Authors: Yasin Dehfouli, Arash Habibi Lashkari
Journal: Journal of Information Security and Applications, volume 94, Article 104200
DOI: 10.1016/j.jisa.2025.104200
Publication date: 2025-08-30
Publication type: Journal Article
Article URL: https://www.sciencedirect.com/science/article/pii/S2214212625002376
Journal impact factor: 3.7; JCR quartile: Q2 (Computer Science, Information Systems); region: 2 (Computer Science)
Open access: no
Citation count: 0
Source platform: Semanticscholar
VADViT: Vision transformer-driven memory forensics for malicious process detection and explainable threat attribution
Modern malware’s increasing complexity limits traditional signature- and heuristic-based detection, necessitating advanced memory forensic techniques. Machine learning methods have been explored, but many rely on outdated feature sets and require significant domain knowledge for feature extraction. Also, handling large-scale memory data — especially in image-based approaches — poses challenges in efficiency and forensic explainability. We propose VADViT, a vision transformer-based model for detecting malicious processes by analyzing Virtual Address Descriptor (VAD) memory regions to address these limitations. VADViT transforms these regions into fused Markov, entropy, and intensity images, enabling effective classification using a Vision Transformer (ViT) with self-attention mechanisms. We also introduce BCCC-MalMem-SnapLog-2025, a new dataset that captures memory dumps at regular intervals and logs PIDs, enabling precise VAD extraction without relying on dynamic analysis. VADViT achieves 99% accuracy in binary classification and a 92% macro-averaged F1 score in multi-class detection. Attention-based sorting of VAD regions further improves forensic efficiency by narrowing the analysis scope to the most relevant memory areas.
Journal description:
Journal of Information Security and Applications (JISA) focuses on original research and practice-driven applications relevant to information security and its applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view of modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.