2021 17th International Conference on Computational Intelligence and Security (CIS)
OS-independent Malware Detection: Applying Machine Learning and
Computer Vision in Memory Forensics
Anh-Duy Tran, Ngoc-Huy Vo, Quang-Khai Tran, Hai-Dang Nguyen, Minh-Triet Tran
Faculty of Information Technology, University of Science, VNU-HCM
2021 17th International Conference on Computational Intelligence and Security (CIS) | 978-1-6654-9489-2/21/$31.00 ©2021 IEEE | DOI: 10.1109/CIS54983.2021.00134
Vietnam National University, Ho Chi Minh City, Vietnam
{taduy,nhdang94,tmtriet}@hcmus.edu.vn,{1712504,1712514}@student.hcmus.edu.vn
Abstract—Malware detection is an essential task to protect
computing systems, and it is crucial to detect potential mali-
cious code in memory. Thus, we utilize the memory forensics
approach to build an OS-independent malware detection sys-
tem. To accomplish this goal, we integrate fundamental ma-
chine learning techniques with memory forensics for building a
classification tool and apply computer vision for preprocessing
data. Our system needs a huge data set from both benign
and malicious memory dumps for building a machine learning
model. Therefore, we also build a MemGen system to simulate
any scenario for computers and dump benign or malicious
memory snapshots. We use the MemGen system to create a
new dataset that includes types of 2750 samples of 8 different
newest malware and benign memory dumps. The results are
obtained by applying the machine learning algorithms SVM
based on RBF kernel, Random Forest, and Decision Tree on
the generated dataset by MemGen that has an accuracy of
93.42%, 93.75%, 92.83% respectively. Moreover, we test the
trained models to recognize unknown malware and obtained
quite impressive results with accuracy up to 87.44%, 84.78%,
80% on average for Random Forest, Decision Tree, and SVM
algorithms, on a dataset of 900 malware samples from 3 types
of malware: OskiStealer, RedLineStealer, and SnapKeylogger.
Keywords-memory forensics; malware detection; machine
learning; computer vision;
I. I NTRODUCTION
Memory forensics is a process of extracting evidence or
artifacts in the memory images (or memory dump) when its
computer is compromised. Memory images contain critical
evidence that stands as important clues when analyzing the
compromised system. Extracting the evidence is the key
phase in digital forensics. A memory image captures the
current state of the system. It contains useful information
such as the running processes, network connections, opening
files, etc., which help identify illegal behavior and recon-
struct the crime scenarios [1], [2]. The main memory in
most systems is volatile, which means it will lose all the data
when the machine is switched off. Therefore, using the “pull
and plug” tactic does not work in this situation [3]. Instead,
the memory images (snapshots or dumps) were taken before
shutting down the system will help tackle this problem.
Investigating those snapshots in the later stage contributes
to the primary role in capturing criminal activities. We can
identify instances of the data structure [4] from the memory
978-1-6654-9489-2/21/$31.00 ©2021 IEEE
DOI 10.1109/CIS54983.2021.00134
uthorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on July 26,2023 at 18:57:49 UTC from IEEE Xplore. Restrictions appl
images, inspecting malicious processes [5], kernel integrity
checking [6], and virtual machine introspection [7]. There
are two main phases in memory forensics: memory acqui-
sition and memory analysis [1]. In the memory acquisition
phase, we utilize the hardware or software approaches to
capture and take a snapshot of the memory of the running
system, forming a memory image. Then, many techniques
are applied in the memory analysis phase to extract the
desired artifacts in the memory images.
Most of the current forensics tools and introspections
employ specific knowledge such as kernel source and infor-
mation of the system to reconstruct a profile which contains
the information of a memory image structure. Based on
that knowledge, forensics tools can be used to analyze the
memory quickly and precisely. However, in many cases, we
cannot have that information, for example, the closed source
OSs. Moreover, with an impressive development of IoT
devices, Android smartphones, and upcoming Fuchsia, many
versions of OS exist. Their memory images also play an
essential role in the realm of modern digital forensics for in-
vestigating compromised devices and smartphones. In these
cases, sophisticated reverse engineering efforts are needed,
and it takes several months to create the development and
maintenance tools for each OS or device.
One of the goals of memory forensics is to inspect
malicious processes, which means we can leverage that goal
for detecting malware in working or compromised machines.
Detecting malware in the systems is an essential task in
cybersecurity, and there are many approaches for helping to
accomplish that target, such as signature-based or heuristic-
based. However, almost all these methods cannot be applied
to detect new kinds of malware or could not work in every
operating system. Therefore, it is crucial to building a system
that can recognize the behavior and presence of malware on
the computer for the current context, especially the ability
to adapt to recognize new malware or variants of existing
malware.
Today, malware is developed using many sophisticated
techniques such as encryption or packing to hide the pres-
ence of malware on the computer or even fileless malware to
reduce the need to store malware on storage. No matter what
technology is supported, all its behavior and activities will be
616
 visible and exposed in memory when malware is executed.
Therefore, dealing with malware with memory forensics
becomes more feasible and practical. However, the biggest
challenge when working with memory forensics is building a
profile for each operating system that we extract its memory.
Therefore, with the help of combining machine learning and
memory forensics, we can build a system capable of malware
detection and bypass the need of the profiles. Moreover, that
system can be applied to many Windows OSs and detect new
kinds of malware or its variants.
In this paper, we propose our novel solution for the
processing of building OS-independent Malware Detector.
Our main contributions are as follows:
• We develop a MemGen system that can simulate the
virtual environments with provided activities, run the
newest malware samples inside virtual machines and
then capture its memory for both benign and malicious
machines (Section III). Our process memory dump data
set can be used for further memory analysis research,
or the researchers can build up their data set from that.
• We preprocess data by converting memory dumps to
PNG images using computer vision techniques (Section
IV).
• We build machine learning model for detecting malware
in memory without knowledge of OS and conduct our
experiments (Section V).
II. R ELATED W ORK
Started from Digital Forensics Research Workshop
(DFRWS, 2008), memory forensics has been a juicy and
attractive part of the digital investigation field. Since then,
many research works have focused on building the profile
and analyzing the memory dumps of both Windows and
Linux, mostly in Windows, because it has much fewer
variant versions than Linux. A memory profile is considered
a skeleton of a memory dump, and the tools can use profiles
to map or segment binary data into desired objects.
Much research has been conducted to build malware
detection and analysis using memory forensics to achieve
that goal. Mosli et al. [5] extract the registry activity,
imported libraries, and API function calls from memory
dumps to build a dataset for a machine learning model
to detect unknown malware. Another research by Case et
al. [8] focuses on detecting keystroke loggers by upgrading
the Hooktracer, which is a Volatility plugin. Bajpai et al.’s
research [9] retrieve cryptographic keys during encryption
in the ransomware process memory to help recover en-
crypted data. Hue et al. [10] utilize the virtual machine
introspection mechanism to inspect the low-level state of
the targeted machine (virtual machine), then reconstructs
the guest OS data structures to identifies the lack of the
critical processes and the target hidden process. In those
approaches, researchers should have strong knowledge in
loading a process to memory, the structure of the operating
617
uthorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on July 26,2023 at 18:57:49 UTC from IEEE Xplore. Restrictions appl
system, virtual machine, and it is hard to apply in analyzing
other operating systems. Bozkir et al. [11], Petrik et al.
[12] proposed a system that integrates machine learning to
memory forensics to build malware detection. This approach
can reduce the need for computer security knowledge, but
it did not create a framework for producing datasets.
III. M EMORY D UMP G ENERATION S YSTEM - M EM G EN
Our approach for building a malware detection system by
using memory forensics is leveraged the power of machine
learning techniques. The very first problem for machine
learning methodology is the dataset. Every machine learning
system cannot be built if it does not have a dataset for
training. Moreover, the dataset in memory forensics is the
memory dump (memory image or memory snapshot) itself
and is extremely big in modern computers. The memory
dump also captures the randomness of the computer status.
Therefore, we come up with a memory dump generation sys-
tem - MemGen. MemGen comprises many parts that help
simulate a virtual machine with a specific operating system,
run typical applications inside, deploy targeted malware, and
capture its memory as an image file. Hence, every researcher
can use the MemGen system to create a dataset with the
newest malware when they use our system, or they can use
MemGen to generate memory dump with any scenario they
want to simulate in the virtual machine for further processing
research in the memory forensics area.
To build a malware detection system, we have to create
two separate datasets: the first one is captured from benign
machine memory, and the second one is captured from
compromised machine memory with malware is running
inside. Both benign and compromised machines have to
simulate the typical applications and run common activities
that normal users can start or perform. Figure 1 depicts the
processing flow of the MemGen system, and it performs the
simulation through 3 main steps:
• Step 1: the Host machine create a list of tasks that
the virtual machine will run. Those tasks consist of
opening common applications, accessing some specific
websites. Optionally, the Host machine can also pick
a random malware sample that belongs to one targeted
malware family if the users want to build a dataset for
compromised machines. The task list is store in shared
storage between the Host and the Guest machines.
• Step 2: the Guest machine (virtual machine) is auto-
matically started by the Host machine, and it also runs
the script to read the task list and performs those task
lists. Besides, it can run some malware if necessary.
• Step 3: the Guest machine uses ProcDump to dump
the memory of a specific running process. There are
three memory extraction modes that MemGen supports:
extract whole memory, extract memory of running
malicious process and extract all memory part of all
running processes in the virtual machine.

Figure 1. The workflow of the memory dump generation system - MemGen
To configure MemGen, we use a host machine running
Ubuntu version 20.04, and installed a guest machine that
runs the version 20H2 of Windows 10. Besides, we used
an external hard drive to be able to share the to-do activity
list, the malware code to execute, the list of malware, and
where memory dumps are stored after execution. We can
create a memory dump sample of the malware process
executing on RAM within approximately 150 seconds. We
create a dataset with a capacity of 296GB, including 2750
samples of 8 different malware types: Loki-Bot, Agent
Tesla, FormBook, StormKitty, OskiStealer, RedlineStealer,
SnakeKeylogger which are collected from MalwareBazar
(https://bazaar.abuse.ch/) and benign memory dumps.
IV. P RE - PROCESSING
To create input data for the machine learning model, we
design a way to extract features from the raw data, which
is the memory dump in this scenario. The features represent
critical meaning of the data in a specific domain. From this
point, there are two main approaches for feature extraction
phase. If the way of generating the data is revealed or known
in advance, we can simply apply our domain knowledge to
extract features from the data. In digital memory forensics,
an expert can analyze the memory dumps where artifact
should be retrieved, and he can understand the mechanism of
that kernel objects, processes, network connection, malware,
etc., scattered in the memory dump of the compromised
system. On the other hand, an alternative way is to feed
that data in a simplistic format to a machine learning model
and allow the model to learn. In our approach, we leverage
our knowledge in computer vision and computer security to
reduce the dataset’s size and extract its feature.
Figure 2 illustrates the overall workflow of the mal-
ware detection system. In the preprocessing phase,
we utilize the bin2png tool, which is published in
618
uthorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on July 26,2023 at 18:57:49 UTC from IEEE Xplore. Restrictions appl
https://github.com/ESultanik/bin2png, to first convert binary
data (memory dump) of both benign and compromised
snapshots to PNG files without reducing data in binary files.
Visualizing the binary data helps bridge the gap between
computer vision and the sequence of bytes of the executable
files. Each pixel of an output image is composed of three
bytes of the given binary file. The three bytes represent the
values in three color channels which are red, green, and blue.
In this research, we leverage the encoding algorithm in RGB
to convert the memory dump into 300x300 pixels images,
and that method helps us to visualize more information in
every row of the output image. Hence, we can effortlessly
recognize the similarity between two images of the processes
produced by one malware or its variances. For example, the
contents of Loki and Tesla images are different from each
other because they represent the processes of two different
malware, whereas two nearly indistinguishable images vi-
sualize the processes of one malware in Figure 3. We also
modify the source code of bin2png to add a new function
that helps to resize the output image to use in the training
model.
We extract two types of features, which are HOG and
GIST, and feed them into the model during the training
process. HOG (histogram of oriented gradients) is a feature
descriptor used in computer vision and image processing to
identify an object. The essence of the HOG method is to
use information about the distribution of gradient intensities
or edge directions to describe local features in the image.
The GIST descriptor represents a low-dimensional image
that contains enough information to identify the scene in
an image. Global GIST descriptors allow a minimal size
representation of an image. In our work, we use both
extracted features from GIST and HOG to build the feature
vector.
Finally, we use UMAP to reduce the dimensions of the
input data. Due to the structural similarity between the
benign software and the malware samples, it is difficult to
separate them in the feature space with 2724 dimensions
(960 dimensions from HOG feature descriptor and 1764
dimensions from GIST feature descriptor). We use the
UMAP (Uniform Manifold Approximation and Projection)
dimension reduction with its beneficial supervised metric
learning property to overcome this limitation. With this
feature, it helps to improve the model’s performance by
including the training model and the prediction with a
lower-dimensional feature space that is more discriminatory
and separate than the original. Moreover, it also helps us
visualize the distribution of the data.
V. OS- INDEPENDENT M ALWARE D ETECTOR
To build an OS-independent malware detector, we use
the processed memory dumps data and traditional machine
learning models: Decision Tree, Random Forest, and Support
Vector Machine (SVM). Python’s libraries and packages
 Figure 2. The workflow of OS-independent Malware Detector

In general, the classification accuracy of the algorithms is

relatively good. The Decision Tree algorithm gives the best
classification results for the training set with an accuracy up
to 100%. In the meanwhile, the algorithm that gives good
results for the test set is the Random Forest algorithm, with
Figure 3. The converted images of process’s memory-dumps of Loki (left) an accuracy rate of 93.75%. In summary, all algorithms give
and Tesla 1 (middle) and Tesla 2 (right) malware relatively high results for the test set with accuracy rates
greater than 93%.
Table II shows that the coverage (recall) for malware
such as Scikit-Learn, UMAP, GIST, HOG in python are uti- is relatively high, and the highest is the Random Forest
lized for implementation. We set up a training machine with algorithm with coverage up to 99%. However, the coverage
Linux OS kernel, Intel core i7-7500U, and 8GB of RAM. for benign software is 0.78, 0.77, and 0.75 for SVM based on
The dataset used for building classification models has 6134 RBF kernel, Random Forest, and Decision Tree algorithms,
images in PNG format. We take approximately 80% of data respectively. The numbers express that the detector is able
as training set and 20% as the test set. Then, all the PNG to easily recognize malicious software while also potentially
images in both training and testing sets will be imported confuse benign software as malicious software.
in the feature vector calculation (with 2724 dimensions for In fact, new types of malware or a variant of previously
each image) using GIST and HOG descriptors, and they will
be labeled Malware if it is produced by malicious software,
and Benign if it is produced by benign software, accordingly. Table I
Next, the training set is fed into UMAP to perform ACCURACY, PRECISION , RECALL AND F 1- SCORES FOR EACH MACHINE
LEARNING MODEL
the supervised dimension reduction. The supervised metric
learning feature from UMAP creates a learned transformer
ML method Accuracy Precision Recall F1-Score
model that has learned the data with corresponding labels in SVM(rbf) 99.32 % 0.99 0.99 0.99
the training set. The feature vectors in the training set were Train Random Forest 99.43 % 0.99 0.99 0.99
Decision Tree 100 % 1 1 1
reduced in size from 2724 components to 5 components SVM(rbf) 93.42 % 0.92 0.88 0.90
per vector. This converted training set is used in the SVM Test Random Forest 93.75 % 0.94 0.88 0.90
based on RBF kernel, Random Forest, and Decision Tree Decision Tree 92.83 % 0.93 0.87 0.89
algorithms.
In the next stage, we test our trained models on the Table II
test dataset. First, we need to put the vectors in the test P RECISION , RECALL AND F 1- SCORES OF BENIGN AND MALICIOUS
PROCESS PREDICTION
set into the learned transformer model created by UMAP
previously, and it fixes the test set data correctly into its
ML method Class Precision Recall F1-Score Support
structure to compute data dimension reduction regardless of SVM(rbf) Malware 0.94 0.98 0.96 935
the labels. After this process, the vectors in the test set have Benign 0.91 0.78 0.84 265
Random Malware 0.94 0.99 0.96 935
the same size as the training set. Finally, the test set is be Forest Benign 0.94 0.77 0.84 265
imported to validate the effectiveness of the classification Decision Malware 0.93 0.98 0.96 935
models built with the previous training set. Experimental Tree Benign 0.92 0.75 0.83 265
results are described in table I and table II.

619

uthorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on July 26,2023 at 18:57:49 UTC from IEEE Xplore. Restrictions appl
 Table III ACKNOWLEDGMENT
T ESTING ON UNTRAINED MALWARE
We would like to thank Dung Nguyen for his valuable
ML method Malware Accuracy True False Total support. This research is funded by the University of Sci-
SVM(rbf) OskiStealer 90 % 270 30 300 ence, VNU-HCM, under grant number CNTT 2020-01.
RedLineStealer 86.67 % 260 40 300
SnakeKeylogger 63.33 % 190 110 300 R EFERENCES
Average Accuracy 80 %
Random OskiStealer 90.33 % 271 29 300 [1] M. H. Ligh, A. Case, J. Levy, and A. Walters, The art of
Forest RedLineStealer 94 % 282 18 300
SnakeKeylogger 78 % 234 66 300
memory forensics: detecting malware and threats in windows,
Average Accuracy 87.44 % linux, and Mac memory. John Wiley & Sons, 2014.
Decision OskiStealer 90.67 % 272 28 300
Tree RedLineStealer 90.67 % 272 28 300 [2] A. Case and G. G. Richard III, “Memory forensics: The path
SnakeKeylogger 73 % 219 82 300 forward,” Digital Investigation, vol. 20, pp. 23–33, 2017.
Average Accuracy 84.78 %

[3] G. G. Richard III and V. Roussev, “Next-generation digital

forensics,” Communications of the ACM, vol. 49, no. 2, pp.
76–80, 2006.

discovered malware evolve very quickly and are created
every day. Therefore, timely detection of zero-day attacks is
becoming more and more important. This is the reason why
we conduct an experiment to see if this model could be used
to predict new types of malware that had not been trained on
the model. We test on three new types of malware, namely
OskiStealer, RedLineStealer, and SnapKeylogger. For each
type of malware, we create 300 data samples for testing.
The test results are presented in Table III.
VI. C ONCLUSION
In this paper, we present the best of our knowledge, apply-
ing memory forensics, several data preprocessing techniques,
and machine learning algorithms to build an OS-independent
malware detector. We fundamentally convert memory dumps
to PNG images by using RGB-based encoding. Then, we
extract two type of descriptors, namely GIST and HOG,
from the images, and apply traditional machine learning
techniques to build an OS-independent malware detector to
classify malicious or benign processes, and possibly find any
unknown malware. We employ the state-of-the-art dimension
reduction technique named UMAP to improve the robustness
of the classifier. In addition, we build a system called
MemGen and utilize it to generate the dataset used in our
experiments. MemGen can either generate datasets with an
entire memory or memory dump of a specific process. In
particular, we randomly generate a list of typical applications
that run on the system beside the newest targeted malware to
simulate realistic behaviors of possible scenarios for a real
user. Moreover, we consider the memory dumps generated
by MemGen as a driving force and an essential resource for
our future research in the memory forensics field. Dataset
and source code will be made public.
As a result, we test the trained models with unknown
malware and obtain quite satisfactory results, specifically the
Random Forest algorithm achieves the highest results with
average accuracy is 87.44% and the accuracy for each type
is 90.33%, 94%, and 78% respectively for three types of
malware: OskiStealer, RedLineStealer, and SnapKeylogger.
[4] Z. Lin, J. Rhee, X. Zhang, D. Xu, and X. Jiang, “Siggraph:
Brute force scanning of kernel data structure instances using
graph-based signatures.” in Ndss, 2011.
[5] R. Mosli, R. Li, B. Yuan, and Y. Pan, “Automated malware
detection using artifacts in forensic memory images,” in 2016
IEEE Symposium on Technologies for Homeland Security
(HST). IEEE, 2016, pp. 1–6.
[6] A. Srivastava, I. Erete, and J. Giffin, “Kernel data integrity
protection via memory access control,” Georgia Institute of
Technology, Tech. Rep., 2009.
[7] C.-W. Tien, J.-W. Liao, S.-C. Chang, and S.-Y. Kuo, “Memory
forensics using virtual machine introspection for malware
analysis,” in 2017 IEEE Conference on Dependable and
Secure Computing. IEEE, 2017, pp. 518–519.
[8] A. Case, R. D. Maggio, M. Firoz-Ul-Amin, M. M. Jalalzai,
A. Ali-Gombe, M. Sun, and G. G. Richard III, “Hooktracer:
Automatic detection and analysis of keystroke loggers using
memory forensics,” Computers & Security, vol. 96, p. 101872,
2020.
[9] P. Bajpai and R. Enbody, “Memory forensics against ran-
somware,” in 2020 International Conference on Cyber Se-
curity and Protection of Digital Services (Cyber Security).
IEEE, 2020, pp. 1–8.
[10] Q. Hua and Y. Zhang, “Detecting malware and rootkit
via memory forensics,” in 2015 International Conference
on Computer Science and Mechanical Automation (CSMA).
IEEE, 2015, pp. 92–96.
[11] A. S. Bozkir, E. Tahillioglu, M. Aydos, and I. Kara, “Catch
them alive: A malware detection approach through memory
forensics, manifold learning and computer vision,” Computers
& Security, vol. 103, p. 102166, 2021.
[12] R. Petrik, B. Arik, and J. M. Smith, “Towards architecture
and os-independent malware detection via memory forensics,”
in Proceedings of the 2018 ACM SIGSAC Conference on
Computer and Communications Security, 2018, pp. 2267–
2269.

620

uthorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on July 26,2023 at 18:57:49 UTC from IEEE Xplore. Restrictions appl