uses both local and global descriptors, where local descriptors include Oriented FAST and Rotated BRIEF (ORB), Scale-Invariant Feature Transform (SIFT), and Histogram of Oriented Gradients (HOG) and global descriptors include Discrete Wavelet Transform (DWT), GIST, and Gray Level Co-occurrence Matrix (GLCM). The results indicate that as image resolution increases, most feature descriptors yield more discriminative features but require higher computational efforts in terms of time and processing resources. To address this challenge, this paper proposes a novel approach that integrates Local Interpretable Model-agnostic Explanations (LIME) with deep learning models to automatically identify and crop the most important regions of memory images. The LIME\u2019s ROI was extracted based on ResNet50 and MobileNet models\u2019 predictions separately, the images were resized to 128 \u00d7 128, and the sampling process was performed dynamically to speed up LIME computation. The ROIs of the images are cropped to new images with sizes of (100 \u00d7 100) in two stages: the coarse stage and the fine stage. The two generated LIME-based cropped images using ResNet50 and MobileNet are fed to the lightweight neural network to evaluate the effectiveness of the LIME-based identified regions. The results demonstrate that the LIME-based MobileNet model\u2019s prediction improves the efficiency of the model by preserving important features with a classification accuracy of 85% on multi-class classification.<\/jats:p>","DOI":"10.3390\/computers14110467","type":"journal-article","created":{"date-parts":[[2025,11,3]],"date-time":"2025-11-03T17:32:01Z","timestamp":1762191121000},"page":"467","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Efficient Image-Based Memory Forensics for Fileless Malware Detection Using Texture Descriptors and LIME-Guided Deep Learning"],"prefix":"10.3390","volume":"14","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-0777-1871","authenticated-orcid":false,"given":"Qussai M.","family":"Yaseen","sequence":"first","affiliation":[{"name":"Department of Information Technology, College of Engineering and Information Technology, Ajman University, Ajman 346, United Arab Emirates"},{"name":"Faculty of Computer and Information Technology, Jordan University of Science and Technology, Irbid 22110, Jordan"}]},{"given":"Esraa","family":"Oudat","sequence":"additional","affiliation":[{"name":"Faculty of Computer and Information Technology, Jordan University of Science and Technology, Irbid 22110, Jordan"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1150-2404","authenticated-orcid":false,"given":"Monther","family":"Aldwairi","sequence":"additional","affiliation":[{"name":"College of Technological Innovation, Zayed University, Abu Dhabi 144534, United Arab Emirates"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1025-7868","authenticated-orcid":false,"given":"Salam","family":"Fraihat","sequence":"additional","affiliation":[{"name":"Department of Information Technology, College of Engineering and Information Technology, Ajman University, Ajman 346, United Arab Emirates"}]}],"member":"1968","published-online":{"date-parts":[[2025,11,1]]},"reference":[{"key":"ref_1","unstructured":"AV-TEST (2024, September 05). Malware Statistics. Available online: https:\/\/www.av-test.org\/en\/statistics\/malware\/."},{"key":"ref_2","unstructured":"Hasan, S.M.R., and Dhakal, A. (2024). Obfuscated Malware Detection: Investigating Real-world Scenarios through Memory Analysis. arXiv."},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Qawasmeh, E., and Al-Saleh, M.I. (2020, January 25\u201326). On Producing Events Timeline for Memory Forensics: An Experimental Study. Proceedings of the 2020 Seventh International Conference on Information Technology Trends (ITT), Abu Dhabi, United Arab Emirates.","DOI":"10.1109\/ITT51279.2020.9396748"},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"23","DOI":"10.1016\/j.diin.2016.12.004","article-title":"Memory forensics: The path forward","volume":"20","author":"Case","year":"2017","journal-title":"Digit. Investig."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Nataraj, L., Karthikeyan, S., Jacob, G., and Manjunath, B.S. (2011, January 20). Malware images: Visualization and automatic classification. Proceedings of the Visualization for Computer Security, Pittsburgh, PA, USA.","DOI":"10.1145\/2016904.2016908"},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"353","DOI":"10.1007\/s10586-025-05104-7","article-title":"Advanced memory forensics for malware classification with deep learning algorithms","volume":"28","author":"Odeh","year":"2025","journal-title":"Clust. Comput."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"79397","DOI":"10.1109\/ACCESS.2025.3565802","article-title":"Few-Shot Learning with Prototypical Networks for Improved Memory Forensics","volume":"13","author":"Gul","year":"2025","journal-title":"IEEE Access"},{"key":"ref_8","unstructured":"Cuckoo Sandbox Developers (2025, August 23). Cuckoo Sandbox: Automated Malware Analysis. Available online: https:\/\/cuckoosandbox.org\/."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"119133","DOI":"10.1016\/j.eswa.2022.119133","article-title":"Fileless malware threats: Recent advances, analysis approach through memory forensics and research challenges","volume":"214","author":"Kara","year":"2023","journal-title":"Expert Syst. Appl."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Pant, D., and Bista, R. (2021, January 26\u201328). Image-Based Malware Classification Using Deep Convolutional Neural Network and Transfer Learning. Proceedings of the 2021 3rd International Conference on Advanced Information Science and System (AISS 2021), Sanya, China.","DOI":"10.1145\/3503047.3503081"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Shah, S.S.H., Jamil, N., and Khan, A.u.R. (2022). Memory Visualization-Based Malware Detection Technique. Sensors, 22.","DOI":"10.3390\/s22197611"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"123","DOI":"10.1016\/j.cose.2018.11.001","article-title":"Survey of machine learning techniques for malware analysis","volume":"81","author":"Ucci","year":"2019","journal-title":"Comput. Secur."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1186\/s13673-018-0125-x","article-title":"A state-of-the-art survey of malware detection approaches using data mining techniques","volume":"8","author":"Souri","year":"2018","journal-title":"Hum.-Cent. Comput. Inf. Sci."},{"key":"ref_14","first-page":"301564","article-title":"cRGBMem: At the intersection of memory forensics and machine learning","volume":"45","author":"Sudhakaran","year":"2023","journal-title":"Forensic Sci. Int. Digit. Investig."},{"key":"ref_15","first-page":"81","article-title":"DexRay: A Simple, Yet Effective Deep Learning Approach to Android Malware Detection Based on Image Representation of Bytecode","volume":"1482","author":"Daoudi","year":"2021","journal-title":"Commun. Comput. Inf. Sci."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Yaseen, Q.M. (2023). The Effect of the Ransomware Dataset Age on the Detection Accuracy of Machine Learning Models. Information, 14.","DOI":"10.3390\/info14030193"},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"763","DOI":"10.1016\/j.procs.2023.03.101","article-title":"A Comparative Analysis of Machine Learning Algorithms for Android Malware Detection","volume":"220","author":"AlOmari","year":"2023","journal-title":"Procedia Comput. Sci."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"AlJarrah, M.N., Yaseen, Q.M., and Mustafa, A.M. (2022). A Context-Aware Android Malware Detection Approach Using Machine Learning. Information, 13.","DOI":"10.3390\/info13120563"},{"key":"ref_19","first-page":"185586","article-title":"An Efficient Random Forest Classifier for Detecting Malicious Docker Images in Docker Hub Repository","volume":"12","author":"Aldiabat","year":"2024","journal-title":"IEEE Access"},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"15471","DOI":"10.1109\/ACCESS.2023.3244656","article-title":"A Novel Machine Learning Approach for Android Malware Detection Based on the Co-Existence of Features","volume":"11","author":"Odat","year":"2023","journal-title":"IEEE Access"},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"8439","DOI":"10.1109\/TIP.2021.3114989","article-title":"Robust Texture-Aware Computer-Generated Image Forensic: Benchmark and Algorithm","volume":"30","author":"Bai","year":"2021","journal-title":"IEEE Trans. Image Process."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"100478","DOI":"10.1016\/j.eij.2024.100478","article-title":"MalRed: An innovative approach for detecting malware using the red channel analysis of color images","volume":"26","author":"Jamil","year":"2024","journal-title":"Egypt. Inform. J."},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"21","DOI":"10.1186\/s42400-023-00157-w","article-title":"MRm-DLDet: A memory-resident malware detection framework based on memory forensics and deep neural network","volume":"6","author":"Liu","year":"2023","journal-title":"Cybersecurity"},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1186\/s42400-019-0043-x","article-title":"An emerging threat Fileless malware: A survey and research challenges","volume":"3","author":"Sudhakar","year":"2020","journal-title":"Cybersecurity"},{"key":"ref_25","first-page":"2301","article-title":"An Effective Memory Analysis for Malware Detection and Classification","volume":"67","author":"Sihwail","year":"2021","journal-title":"Comput. Mater. Contin."},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Peterson, G., and Shenoi, S. (2017). A Behavior-Based Approach for Malware Detection. Advances in Digital Forensics XIII, Springer.","DOI":"10.1007\/978-3-319-67208-3"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Lashkari, A.H., Li, B., Carrier, T.L., and Kaur, G. (2021, January 18\u201319). VolMemLyzer: Volatile Memory Analyzer for Malware Classification Using Feature Engineering. Proceedings of the 2021 Reconciling Data Analytics, Automation, Privacy, and Security: A Big Data Challenge (RDAAPS), Hamilton, ON, Canada.","DOI":"10.1109\/RDAAPS48126.2021.9452028"},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Dener, M., Ok, G., and Orman, A. (2022). Malware Detection Using Memory Analysis Data in Big Data Environment. Appl. Sci., 12.","DOI":"10.3390\/app12178604"},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"30","DOI":"10.1016\/j.diin.2018.09.006","article-title":"A malware classification method based on memory dump grayscale image","volume":"27","author":"Dai","year":"2018","journal-title":"Digit. Investig."},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"102166","DOI":"10.1016\/j.cose.2020.102166","article-title":"Catch them alive: A malware detection approach through memory forensics, manifold learning and computer vision","volume":"103","author":"Bozkir","year":"2021","journal-title":"Comput. Secur."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Zhang, S., Hu, C., Wang, L., Mihaljevic, M.J., Xu, S., and Lan, T. (2023). A Malware Detection Approach Based on Deep Learning and Memory Forensics. Symmetry, 15.","DOI":"10.3390\/sym15030758"},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Kosmidis, K., and Kalloniatis, C. (2017, January 28\u201330). Machine Learning and Images for Malware Detection and Classification. Proceedings of the 21st Pan-Hellenic Conference on Informatics, PCI\u201917, New York, NY, USA.","DOI":"10.1145\/3139367.3139400"},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Ribeiro, M.T., Singh, S., and Guestrin, C. (2016, January 13\u201317). \u201cWhy Should I Trust You?\u201d: Explaining the Predictions of Any Classifier. Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, KDD\u201916, New York, NY, USA.","DOI":"10.1145\/2939672.2939778"},{"key":"ref_34","unstructured":"Cbhua (2025, August 20). GitHub-cbhua\/binary-to-png: A Useful Tool for Extracting Images from Binary Files. Available online: https:\/\/github.com\/cbhua\/binary-to-png."},{"key":"ref_35","unstructured":"Bradski, G., and Kaehler, A. (2008). Learning OpenCV\u2014Computer Vision with the OpenCV Library: Software That Sees, O\u2019Reilly."}],"container-title":["Computers"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-431X\/14\/11\/467\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,3]],"date-time":"2025-11-03T17:46:23Z","timestamp":1762191983000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-431X\/14\/11\/467"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,1]]},"references-count":35,"journal-issue":{"issue":"11","published-online":{"date-parts":[[2025,11]]}},"alternative-id":["computers14110467"],"URL":"https:\/\/doi.org\/10.3390\/computers14110467","relation":{},"ISSN":["2073-431X"],"issn-type":[{"value":"2073-431X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,11,1]]}}}