{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,5]],"date-time":"2026-06-05T04:53:16Z","timestamp":1780635196157,"version":"3.54.1"},"reference-count":36,"publisher":"MDPI AG","issue":"2","license":[{"start":{"date-parts":[[2023,1,5]],"date-time":"2023-01-05T00:00:00Z","timestamp":1672876800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"SAUDI ARAMCO Cybersecurity Chair, Imam Abdulrahman Bin Faisal University"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>In recent years, massive development in the malware industry has changed the entire landscape of malware development. Cybercriminals have become more sophisticated, advancing their techniques from file-based to fileless malware. Whereas file-based malware depends on files to spread itself, fileless malware does not require a traditional file system and uses benign processes to carry out its malicious intent; it therefore evades conventional detection techniques and remains stealthy. This paper briefly explains fileless malware, its life cycle, and its infection chain. Moreover, it proposes a detection technique for fileless malware based on feature analysis using machine learning. Memory dumps were acquired from a virtual machine upon executing the malicious and non-malicious samples. The necessary features are then extracted using the Volatility memory forensics tool and analyzed using machine learning classification algorithms. After that, the best algorithm is selected based on the k-fold cross-validation score. Experimental evaluation has shown that Random Forest outperforms the other machine learning classifiers (Decision Tree, Support Vector Machine, Logistic Regression, K-Nearest Neighbor, XGBoost, and Gradient Boosting). 
It achieved an overall accuracy of 93.33% with a True Positive Rate (TPR) of 87.5% at zero False Positive Rate (FPR) for fileless malware collected from five widely used datasets (VirusShare, AnyRun, PolySwarm, HatchingTriage, and JoeSandbox).<\/jats:p>","DOI":"10.3390\/s23020612","type":"journal-article","created":{"date-parts":[[2023,1,5]],"date-time":"2023-01-05T04:51:31Z","timestamp":1672894291000},"page":"612","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":49,"title":["An Insight into the Machine-Learning-Based Fileless Malware Detection"],"prefix":"10.3390","volume":"23","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-7979-0620","authenticated-orcid":false,"given":"Osama","family":"Khalid","sequence":"first","affiliation":[{"name":"FAST School of Computing, National University of Computer and Emerging Sciences (NUCES-FAST), Islamabad 44000, Pakistan"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3925-621X","authenticated-orcid":false,"given":"Subhan","family":"Ullah","sequence":"additional","affiliation":[{"name":"FAST School of Computing, National University of Computer and Emerging Sciences (NUCES-FAST), Islamabad 44000, Pakistan"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8105-6791","authenticated-orcid":false,"given":"Tahir","family":"Ahmad","sequence":"additional","affiliation":[{"name":"Center for Cybersecurity, Bruno Kessler Foundation, 38123 Trento, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7136-3480","authenticated-orcid":false,"given":"Saqib","family":"Saeed","sequence":"additional","affiliation":[{"name":"SAUDI ARAMCO Cybersecurity Chair, Department of Computer Information Systems, College of Computer Science and Information Technology, Imam Abdulrahman Bin Faisal University, P.O. 
Box 1982, Dammam 31441, Saudi Arabia"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7624-8924","authenticated-orcid":false,"given":"Dina A.","family":"Alabbad","sequence":"additional","affiliation":[{"name":"SAUDI ARAMCO Cybersecurity Chair, Department of Computer Engineering, College of Computer Science and Information Technology, Imam Abdulrahman Bin Faisal University, P.O. Box 1982, Dammam 31441, Saudi Arabia"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3223-4234","authenticated-orcid":false,"given":"Mudassar","family":"Aslam","sequence":"additional","affiliation":[{"name":"FAST School of Computing, National University of Computer and Emerging Sciences (NUCES-FAST), Islamabad 44000, Pakistan"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2723-2410","authenticated-orcid":false,"given":"Attaullah","family":"Buriro","sequence":"additional","affiliation":[{"name":"Faculty of Computer Science, Free University Bozen-Bolzano, 39100 Bolzano, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4758-7895","authenticated-orcid":false,"given":"Rizwan","family":"Ahmad","sequence":"additional","affiliation":[{"name":"School of Electrical Engineering and Computer Science, National University of Sciences and Technology (NUST), Islamabad 44000, Pakistan"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"1968","published-online":{"date-parts":[[2023,1,5]]},"reference":[{"key":"ref_1","first-page":"20","article-title":"A study on malware and malware detection techniques","volume":"8","author":"Tahir","year":"2018","journal-title":"Int. J. Educ. Manag. 
Eng."},{"key":"ref_2","first-page":"704","article-title":"Cybercriminal networks, social ties and online forums: Social ties versus digital ties within phishing and malware networks","volume":"57","author":"Leukfeldt","year":"2017","journal-title":"Br. J. Criminol."},{"key":"ref_3","first-page":"326","article-title":"Evolution of malware threats and techniques: A review","volume":"12","author":"Alenezi","year":"2020","journal-title":"Int. J. Commun. Netw. Inf. Secur."},{"key":"ref_4","unstructured":"Smelcer, J. (2017). Rise of Fileless Malware. [Ph.D. Thesis, Utica College]."},{"key":"ref_5","unstructured":"(2021, November 11). New Ponemon Institute Study: Key Findings the 2017 State of Endpoint. Available online: https:\/\/www.ponemon.org\/news-updates\/blog\/security\/the-2017-state-of-endpoint-security-risk-report.html."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Alsmadi, T., and Alqudah, N. (2021, January 14\u201315). A Survey on malware detection techniques. Proceedings of the 2021 International Conference on Information Technology (ICIT), Amman, Jordan.","DOI":"10.1109\/ICIT52682.2021.9491765"},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Afreen, A., Aslam, M., and Ahmed, S. (2020, January 12\u201313). Analysis of Fileless Malware and its Evasive Behavior. Proceedings of the 2020 International Conference on Cyber Warfare and Security (ICCWS), Norfolk, VA, USA.","DOI":"10.1109\/ICCWS48432.2020.9292376"},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"332","DOI":"10.4218\/etrij.2020-0086","article-title":"Fileless cyberattacks: Analysis and classification","volume":"43","author":"Lee","year":"2021","journal-title":"ETRI J."},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Sanjay, B., Rakshith, D., Akash, R., and Hegde, D.V. (2018, January 20\u201322). An Approach to Detect Fileless Malware and Defend its Evasive mechanisms. 
Proceedings of the 2018 3rd International Conference on Computational Systems and Information Technology for Sustainable Solutions (CSITSS), Bengaluru, India.","DOI":"10.1109\/CSITSS.2018.8768769"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Saad, S., Mahmood, F., Briguglio, W., and Elmiligi, H. (2019, January 26\u201328). Jsless: A tale of a fileless javascript memory-resident malware. Proceedings of the International Conference on Information Security Practice and Experience, Kuala Lumpur, Malaysia.","DOI":"10.1007\/978-3-030-34339-2_7"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Borana, P., Sihag, V., Choudhary, G., Vardhan, M., and Singh, P. (2021, January 1\u20135). An Assistive Tool for Fileless Malware Detection. Proceedings of the 2021 World Automation Congress (WAC), Taipei, Taiwan.","DOI":"10.23919\/WAC50355.2021.9559449"},{"key":"ref_12","unstructured":"(2022, May 09). Volatility Foundation: An advanced Memory Forensics Framework. Available online: https:\/\/github.com\/volatilityfoundation\/volatility."},{"key":"ref_13","unstructured":"Snow, D. (2021). Investigating Fileless Malware. [Ph.D. Thesis, Utica College]."},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Ganesan, S., Ravi, V., Krichen, M., Sowmya, V., Alroobaea, R., and Soman, K.P. (2021, January 10\u201312). Robust Malware Detection using Residual Attention Network. Proceedings of the 2021 IEEE International Conference on Consumer Electronics (ICCE), Las Vegas, NV, USA.","DOI":"10.1109\/ICCE50685.2021.9427623"},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Urooj, U., Al-rimy, B.A.S., Zainal, A., Ghaleb, F.A., and Rassam, M.A. (2022). Ransomware Detection Using the Dynamic Analysis and Machine Learning: A Survey and Research Directions. Appl. Sci., 12.","DOI":"10.3390\/app12010172"},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Kim, Y.J., Park, C.H., and Yoon, M. (2022). 
FILM: Filtering and Machine Learning for Malware Detection in Edge Computing. Sensors, 22.","DOI":"10.3390\/s22062150"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Alkahtani, H., and Aldhyani, T.H.H. (2022). Artificial Intelligence Algorithms for Malware Detection in Android-Operated Mobile Devices. Sensors, 22.","DOI":"10.3390\/s22062268"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Ullah, S., Ahmad, T., Buriro, A., Zara, N., and Saha, S. (2022). TrojanDetector: A Multi-Layer Hybrid Approach for Trojan Detection in Android Applications. Appl. Sci., 12.","DOI":"10.3390\/app122110755"},{"key":"ref_19","unstructured":"Ullah, A., Anwar, S., Rocha, \u00c1., and Gill, S. (2022). Malware Detection Using Machine Learning Algorithms for Windows Platform. Proceedings of International Conference on Information Technology and Applications, Springer. Lecture Notes in Networks and Systems."},{"key":"ref_20","unstructured":"(2022, November 29). MITRE: Adversarial Tactics, Techniques, and Common Knowledge. Available online: https:\/\/attack.mitre.org\/."},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Dang, F., Li, Z., Liu, Y., Zhai, E., Chen, Q.A., Xu, T., Chen, Y., and Yang, J. (2019, January 17\u201321). Understanding fileless attacks on linux-based iot devices with honeycloud. Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and Services, Seoul, Republic of Korea.","DOI":"10.1145\/3307334.3326083"},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Tekiner, E., Acar, A., Uluagac, A.S., Kirda, E., and Selcuk, A.A. (2021, January 6\u201310). SoK: Cryptojacking Malware. Proceedings of the 2021 IEEE European Symposium on Security and Privacy (EuroS&P), Vienna, Austria.","DOI":"10.1109\/EuroSP51992.2021.00019"},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Ullah, S., Ahmad, T., Ahmad, R., and Aslam, M. (2023). 
Prevention of Cryptojacking Attacks in Business and FinTech Applications. Handbook of Research on Cybersecurity Issues and Challenges for Business and FinTech Applications, IGI Global.","DOI":"10.4018\/978-1-6684-5284-4.ch014"},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Varlioglu, S., Elsayed, N., ElSayed, Z., and Ozer, M. (2022). The Dangerous Combo: Fileless Malware and Cryptojacking. arXiv.","DOI":"10.1109\/SoutheastCon48659.2022.9764043"},{"key":"ref_25","unstructured":"Tancio, B. (2022, April 03). Hunting for Ghosts in Fileless Attacks | SANS Institute. Available online: https:\/\/www.sans.org\/white-papers\/38960\/."},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Tarek, R., Chaimae, S., and Habiba, C. (2020, January 5\u20136). Runtime api signature for fileless malware detection. Proceedings of the Future of Information and Communication Conference, San Francisco, CA, USA.","DOI":"10.1007\/978-3-030-39445-5_47"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Bucevschi, A.G., Balan, G., and Prelipcean, D.B. (2019, January 4\u20137). Preventing File-Less Attacks with Machine Learning Techniques. Proceedings of the 2019 21st International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC), Timisoara, Romania.","DOI":"10.1109\/SYNASC49474.2019.00042"},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"119133","DOI":"10.1016\/j.eswa.2022.119133","article-title":"Fileless malware threats: Recent advances, analysis approach through memory forensics and research challenges","volume":"214","author":"Kara","year":"2023","journal-title":"Expert Syst. Appl."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Mohanta, A., and Saldanha, A. (2020). Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware, Springer.","DOI":"10.1007\/978-1-4842-6193-4"},{"key":"ref_30","unstructured":"Atapattu, M., and Jayawardena, B. 
(2021, January 18). An Approach to Detect Fileless Malware that Maintains Persistence in Windows Environment. Proceedings of the International Conference on Advances in Computing and Technology (ICACT), Kelaniya, Sri Lanka."},{"key":"ref_31","unstructured":"(2022, April 04). Malware Reports\u2014Online Malware Analysis Sandbox. Available online: https:\/\/app.any.run\/."},{"key":"ref_32","unstructured":"Abeydeera, W.P.S. (2022, April 09). Fileless Malware Detection in the Cloud Using Machine Learning Techniques\u2014TalTech Library Digital Collection. Available online: https:\/\/digikogu.taltech.ee\/en\/Item\/87cb2a3a-7ef5-43f0-89a5-ef4cb588b0d5."},{"key":"ref_33","unstructured":"(2022, April 06). VirusShare. Available online: https:\/\/virusshare.com\/."},{"key":"ref_34","unstructured":"(2022, April 10). PolySwarm\u2014Crowdsourced Threat Detection. Available online: https:\/\/polyswarm.network\/."},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Randles, B.M., Pasquetto, I.V., Golshan, M.S., and Borgman, C.L. (2017, January 19\u201323). Using the Jupyter notebook as a tool for open science: An empirical study. Proceedings of the 2017 ACM\/IEEE Joint Conference on Digital Libraries (JCDL), Toronto, ON, Canada.","DOI":"10.1109\/JCDL.2017.7991618"},{"key":"ref_36","unstructured":"Yiu, T. (2022, March 12). Understanding Random Forest. How the Algorithm Works and Why It Is\u2026 | by Tony Yiu | towards Data Science. 
Available online: https:\/\/towardsdatascience.com\/understanding-random-forest-58381e0602d2."}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/23\/2\/612\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T17:59:43Z","timestamp":1760119183000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/23\/2\/612"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,1,5]]},"references-count":36,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2023,1]]}},"alternative-id":["s23020612"],"URL":"https:\/\/doi.org\/10.3390\/s23020612","relation":{},"ISSN":["1424-8220"],"issn-type":[{"value":"1424-8220","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,1,5]]}}}
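The evaluation loop the abstract summarizes (per-dump features derived from Volatility, classifier selection by k-fold cross-validation, then accuracy, TPR and FPR on the chosen model) as an added, dependency-free illustration. This is not the paper's code and does not reproduce its dataset, feature set or Random Forest: the four feature columns, the twelve labelled samples and the two toy classifiers (a one-feature decision stump and an unscaled 3-NN) are constructed assumptions.

```python
"""Sketch of the evaluation loop described in the abstract: feature vectors
(assumed to come from Volatility plugins such as malfind, pslist and dlllist),
candidate classifiers compared by stratified k-fold cross-validation, and the
winner scored by accuracy, TPR and FPR. All data and classifiers are constructed."""
import math
from collections import Counter

# Assumed feature columns (constructed; the paper's feature set is not reproduced):
#   0 malfind_rwx_regions   - injected RWX regions reported by malfind
#   1 unbacked_exec_regions - executable regions with no backing file
#   2 script_host_children  - processes spawned by powershell/wscript/mshta
#   3 loaded_dll_count      - DLLs reported by dlllist (raw, unscaled count)
# Label 1 = fileless malware, 0 = benign. Values are constructed.
SAMPLES = [
    ((0, 0, 0, 41), 0), ((0, 0, 1, 55), 0), ((1, 0, 0, 38), 0),
    ((0, 0, 0, 62), 0), ((0, 1, 0, 47), 0), ((1, 0, 1, 50), 0),
    ((3, 2, 2, 23), 1), ((4, 1, 1, 30), 1), ((2, 3, 2, 27), 1),
    ((5, 2, 0, 19), 1), ((3, 1, 3, 35), 1), ((2, 2, 1, 22), 1),
]


class DecisionStump:
    """One-feature threshold rule (a depth-1 tree): malicious if x[f] >= t."""
    def fit(self, X, y):
        best = (-1.0, 0, 0.0)  # (training accuracy, feature index, threshold)
        for f in range(len(X[0])):
            vals = sorted({x[f] for x in X})
            for lo, hi in zip(vals, vals[1:]):  # midpoints between distinct values
                t = (lo + hi) / 2
                acc = sum((x[f] >= t) == bool(lbl) for x, lbl in zip(X, y)) / len(X)
                if acc > best[0]:
                    best = (acc, f, t)
        _, self.feature, self.threshold = best
        return self

    def predict(self, X):
        return [int(x[self.feature] >= self.threshold) for x in X]


class KNN:
    """k-nearest-neighbour majority vote on raw features (deliberately unscaled)."""
    def __init__(self, k=3):
        self.k = k

    def fit(self, X, y):
        self.X, self.y = list(X), list(y)
        return self

    def predict(self, X):
        preds = []
        for q in X:
            nearest = sorted((math.dist(q, x), lbl) for x, lbl in zip(self.X, self.y))
            votes = Counter(lbl for _, lbl in nearest[: self.k])
            preds.append(votes.most_common(1)[0][0])
        return preds


CANDIDATES = {"decision_stump": DecisionStump, "knn_3": lambda: KNN(3)}


def stratified_folds(samples, k):
    """Deterministic stratified k-fold: each class is dealt round-robin into k folds."""
    folds = [[] for _ in range(k)]
    for label in sorted({lbl for _, lbl in samples}):
        members = [i for i, (_, lbl) in enumerate(samples) if lbl == label]
        for pos, idx in enumerate(members):
            folds[pos % k].append(idx)
    return folds


def cross_val_accuracy(make_model, samples, k=3):
    """Pooled accuracy over k held-out folds; a fresh model is trained per fold."""
    correct = 0
    for held_out in stratified_folds(samples, k):
        train = [s for i, s in enumerate(samples) if i not in held_out]
        test = [samples[i] for i in held_out]
        model = make_model().fit([x for x, _ in train], [lbl for _, lbl in train])
        preds = model.predict([x for x, _ in test])
        correct += sum(p == lbl for p, (_, lbl) in zip(preds, test))
    return correct / len(samples)


def select_best(samples, k=3):
    """Return (name of the best candidate, {name: cv accuracy}) by k-fold score."""
    scores = {name: cross_val_accuracy(make, samples, k) for name, make in CANDIDATES.items()}
    return max(scores, key=scores.get), scores


def confusion_metrics(y_true, y_pred):
    """Accuracy, TPR and FPR from the 2x2 confusion matrix (malicious = positive)."""
    c = Counter(zip(y_true, y_pred))  # keys are (truth, prediction)
    tp, tn, fp, fn = c[(1, 1)], c[(0, 0)], c[(0, 1)], c[(1, 0)]
    return {"accuracy": (tp + tn) / len(y_true),
            "tpr": tp / (tp + fn) if tp + fn else 0.0,
            "fpr": fp / (fp + tn) if fp + tn else 0.0}


def tpr_at_zero_fpr(scores, labels):
    """Best TPR reachable with no false positives: threshold just above the top benign score."""
    benign_max = max(s for s, l in zip(scores, labels) if l == 0)
    malicious = [s for s, l in zip(scores, labels) if l == 1]
    return sum(s > benign_max for s in malicious) / len(malicious)


if __name__ == "__main__":
    name, scores = select_best(SAMPLES)
    print("k-fold scores:", scores, "-> selected:", name)
```

On the constructed data the stump wins because the malfind count alone separates the classes, while the unscaled 3-NN is dominated by the raw DLL count and misclassifies at least one held-out sample; that contrast (distance-based learners need feature scaling, tree-based ones do not) is a property of this toy set, not a finding about the paper's Random Forest. A k-fold score over twelve samples is also far too noisy to mean anything; the paper's 93.33% accuracy and 87.5% TPR at zero FPR are figures for its own collection and are not reproduced here. `tpr_at_zero_fpr` shows how such a figure is read: it is the fraction of malicious samples still caught once the decision threshold is raised just past the highest-scoring benign sample.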