Few-Shot Learning With Prototypical Networks for Improved Memory Forensics

IF 3.4 3区 计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS
Muhammad Fahad Malik;Ammara Gul;Ayesha Saadia;Faeiz M. Alserhani
{"title":"Few-Shot Learning With Prototypical Networks for Improved Memory Forensics","authors":"Muhammad Fahad Malik;Ammara Gul;Ayesha Saadia;Faeiz M. Alserhani","doi":"10.1109/ACCESS.2025.3565802","DOIUrl":null,"url":null,"abstract":"Securing computer systems requires effective methods for malware detection. Memory forensics analyzes memory dumps to identify malicious activity, but faces challenges including large and complex datasets, constantly evolving malware threats, and limited labeled data for training algorithms among others. This research introduces a novel approach for malware detection using memory forensics and prototypical networks. As the first application of prototypical networks to the Dumpware10 dataset (to the best of authors knowledge), our findings highlight the potential of few-shot learning for memory forensics-based malware detection, opening new avenues for research in this domain. Prototypical networks are a type of few-shot learning algorithm that excels at classifying new categories with minimal examples. Utilizing the publicly available Dumpware10 dataset, which includes 10 malware classes and one benign class, we preprocess memory dumps using denoising and A-Hash functions to reduce noise and redundancy. The prototypical network is trained on the first four malware classes and the benign class. It’s then tested on a dataset with one additional class (first five malware classes and the benign class). We progressively increase the number of test classes to eleven. Within each training episode, five training images are used as support samples, with all remaining images designated as query samples. Our goal isn’t to predict exact class labels, but to assess the similarity between query images and prototypes using a distance metric. If the label of a prototype matches the query image and the distance falls below a threshold, it’s considered a true positive. This approach achieves an average accuracy of 92% with eleven classes, the highest across all scenarios and comparable to previous work using machine and deep learning algorithms on this dataset.","PeriodicalId":13079,"journal":{"name":"IEEE Access","volume":"13 ","pages":"79397-79409"},"PeriodicalIF":3.4000,"publicationDate":"2025-04-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10980249","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Access","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10980249/","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

Abstract

Securing computer systems requires effective methods for malware detection. Memory forensics analyzes memory dumps to identify malicious activity, but faces challenges including large and complex datasets, constantly evolving malware threats, and limited labeled data for training algorithms among others. This research introduces a novel approach for malware detection using memory forensics and prototypical networks. As the first application of prototypical networks to the Dumpware10 dataset (to the best of authors knowledge), our findings highlight the potential of few-shot learning for memory forensics-based malware detection, opening new avenues for research in this domain. Prototypical networks are a type of few-shot learning algorithm that excels at classifying new categories with minimal examples. Utilizing the publicly available Dumpware10 dataset, which includes 10 malware classes and one benign class, we preprocess memory dumps using denoising and A-Hash functions to reduce noise and redundancy. The prototypical network is trained on the first four malware classes and the benign class. It’s then tested on a dataset with one additional class (first five malware classes and the benign class). We progressively increase the number of test classes to eleven. Within each training episode, five training images are used as support samples, with all remaining images designated as query samples. Our goal isn’t to predict exact class labels, but to assess the similarity between query images and prototypes using a distance metric. If the label of a prototype matches the query image and the distance falls below a threshold, it’s considered a true positive. This approach achieves an average accuracy of 92% with eleven classes, the highest across all scenarios and comparable to previous work using machine and deep learning algorithms on this dataset.
使用原型网络进行少量学习以改进记忆取证
保护计算机系统需要有效的方法来检测恶意软件。内存取证分析内存转储以识别恶意活动,但面临的挑战包括大型和复杂的数据集,不断发展的恶意软件威胁,以及用于训练算法的有限标记数据等。本研究介绍了一种利用内存取证和原型网络进行恶意软件检测的新方法。作为首次将原型网络应用于Dumpware10数据集(据作者所知),我们的研究结果突出了基于记忆取证的恶意软件检测的少量学习的潜力,为该领域的研究开辟了新的途径。原型网络是一种少量学习算法,擅长用最少的例子对新类别进行分类。利用公开可用的Dumpware10数据集,其中包括10个恶意软件类和一个良性类,我们使用去噪和a -哈希函数预处理内存转储,以减少噪声和冗余。原型网络在前四类恶意软件和良性类上进行训练。然后在一个数据集上测试一个额外的类(前五个恶意软件类和良性类)。我们逐步将测试班级的数量增加到11个。在每个训练集中,使用5个训练图像作为支持样本,其余所有图像作为查询样本。我们的目标不是预测准确的类标签,而是使用距离度量来评估查询图像和原型之间的相似性。如果原型的标签与查询图像匹配,并且距离低于阈值,则认为它是真正的。该方法在11个类别中实现了92%的平均准确率,在所有场景中是最高的,与之前在该数据集上使用机器和深度学习算法的工作相当。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
IEEE Access
IEEE Access COMPUTER SCIENCE, INFORMATION SYSTEMSENGIN-ENGINEERING, ELECTRICAL & ELECTRONIC
CiteScore
9.80
自引率
7.70%
发文量
6673
审稿时长
6 weeks
期刊介绍: IEEE Access® is a multidisciplinary, open access (OA), applications-oriented, all-electronic archival journal that continuously presents the results of original research or development across all of IEEE''s fields of interest. IEEE Access will publish articles that are of high interest to readers, original, technically correct, and clearly presented. Supported by author publication charges (APC), its hallmarks are a rapid peer review and publication process with open access to all readers. Unlike IEEE''s traditional Transactions or Journals, reviews are "binary", in that reviewers will either Accept or Reject an article in the form it is submitted in order to achieve rapid turnaround. Especially encouraged are submissions on: Multidisciplinary topics, or applications-oriented articles and negative results that do not fit within the scope of IEEE''s traditional journals. Practical articles discussing new experiments or measurement techniques, interesting solutions to engineering. Development of new or improved fabrication or manufacturing techniques. Reviews or survey articles of new or evolving fields oriented to assist others in understanding the new area.
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信