
MemInspect: Memory Forensics for investigating Fileless Attacks.

International Conference on Trust, Security and Privacy in Computing and Communications (2023)

Abstract
Traditional security solutions focus on identifying threats that leave traces on the system's hard drive. However, fileless attacks have become increasingly popular among cybercriminals due to their ability to evade detection and persist undetected for prolonged periods. In response, memory forensics enables the extraction of system memory activity, presenting an opportunity to detect fileless attacks executed directly in memory. This paper presents MemInspect, a specialized memory forensics approach designed to extract features and accurately identify and locate suspicious memory regions, effectively aiding analysts in investigating fileless malware attacks. Specifically, by using virtual address descriptor (VAD) nodes as samples, MemInspect constructs a comprehensive set of 42 features to detect code injection, script-based attacks, and living-off-the-land attacks. These features are then used for classification with ensemble learning algorithms. In this study, we designed comprehensive attack experiments that accurately simulate three prevalent types of fileless attacks. Through rigorous analysis and extensive training on the experimental data, MemInspect demonstrates strong performance, achieving an Area Under the Curve (AUC) value of 98%. Additionally, the paper provides two detailed analysis cases of attack investigations, furnishing concrete evidence of MemInspect's efficacy in detecting fileless attacks.
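The pipeline the abstract describes (VAD nodes as samples, a feature vector per region, an ensemble classifier, suspicious regions located for the analyst) can be sketched in miniature. The following is an added example, not the paper's code or data: the VAD-style records are constructed, the four features are a hypothetical subset standing in for the paper's 42, and the ensemble is a bagged set of decision stumps so that it runs without any ML library.

```python
import random
def region(start, pages, prot, private, file, label):
    return dict(start=start, end=start + pages * 0x1000 - 1, prot=prot, private=private, file=file, label=label)
# Constructed VAD-style records (not the paper's data); label 1 = injected code, 0 = benign.
VAD_SAMPLES = [
    region(0x7FF6A0000000, 512, "PAGE_EXECUTE_WRITECOPY", False, "explorer.exe", 0),  # image
    region(0x7FFC10000000, 48, "PAGE_EXECUTE_WRITECOPY", False, "ntdll.dll", 0),      # image
    region(0x1C2A0000000, 64, "PAGE_READWRITE", True, None, 0),                       # heap
    region(0xB5F0000000, 16, "PAGE_READWRITE", True, None, 0),                        # stack
    region(0x1C2B0000000, 32, "PAGE_READONLY", False, "locale.nls", 0),               # mapped data file
    region(0x1C2C0000000, 16, "PAGE_EXECUTE_READWRITE", True, None, 1),               # injected code
    region(0x1C2C1000000, 1, "PAGE_EXECUTE_READWRITE", True, None, 1),                # injected code
    region(0x1C2C2000000, 64, "PAGE_EXECUTE_READ", True, None, 1),                    # injected, RX
]

def features(rec):
    """Hypothetical feature subset; the paper's 42 VAD features are not listed on this page."""
    exe = "EXECUTE" in rec["prot"]
    return [
        1.0 if exe and rec["private"] else 0.0,                                        # executable private memory
        1.0 if exe and "WRITE" in rec["prot"] and "COPY" not in rec["prot"] else 0.0,  # RWX
        1.0 if rec["file"] is None else 0.0,                                           # not file-backed
        float((rec["end"] - rec["start"] + 1) // 0x1000),                              # size in pages
    ]

def train_stump(X, y):
    """Weak learner: the single feature/threshold/direction with the fewest training errors."""
    best = (len(y) + 1, 0, 0.0, 1)
    for f in range(len(X[0])):
        for thr in sorted({x[f] for x in X}):
            for sign in (1, -1):
                err = sum((1 if sign * (x[f] - thr) >= 0 else 0) != t for x, t in zip(X, y))
                if err < best[0]:
                    best = (err, f, thr, sign)
    return best[1:]

def train_ensemble(records, n_models=25, seed=7):
    """Bagging: fit each stump on a bootstrap resample of the labelled regions."""
    rng = random.Random(seed)
    X, y = [features(r) for r in records], [r["label"] for r in records]
    models = []
    for _ in range(n_models):
        idx = [rng.randrange(len(X)) for _ in X]
        models.append(train_stump([X[i] for i in idx], [y[i] for i in idx]))
    return models

def suspicious_score(models, rec):
    """Fraction of ensemble votes for 'injected'; regions scoring >= 0.5 are handed to the analyst."""
    x = features(rec)
    return sum(1 for f, thr, sign in models if sign * (x[f] - thr) >= 0) / len(models)
```

On a real image the records would come from a memory-forensics tool's VAD walk rather than the constructed list, and the score would be reported alongside each region's address range.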
Keywords
fileless attacks, attack investigation, memory forensics, machine learning