{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,17]],"date-time":"2026-03-17T18:27:48Z","timestamp":1773772068858,"version":"3.50.1"},"reference-count":38,"publisher":"MDPI AG","issue":"3","license":[{"start":{"date-parts":[[2023,3,19]],"date-time":"2023-03-19T00:00:00Z","timestamp":1679184000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100001809","name":"the National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62102209"],"award-info":[{"award-number":["62102209"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"the National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["ZR2020KF035"],"award-info":[{"award-number":["ZR2020KF035"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"the National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["2021CXGC010107"],"award-info":[{"award-number":["2021CXGC010107"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"name":"the Shandong Provincial Natural Science Foundation of China","award":["62102209"],"award-info":[{"award-number":["62102209"]}]},{"name":"the Shandong Provincial Natural Science Foundation of China","award":["ZR2020KF035"],"award-info":[{"award-number":["ZR2020KF035"]}]},{"name":"the Shandong Provincial Natural Science Foundation of China","award":["2021CXGC010107"],"award-info":[{"award-number":["2021CXGC010107"]}]},{"name":"the Shandong Provincial Key Research and Development Program","award":["62102209"],"award-info":[{"award-number":["62102209"]}]},{"name":"the Shandong Provincial Key Research and Development Program","award":["ZR2020KF035"],"award-info":[{"award-number":["ZR2020KF035"]}]},{"name":"the Shandong Provincial Key Research and Development Program","award":["2021CXGC010107"],"award-info":[{"award-number":["2021CXGC010107"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Symmetry"],"abstract":"<jats:p>As cyber attacks grow more complex and sophisticated, new types of malware become more dangerous and challenging to detect. In particular, fileless malware injects malicious code into the physical memory directly without leaving attack traces on disk files. This type of attack is well concealed, and it is difficult to find the malicious code in the static files. For malicious processes in memory, signature-based detection methods are becoming increasingly ineffective. Facing these challenges, this paper proposes a malware detection approach based on convolutional neural network and memory forensics. As the malware has many symmetric features, the saved training model can detect malicious code with symmetric features. The method includes collecting executable static malicious and benign samples, running the collected samples in a sandbox, and building a dataset of portable executables in memory through memory forensics. When a process is running, not all the program content is loaded into memory, so binary fragments are utilized for malware analysis instead of the entire portable executable (PE) files. PE file fragments are selected with different lengths and locations. We conducted several experiments on the produced dataset to test our model. The PE file with 4096 bytes of header fragment has the highest accuracy. We achieved a prediction accuracy of up to 97.48%. Moreover, an example of fileless attack is illustrated at the end of the paper. The results show that the proposed method can detect malicious codes effectively, especially the fileless attack. Its accuracy is better than that of common machine learning methods.<\/jats:p>","DOI":"10.3390\/sym15030758","type":"journal-article","created":{"date-parts":[[2023,3,20]],"date-time":"2023-03-20T05:46:42Z","timestamp":1679291202000},"page":"758","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":37,"title":["A Malware Detection Approach Based on Deep Learning and Memory Forensics"],"prefix":"10.3390","volume":"15","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-5017-3207","authenticated-orcid":false,"given":"Shuhui","family":"Zhang","sequence":"first","affiliation":[{"name":"Qilu University of Technology (Shandong Academy of Sciences), Shandong Computer Science Center (National Supercomputer Center in Jinan), Shandong Provincial Key Laboratory of Computer Networks), Jinan 250014, China"}]},{"given":"Changdong","family":"Hu","sequence":"additional","affiliation":[{"name":"Qilu University of Technology (Shandong Academy of Sciences), Shandong Computer Science Center (National Supercomputer Center in Jinan), Shandong Provincial Key Laboratory of Computer Networks), Jinan 250014, China"}]},{"given":"Lianhai","family":"Wang","sequence":"additional","affiliation":[{"name":"Qilu University of Technology (Shandong Academy of Sciences), Shandong Computer Science Center (National Supercomputer Center in Jinan), Shandong Provincial Key Laboratory of Computer Networks), Jinan 250014, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3047-3020","authenticated-orcid":false,"given":"Miodrag","family":"Mihaljevic","sequence":"additional","affiliation":[{"name":"Qilu University of Technology (Shandong Academy of Sciences), Shandong Computer Science Center (National Supercomputer Center in Jinan), Shandong Provincial Key Laboratory of Computer Networks), Jinan 250014, China"},{"name":"Mathematical Institute, The Serbian Academy of Sciences and Arts, 11000 Belgrade, Serbia"}]},{"given":"Shujiang","family":"Xu","sequence":"additional","affiliation":[{"name":"Qilu University of Technology (Shandong Academy of Sciences), Shandong Computer Science Center (National Supercomputer Center in Jinan), Shandong Provincial Key Laboratory of Computer Networks), Jinan 250014, China"}]},{"given":"Tian","family":"Lan","sequence":"additional","affiliation":[{"name":"Qilu University of Technology (Shandong Academy of Sciences), Shandong Computer Science Center (National Supercomputer Center in Jinan), Shandong Provincial Key Laboratory of Computer Networks), Jinan 250014, China"}]}],"member":"1968","published-online":{"date-parts":[[2023,3,19]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"102887","DOI":"10.1016\/j.cose.2022.102887","article-title":"A few-shot malware classification approach for unknown family recognition using malware feature visualization","volume":"122","author":"Conti","year":"2022","journal-title":"Comput. Secur."},{"key":"ref_2","unstructured":"(2022, December 23). Malware Statistics & Trends Report|AV-TEST. AV Test Malware Statistics. Available online: https:\/\/www.av-test.org\/en\/statistics\/malware."},{"key":"ref_3","first-page":"1177","article-title":"The Economics of Information Security and Privacy","volume":"52","author":"Greenstein","year":"2014","journal-title":"J. Econ. Lit."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Khalid, O., Ullah, S., Ahmad, T., Saeed, S., Alabbad, D.A., Aslam, M., Buriro, A., and Ahmad, R. (2023). An Insight into the Machine-Learning-Based Fileless Malware Detection. Sensors, 23.","DOI":"10.3390\/s23020612"},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"119133","DOI":"10.1016\/j.eswa.2022.119133","article-title":"Fileless malware threats: Recent advances, analysis approach through memory forensics and research challenges","volume":"214","author":"Kara","year":"2022","journal-title":"Expert Syst. Appl."},{"key":"ref_6","unstructured":"Pradip, D., Pradip, D., and Chakraborty, K. (2023). Advances in Number Theory and Applied Analysis, World Scientific."},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Franzen, F., Holl, T., Andreas, M., Kirsch, J., and Grossklags, J. (2022, January 26\u201328). Katana: Robust, Automated, Binary-Only Forensic Analysis of Linux Memory Snapshots. Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2022), Limassol, Cyprus. 18p.","DOI":"10.1145\/3545948.3545980"},{"key":"ref_8","unstructured":"Ligh, M.H., Case, A., Levy, J., and Walters, A. (2014). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac memory, John Wiley & Sons."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"061102","DOI":"10.1016\/j.cose.2020.102166","article-title":"Catch Them Alive: A Malware Detection Approach through Memory Forensics, Manifold Learning and Computer Vision","volume":"103","author":"Bozkir","year":"2021","journal-title":"Comput. Secur."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"113156","DOI":"10.1016\/j.eswa.2019.113156","article-title":"SLDeep: Statement-level software defect prediction using deep-learning model on static code features","volume":"147","author":"Majd","year":"2020","journal-title":"Expert Syst. Appl."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Jiang, F., Cai, Q., Lin, J., Luo, B., Guan, L., and Ma, Z. (2019, January 9\u201313). TF-BIV: Transparent and Fine-Grained Binary Integrity Verification in the Cloud. Proceedings of the 35th Annual Computer Security Applications Conference, San Juan, PR, USA.","DOI":"10.1145\/3359789.3359795"},{"key":"ref_12","first-page":"1151","article-title":"Research and development of memory forensics","volume":"26","author":"Zhang","year":"2015","journal-title":"Ruan Jian Xue Bao\/J. Softw."},{"key":"ref_13","first-page":"673","article-title":"Stealth Loader: Trace-free Program Loading for Analysis Evasion","volume":"26","author":"Kawakoya","year":"2018","journal-title":"J. Inf. Process."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"300917","DOI":"10.1016\/j.fsidi.2020.300917","article-title":"On Challenges in Verifying Trusted Executable Files in Memory Forensics","volume":"32","author":"Uroz","year":"2020","journal-title":"Forensic Sci. Int. Digit. Investig."},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"23","DOI":"10.1016\/j.ins.2016.07.019","article-title":"A lightweight live memory forensic approach based on hardware virtualization","volume":"379","author":"Cheng","year":"2017","journal-title":"Inf. Sci."},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"301012","DOI":"10.1016\/j.fsidi.2020.301012","article-title":"Hiding process memory via anti-forensic techniques","volume":"33","author":"Palutke","year":"2020","journal-title":"Forensic Sci. Int. Digit. Investig."},{"key":"ref_17","unstructured":"Wang, L. (2014). Research on Online Forensics Model and Method Based on Physical Memory Analysis. [Ph.D. Thesis, Shandong University]."},{"key":"ref_18","unstructured":"Raff, E., Barker, J., Sylvester, J., Brandon, R., Catanzaro, B., and Nicholas, C. (2018, January 2\u20137). Malware Detection by Eating a Whole Exe. Proceedings of the Workshops at the Thirty-Second AAAI Conference on Artificial Intelligence, New Orleans, LA, USA."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Mar\u00edn, G., Casas, P., and Capdehourat, G. (2021). Deepmal-deep learning models for malware traffic detection and classification. Data Sci. -Anal. Appl., 105\u2013112.","DOI":"10.1007\/978-3-658-32182-6_16"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Li, H., Zhan, D., Liu, T., and Ye, L. (2019, January 4\u20137). Using Deep-Learning-Based Memory Analysis for Malware Detection in Cloud. Proceedings of the 2019 IEEE 16th International Conference on Mobile Ad Hoc and Sensor Systems Workshops (MASSW), Monterey, CA, USA.","DOI":"10.1109\/MASSW.2019.00008"},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"176728","DOI":"10.1109\/ACCESS.2020.3026052","article-title":"Malicious Code Detection Based on Code Semantic Features","volume":"8","author":"Zhang","year":"2020","journal-title":"IEEE Access"},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"113022","DOI":"10.1016\/j.eswa.2019.113022","article-title":"Detecting malware evolution using support vector machines","volume":"143","author":"Wadkar","year":"2020","journal-title":"Expert Syst. Appl."},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"236","DOI":"10.1016\/j.jnca.2018.10.022","article-title":"MalInsight: A systematic profiling based malware detection framework","volume":"125","author":"Han","year":"2019","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"265","DOI":"10.1007\/s11265-020-01588-1","article-title":"A Method for Windows Malware Detection Based on Deep Learning","volume":"93","author":"Huang","year":"2020","journal-title":"J. Signal Process. Syst."},{"key":"ref_25","first-page":"1454","article-title":"Malicious code classification method based on deep forest","volume":"31","author":"Lu","year":"2020","journal-title":"Ruan Jian Xue Bao\/J. Softw."},{"key":"ref_26","unstructured":"Simonyan, K., and Zisserman, A. (2014). Very deep convolutional networks for large-scale image recognition. arXiv."},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"301126","DOI":"10.1016\/j.fsidi.2021.301126","article-title":"Insider threat prediction based on unsupervised anomaly detection scheme for proactive forensic investigation","volume":"38","author":"Wei","year":"2021","journal-title":"Forensic Sci. Int. Digit. Investig."},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"145768","DOI":"10.1109\/ACCESS.2020.3014891","article-title":"V-sandbox for dynamic analysis IoT botnet","volume":"8","author":"Le","year":"2020","journal-title":"IEEE Access"},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Urooj, U., Al-Rimy, B.A.S., Zainal, A., Ghaleb, F.A., and Rassam, M.A. (2021). Ransomware detection using the dynamic analysis and machine learning. Appl. Sci., 12.","DOI":"10.3390\/app12010172"},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"254","DOI":"10.1016\/j.matpr.2021.05.270","article-title":"Memory forensic: Acquisition and analysis mechanism for operating systems","volume":"51","author":"Shree","year":"2022","journal-title":"Mater. Today Proc."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Jin, X., Xing, X., Elahi, H., Wang, G., and Jiang, H. (2020, January 10\u201313). A Malware Detection Approach using Malware Images and Autoencoders. Proceedings of the 2020 IEEE 17th International Conference on Mobile Ad Hoc and Sensor Systems (MASS), Virtual.","DOI":"10.1109\/MASS50613.2020.00009"},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"90102","DOI":"10.1109\/ACCESS.2021.3090998","article-title":"Classification and analysis of android malware images using feature fusion technique","volume":"9","author":"Singh","year":"2021","journal-title":"IEEE Access"},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"3979","DOI":"10.1007\/s11042-017-5104-0","article-title":"Android malware detection based on system call sequences and LSTM","volume":"78","author":"Xiao","year":"2019","journal-title":"Multimed. Tools Appl."},{"key":"ref_34","doi-asserted-by":"crossref","first-page":"147","DOI":"10.1007\/s10614-021-10145-2","article-title":"Is deep-learning and natural language processing transcending the financial forecasting? Investigation through lens of news analytic process","volume":"60","author":"Khalil","year":"2022","journal-title":"Comput. Econ."},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"E7","DOI":"10.3171\/2022.1.FOCUS21561","article-title":"Differentiation of lumbar disc herniation and lumbar spinal stenosis using natural language processing\u2013based machine learning based on positive symptoms","volume":"52","author":"Ren","year":"2022","journal-title":"Neurosurg. Focus"},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Jayasudha, J., and Thilagu, M. (2022, January 16\u201317). A Survey on Sentimental Analysis of Student Reviews Using Natural Language Processing (NLP) and Text Mining. Proceedings of the Innovations in Intelligent Computing and Communication: First International Conference ICIICC 2022, Bhubaneswar, India.","DOI":"10.1007\/978-3-031-23233-6_27"},{"key":"ref_37","unstructured":"Biscione, V., and Bowers, J.S. (2021). Convolutional neural networks are not invariant to translation, but they can learn to be. arXiv."},{"key":"ref_38","doi-asserted-by":"crossref","first-page":"1335","DOI":"10.32604\/iasc.2020.013861","article-title":"Experimental Evaluation of Clickbait Detection Using Machine Learning Models","volume":"26","author":"Ahmad","year":"2020","journal-title":"Intell. Autom. Soft Comput."}],"container-title":["Symmetry"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-8994\/15\/3\/758\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T18:58:48Z","timestamp":1760122728000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-8994\/15\/3\/758"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,3,19]]},"references-count":38,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2023,3]]}},"alternative-id":["sym15030758"],"URL":"https:\/\/doi.org\/10.3390\/sym15030758","relation":{},"ISSN":["2073-8994"],"issn-type":[{"value":"2073-8994","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,3,19]]}}}