Machine Learning Approaches to Malware Detection in RAM
Abstract
Relevance. In the current context of constantly growing cyber threats, the problem of detecting malicious software that operates covertly in RAM using fileless attack techniques has become particularly relevant. Traditional antivirus solutions based primarily on signature-based approaches prove ineffective against modern advanced persistent threats (APT) and newly modified variants of known threats. This makes it essential to develop innovative approaches to malware detection based on behavioral pattern analysis in RAM using machine learning methods.
Goal. Development and testing of an automated malware detection system through RAM dump analysis using machine learning methods, as well as comparative evaluation of the effectiveness of various classification algorithms for multi-class threat type detection.
Research methods. Comparative analysis of machine learning algorithms, static analysis of memory dumps, multi-class classification, and experimental validation on the Obfuscated-MalMem2022 dataset, which contains over 58,000 records with 58 Windows process features. Models were evaluated using accuracy, precision, recall, and F1-score metrics with weighted averaging.
Results. A fully functional technological pipeline was created for automated processing and classification of RAM dumps, including modules for data preprocessing, feature engineering, machine learning, and results evaluation. A comparative analysis of 13 machine learning algorithms was conducted, including classical methods (Random Forest, Gradient Boosting, Decision Tree, k-NN, SVM) and neural network architectures (Wide & Deep Network, CNN). It was established that the Random Forest algorithm demonstrates the best results for the multi-class malware classification task with an accuracy of 85.49% and F1-score of 85.52% at a training time of 1.3 seconds. The developed system is implemented in Python using scikit-learn libraries (for classical ML models), TensorFlow/Keras (for neural networks), and pandas (for data processing).
Conclusions. The study confirmed the high effectiveness of classical machine learning methods, particularly ensemble algorithms, for malware detection in RAM dumps. The developed Random Forest-based model provides an optimal balance between classification accuracy (85.52% F1-score), training speed (1.3 s), and computational efficiency, demonstrating significant advantages over neural networks in this context. The developed system has high practical significance and can be integrated into forensic platforms, cybersecurity incident monitoring systems, and expert systems for automated threat detection and accelerated incident analysis. The research results confirm the feasibility of using machine learning methods to create defense systems against modern cyber threats that operate exclusively in RAM.
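The abstract reports accuracy and a weighted-averaged F1-score that differ slightly (85.49% vs 85.52%). The following added example, which is not code from the paper's pipeline, shows how support-weighted precision, recall and F1 are computed for a multi-class memory-dump classifier and why weighted F1 can sit above accuracy; the class names and the label vectors are constructed for illustration.

```python
from collections import Counter

# Constructed sample: true and predicted labels for a 4-class classifier.
# The class names are assumed for illustration only.
CLASSES = ["Benign", "Ransomware", "Spyware", "Trojan"]
Y_TRUE = ["Benign"] * 10 + ["Ransomware"] * 4 + ["Spyware"] * 3 + ["Trojan"] * 3
Y_PRED = (["Benign"] * 9 + ["Trojan"]            # one benign sample flagged as Trojan
          + ["Ransomware"] * 3 + ["Spyware"]      # one ransomware sample confused
          + ["Spyware"] * 2 + ["Ransomware"]      # one spyware sample confused
          + ["Trojan"] * 3)                       # all trojans caught

def confusion(y_true, y_pred, classes):
    """Return a nested dict {true_class: {predicted_class: count}}."""
    m = {c: {d: 0 for d in classes} for c in classes}
    for t, p in zip(y_true, y_pred):
        m[t][p] += 1
    return m

def per_class_scores(y_true, y_pred, classes):
    """One-vs-rest precision, recall and F1 per class; 0.0 where undefined."""
    m = confusion(y_true, y_pred, classes)
    scores = {}
    for c in classes:
        tp = m[c][c]
        fp = sum(m[o][c] for o in classes if o != c)   # predicted c, but not c
        fn = sum(m[c][o] for o in classes if o != c)   # truly c, predicted other
        prec = tp / (tp + fp) if tp + fp else 0.0
        rec = tp / (tp + fn) if tp + fn else 0.0
        f1 = 2 * prec * rec / (prec + rec) if prec + rec else 0.0
        scores[c] = (prec, rec, f1)
    return scores

def weighted_average(y_true, y_pred, classes):
    """Weighted averaging: each class's score is weighted by its support."""
    support = Counter(y_true)
    n = len(y_true)
    scores = per_class_scores(y_true, y_pred, classes)
    def w(i):
        return sum(scores[c][i] * support[c] / n for c in classes)
    return {"precision": w(0), "recall": w(1), "f1": w(2)}

def accuracy(y_true, y_pred):
    """Fraction of samples whose predicted class matches the true class."""
    return sum(t == p for t, p in zip(y_true, y_pred)) / len(y_true)

if __name__ == "__main__":
    print("accuracy:", accuracy(Y_TRUE, Y_PRED))
    print("weighted:", weighted_average(Y_TRUE, Y_PRED, CLASSES))
```

Support-weighted recall always equals accuracy, so any gap between weighted F1 and accuracy comes from the per-class precision values.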