An Explainable Memory Forensics Approach for Malware Analysis

• URL: http://arxiv.org/abs/2602.19831v1
• Date: Mon, 23 Feb 2026 13:30:04 GMT
• Title: An Explainable Memory Forensics Approach for Malware Analysis
• Authors: Silvia Lucia Sanna, Davide Maiorca, Giorgio Giacinto,
• Abstract summary: Memory forensics is an effective methodology for analyzing living-off-the-land malware.<n>In this paper, we propose an explainable, AI-assisted memory forensics approach.<n>We apply the proposed methodology to both Windows and Android malware.
• Score: 1.2744523252873352
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: Memory forensics is an effective methodology for analyzing living-off-the-land malware, including threats that employ evasion, obfuscation, anti-analysis, and steganographic techniques. By capturing volatile system state, memory analysis enables the recovery of transient artifacts such as decrypted payloads, executed commands, credentials, and cryptographic keys that are often inaccessible through static or traditional dynamic analysis. While several automated models have been proposed for malware detection from memory, their outputs typically lack interpretability, and memory analysis still relies heavily on expert-driven inspection of complex tool outputs, such as those produced by Volatility. In this paper, we propose an explainable, AI-assisted memory forensics approach that leverages general-purpose large language models (LLMs) to interpret memory analysis outputs in a human-readable form and to automatically extract meaningful Indicators of Compromise (IoCs), in some circumstances detecting more IoCs than current state-of-the-art tools. We apply the proposed methodology to both Windows and Android malware, comparing full RAM acquisition with target-process memory dumping and highlighting their complementary forensic value. Furthermore, we demonstrate how LLMs can support both expert and non-expert analysts by explaining analysis results, correlating artifacts, and justifying malware classifications. Finally, we show that a human-in-the-loop workflow, assisted by LLMs during kernel-assisted setup and analysis, improves reproducibility and reduces operational complexity, thereby reinforcing the practical applicability of AI-driven memory forensics for modern malware investigations.

Related papers

• InspectCoder: Dynamic Analysis-Enabled Self Repair through interactive LLM-Debugger Collaboration [71.18377595277018]
  Large Language Models (LLMs) frequently generate buggy code with complex logic errors that are challenging to diagnose.<n>We present InspectCoder, the first agentic program repair system that empowers LLMs to actively conduct dynamic analysis via interactive debugger control.
  arXiv  Detail & Related papers  (2025-10-21T06:26:29Z)
• ForenX: Towards Explainable AI-Generated Image Detection with Multimodal Large Language Models [82.04858317800097]
  We present ForenX, a novel method that not only identifies the authenticity of images but also provides explanations that resonate with human thoughts.<n>ForenX employs the powerful multimodal large language models (MLLMs) to analyze and interpret forensic cues.<n>We introduce ForgReason, a dataset dedicated to descriptions of forgery evidences in AI-generated images.
  arXiv  Detail & Related papers  (2025-08-02T15:21:26Z)
• Enhancing Android Malware Detection with Retrieval-Augmented Generation [1.413488665073795]
  In this work, we focus on a Machine Learning-based method utilizing static features.<n>To mitigate hallucinations, which are a known vulnerability of LLM, we integrated Retrieval-Augmented Generation.<n>Using carefully designed prompts, we guide the LLM to produce coherent function summaries, which are then analyzed using a transformer-based model.
  arXiv  Detail & Related papers  (2025-06-28T04:36:31Z)
• Semantic Preprocessing for LLM-based Malware Analysis [0.0]
  We propose a new preprocessing method which creates reports for Portable Executable files.<n>The purpose of this preprocessing is to gather a semantic representation of binary files, understandable by malware analysts.<n>Using this preprocessing to train a Large Language Model for Malware classification, we achieve a weighted-average F1-score of 0.94 on a complex dataset.
  arXiv  Detail & Related papers  (2025-06-13T13:39:00Z)
• Illusion or Algorithm? Investigating Memorization, Emergence, and Symbolic Processing in In-Context Learning [50.53703102032562]
  Large-scale Transformer language models (LMs) trained solely on next-token prediction with web-scale data can solve a wide range of tasks.<n>The mechanism behind this capability, known as in-context learning (ICL), remains both controversial and poorly understood.
  arXiv  Detail & Related papers  (2025-05-16T08:50:42Z)
• Detecting LLM Hallucination Through Layer-wise Information Deficiency: Analysis of Ambiguous Prompts and Unanswerable Questions [60.31496362993982]
  Large language models (LLMs) frequently generate confident yet inaccurate responses.<n>We present a novel, test-time approach to detecting model hallucination through systematic analysis of information flow.
  arXiv  Detail & Related papers  (2024-12-13T16:14:49Z)
• SLIFER: Investigating Performance and Robustness of Malware Detection Pipelines [12.940071285118451]
  academia focuses on combining static and dynamic analysis within a single or ensemble of models.<n>In this paper, we investigate the properties of malware detectors built with multiple and different types of analysis.<n>As far as we know, we are the first to investigate the properties of sequential malware detectors, shedding light on their behavior in real production environment.
  arXiv  Detail & Related papers  (2024-05-23T12:06:10Z)
• Semantic Data Representation for Explainable Windows Malware Detection Models [0.0]
  We propose PE Malware Ontology that offers a reusable semantic schema for Portable Executable (PE - the Windows binary format) malware files.<n>This ontology is inspired by the structure of the EMBER dataset, which focuses on the static malware analysis of PE files.<n>We also publish semantically treated EMBER data, including fractional datasets, to support experiments on EMBER.
  arXiv  Detail & Related papers  (2024-03-18T11:17:27Z)
• LLM Inference Unveiled: Survey and Roofline Model Insights [62.92811060490876]
  Large Language Model (LLM) inference is rapidly evolving, presenting a unique blend of opportunities and challenges. Our survey stands out from traditional literature reviews by not only summarizing the current state of research but also by introducing a framework based on roofline model. This framework identifies the bottlenecks when deploying LLMs on hardware devices and provides a clear understanding of practical problems.
  arXiv  Detail & Related papers  (2024-02-26T07:33:05Z)
• Analyzing Adversarial Inputs in Deep Reinforcement Learning [53.3760591018817]
  We present a comprehensive analysis of the characterization of adversarial inputs, through the lens of formal verification. We introduce a novel metric, the Adversarial Rate, to classify models based on their susceptibility to such perturbations. Our analysis empirically demonstrates how adversarial inputs can affect the safety of a given DRL system with respect to such perturbations.
  arXiv  Detail & Related papers  (2024-02-07T21:58:40Z)
• Towards an Automated Pipeline for Detecting and Classifying Malware through Machine Learning [0.0]
  We propose a malware taxonomic classification pipeline able to classify Windows Portable Executable files (PEs) Given an input PE sample, it is first classified as either malicious or benign. If malicious, the pipeline further analyzes it in order to establish its threat type, family, and behavior(s)
  arXiv  Detail & Related papers  (2021-06-10T10:07:50Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.