Few-Shot Learning With Prototypical Networks for Improved Memory Forensics


Bibliographic Details
Main Authors: Muhammad Fahad Malik, Ammara Gul, Ayesha Saadia, Faeiz M. Alserhani
Format: Article
Language: English
Published: IEEE, 2025-01-01
Series: IEEE Access
Subjects: Malware detection; memory forensics; few-shot learning; prototypical networks
Online Access: https://ieeexplore.ieee.org/document/10980249/
collection DOAJ
description Securing computer systems requires effective methods for malware detection. Memory forensics analyzes memory dumps to identify malicious activity, but faces challenges including large and complex datasets, constantly evolving malware threats, and limited labeled data for training algorithms, among others. This research introduces a novel approach for malware detection using memory forensics and prototypical networks. As the first application of prototypical networks to the Dumpware10 dataset (to the best of the authors' knowledge), our findings highlight the potential of few-shot learning for memory forensics-based malware detection, opening new avenues for research in this domain. Prototypical networks are a type of few-shot learning algorithm that excels at classifying new categories with minimal examples. Utilizing the publicly available Dumpware10 dataset, which includes 10 malware classes and one benign class, we preprocess memory dumps using denoising and A-Hash functions to reduce noise and redundancy. The prototypical network is trained on the first four malware classes and the benign class. It is then tested on a dataset with one additional class (first five malware classes and the benign class). We progressively increase the number of test classes to eleven. Within each training episode, five training images are used as support samples, with all remaining images designated as query samples. Our goal is not to predict exact class labels, but to assess the similarity between query images and prototypes using a distance metric. If the label of a prototype matches the query image and the distance falls below a threshold, it is considered a true positive. This approach achieves an average accuracy of 92% with eleven classes, the highest across all scenarios and comparable to previous work using machine and deep learning algorithms on this dataset.
id doaj-art-e323ba3ab3604ae7a340b6809238e9a1
institution OA Journals
issn 2169-3536
citation IEEE Access, vol. 13, pp. 79397-79409, 2025. DOI: 10.1109/ACCESS.2025.3565802. IEEE Xplore article number 10980249.
affiliations
Muhammad Fahad Malik (https://orcid.org/0009-0009-9720-1784): Department of Cyber Security, Air University, Islamabad, Pakistan
Ammara Gul (https://orcid.org/0000-0002-5854-1075): Faculty of Computing, Engineering, and Built Environment (CEBE), Birmingham City University, Birmingham, U.K.
Ayesha Saadia: Department of Computer Science, Air University, Islamabad, Pakistan
Faeiz M. Alserhani (https://orcid.org/0000-0002-0161-7147): Department of Computer Engineering and Networks, College of Computer and Information Sciences, Jouf University, Sakaka, Al Jowf, Saudi Arabia
topic Malware detection
memory forensics
few-shot learning
prototypical networks
url https://ieeexplore.ieee.org/document/10980249/