Memory Analysis for Malware Detection: A Comprehensive Survey Using the OSCAR Methodology

IF 28 1区计算机科学 Q1 COMPUTER SCIENCE, THEORY & METHODS

ACM Computing Surveys Pub Date : 2025-08-28 DOI:10.1145/3764580

Yasin Dehfouli, Arash Habibi Lashkari

{"title":"Memory Analysis for Malware Detection: A Comprehensive Survey Using the OSCAR Methodology","authors":"Yasin Dehfouli, Arash Habibi Lashkari","doi":"10.1145/3764580","DOIUrl":null,"url":null,"abstract":"The steady growth of malware over the years has now sharply escalated, with a 30% surge in global cyberattacks in 2024. This rise demands advanced detection, as traditional methods often miss sophisticated or fileless malware. Memory analysis detects traces left by any malware in volatile memory, revealing runtime behaviors, privilege escalation attempts, and active processes. An examination of prior research shows that existing surveys on memory analysis have significant gaps, as none provide a comprehensive overview of the field. To address these gaps, this survey systematically proposes key research questions and addresses them using the OSCAR (Obtain, Strategize, Collect, Analyze, Report) methodology. Memory acquisition techniques and tools have been discussed with the most diverse taxonomy provided to the best of our knowledge. Furthermore, forensic methods, tools, and studies are categorized into four distinct approaches, with a comprehensive taxonomy at the end. We also evaluated and ranked memory dump datasets using our proposed scoring system. Finally, the survey covers malware detection methods, examining both machine learning and traditional approaches and their accuracy, benefits, drawbacks, and challenges. This survey aims to provide a comprehensive and up-to-date overview of the field of memory analysis, with a focus on detecting malicious activities.","PeriodicalId":50926,"journal":{"name":"ACM Computing Surveys","volume":"29 1","pages":""},"PeriodicalIF":28.0000,"publicationDate":"2025-08-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Computing Surveys","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1145/3764580","RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, THEORY & METHODS","Score":null,"Total":0}

引用次数: 0

Abstract

The steady growth of malware over the years has now sharply escalated, with a 30% surge in global cyberattacks in 2024. This rise demands advanced detection, as traditional methods often miss sophisticated or fileless malware. Memory analysis detects traces left by any malware in volatile memory, revealing runtime behaviors, privilege escalation attempts, and active processes. An examination of prior research shows that existing surveys on memory analysis have significant gaps, as none provide a comprehensive overview of the field. To address these gaps, this survey systematically proposes key research questions and addresses them using the OSCAR (Obtain, Strategize, Collect, Analyze, Report) methodology. Memory acquisition techniques and tools have been discussed with the most diverse taxonomy provided to the best of our knowledge. Furthermore, forensic methods, tools, and studies are categorized into four distinct approaches, with a comprehensive taxonomy at the end. We also evaluated and ranked memory dump datasets using our proposed scoring system. Finally, the survey covers malware detection methods, examining both machine learning and traditional approaches and their accuracy, benefits, drawbacks, and challenges. This survey aims to provide a comprehensive and up-to-date overview of the field of memory analysis, with a focus on detecting malicious activities.

查看原文本刊更多论文

恶意软件检测的内存分析：使用OSCAR方法的综合调查

多年来，恶意软件的稳步增长现在已经急剧升级，2024年全球网络攻击激增30%。这种增长需要先进的检测，因为传统的方法经常会遗漏复杂的或无文件的恶意软件。内存分析检测易失性内存中任何恶意软件留下的痕迹，揭示运行时行为、特权升级尝试和活动进程。对先前研究的检查表明，现有的关于记忆分析的调查存在显着的差距，因为没有一个提供对该领域的全面概述。为了解决这些差距，本调查系统地提出了关键的研究问题，并使用OSCAR（获取，战略，收集，分析，报告）方法来解决这些问题。记忆获取技术和工具已经讨论与最多样化的分类提供了最好的我们的知识。此外，法医方法、工具和研究被分为四种不同的方法，最后有一个全面的分类。我们还使用我们提出的评分系统对内存转储数据集进行了评估和排名。最后，调查涵盖了恶意软件检测方法，检查机器学习和传统方法及其准确性，优点，缺点和挑战。本调查旨在提供内存分析领域的全面和最新概述，重点是检测恶意活动。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

ACM Computing Surveys 工程技术-计算机：理论方法

CiteScore

33.20

自引率

0.60%

发文量

372

审稿时长

12 months

期刊介绍： ACM Computing Surveys is an academic journal that focuses on publishing surveys and tutorials on various areas of computing research and practice. The journal aims to provide comprehensive and easily understandable articles that guide readers through the literature and help them understand topics outside their specialties. In terms of impact, CSUR has a high reputation with a 2022 Impact Factor of 16.6. It is ranked 3rd out of 111 journals in the field of Computer Science Theory & Methods. ACM Computing Surveys is indexed and abstracted in various services, including AI2 Semantic Scholar, Baidu, Clarivate/ISI: JCR, CNKI, DeepDyve, DTU, EBSCO: EDS/HOST, and IET Inspec, among others.