Audit Driven Evaluation of Carrier Style Memory Malware Detection Under Obfuscation and Adversarial Attacks
DOI:
https://doi.org/10.33050/dp3mdf65Keywords:
Memory Forensic, Cross-Collection, Malware Detection, Leakage-aware, ASRAbstract
This study evaluates Carrier-style memory malware detection under obfuscation using a reproducible, audit-driven protocol for verifiable reporting. We reproduce a stacking pipeline (Naive Bayes, Random Forest, Decision Tree with a Logistic Regression meta-learner) and benchmark it against strong single-model baselines. To limit leakage, we apply exact deduplication, train-only preprocessing, and group-disjoint splitting with explicit overlap checks, and we report dataset difficulty diagnostics to interpret near-ceiling results. Transfer is tested via cross-collection evaluation on the shared feature intersection between Obfuscated MalMem2022 and MemMalDet 2024, separating a low-shift validation setting from a higher-shift stress setting to keep generalization claims bounded. Robustness is assessed under a feasibility-preserving feature-space threat model with empirical bounds, non-negativity, and integer rounding, using a coordinate-search attack on the clean-correct subset across L0 budgets B=1,3,5, and 10 with confidence intervals. On obfuscated MalMem2022, Random Forest achieves 99.99% Accuracy, 99.99% F1, and 1.00 AUC, while the Carrier-style stack reaches 99.92% Accuracy, 99.92% F1, and 1.00 AUC, with no meaningful improvement over the best single model. Cross-collection validation yields F1 = 99.98 and AUC = 1.0, consistent with low-shift stability under aligned features rather than broad domain generalization. At B=10, ASR is 0.03 (95% CI: 0.0138–0.0639), and baseline defenses show clean-versus-robust trade-offs without consistent ASR reduction. We release four reusable artifacts an audit table, a leakage ablation matrix, a shift-aware cross-collection report, and robustness curves with confidence intervals.
Downloads
References
[1] C.-H. Van Ouytsel, K. H. T. Dam, and A. Legay, “Analysis of machine learning approaches to packing detection,” Comput. Secur., vol. 136, p. 103536, 2024.
[2] D. Gibert, N. Totosis, C. Patsakis, Q. Le, and G. Zizzo, “Assessing the impact of packing on static machine learning-based malware detection and classification systems,” Comput. Secur., vol. 156, p. 104495, 2025.
[3] H. Safitri, M. H. R. Chakim, and A. Adiwijaya, “Strategy based technology-based startups to drive digital business growth,” Startupreneur Business Digital (SABDA Journal), vol. 2, no. 2, pp. 207–220, 2023.
[4] M. M. Alani, A. Mashatan, and A. Miri, “Xmal: A lightweight memory-based explainable obfuscatedmalware detector,” Comput. Secur., vol. 133, p. 103409, 2023.
[5] Y. Dehfouli and A. H. Lashkari, “Memory analysis for malware detection: A comprehensive survey using the oscar methodology,” vol. 58, no. 4, 2025.
[6] P. Maniriho, A. N. Mahmood, and M. J. M. Chowdhury, “A systematic literature review on windows malware detection: Techniques, research issues, and future directions,” Journal of Systems and Software, vol. 209, 2024.
[7] P., A. N. Mahmood, and M. J. M. Chowdhury, “Memaldet: A memory analysis-based malware detection framework using deep autoencoders and stacked ensemble under temporal evaluations,” Comput. Secur., vol. 142, p. 103864, 2024.
[8] X. Ling et al., “Adversarial attacks against windows pe malware detection: A survey of the state-of-the-art,” Comput. Secur., vol. 128, p. 103134, 2023.
[9] J. Jones, E. Harris, Y. Febriansah, A. Adiwijaya, and I. N. Hikam, “Ai for sustainable development: Applications in natural resource management, agriculture, and waste management,” International Transactions on Artificial Intelligence, vol. 2, no. 2, pp. 143–149, 2024.
[10] S. Yan, J. Ren, W. Wang, L. Sun, W. Zhang, and Q. Yu, “A survey of adversarial attack and defense methods for malware classification in cyber security,” IEEE Communications Surveys & Tutorials, vol. 25, no. 1, pp. 467–496, 2023.
[11] L. Liu, X. Kuang, L. Liu, and L. Zhang, “Defend against adversarial attacks in malware detection through attack space management,” Comput. Secur., vol. 141, p. 103841, 2024.
[12] D. Li, S. Cui, Y. Li, J. Xu, F. Xiao, and S. Xu, “Pad: Towards principled adversarial malware detection against evasion attacks,” IEEE Trans. Dependable Secure Comput., vol. 21, no. 2, pp. 920–936, 2024.
[13] A. Kanivia, H. Hilda, A. Adiwijaya, M. F. Fazri, S. Maulana, and M. Hardini, “The impact of information technology support on the use of e-learning systems at university,” International Journal of Cyber and IT Service Management, vol. 4, no. 2, pp. 122–132, 2024.
[14] T. Carrier, P. Victor, A. Tekeoglu, and A. Habibi Lashkari, “Detecting obfuscated malware using memory feature engineering,” in International Conference on Information Systems Security and Privacy, 2022, pp.177–188.
[15] B. Molina-Coronado, U. Mori, A. Mendiburu, and J. Miguel-Alonso, “Towards a fair comparison and realistic evaluation framework of android malware detectors based on static analysis and machine learning,” Comput. Secur., vol. 124, p. 102996, 2023.
[16] Z. Kan et al., “Tesseract: Eliminating experimental bias in malware classification across space and time (extended version),” 2025.
[17] E. R. Rahayu, A. Aprillia, R. Z. Ikhsan, A. Adiwijaya, and A. Kumara, “Cybersecurity in the age of iot and developing frameworks for securing smart devices and networks,” Journal of Computer Science and Technology Application, vol. 2, no. 1, pp. 46–54, 2025.
[18] G. Liu, D. Caragea, X. Ou, and S. Roy, “The impact of train-test leakage on machine learning-based android malware detection,” 2025, online available: http://arxiv.org/abs/2410.19364.
[19] A. Guerra-Manzanares, M. Luckner, and H. Bahsi, “Concept drift and cross-device behavior: Challenges and implications for effective android malware detection,” Comput. Secur., vol. 120, p. 102757, 2022.
[20] D. Escudero Garc ́ıa, N. DeCastro-Garc ́ıa, and A. L. Munoz Casta ̃ neda, “An effectiveness analysis of ̃ transfer learning for the concept drift problem in malware detection,” Expert Syst. Appl., vol. 212, p. 118724, 2023.
[21] L. Larisang, S. Sanusi, M. A. Bora, and A. Hamid, “Practicality and effectiveness of new technopreneurship incubator model in the digitalization era,” Aptisi Transactions on Technopreneurship (ATT), vol. 7, no. 2, pp. 318–333, 2025.
[22] D. W. Fernando and N. Komninos, “Fesa: Feature selection architecture for ransomware detection under concept drift,” Comput. Secur., vol. 116, p. 102659, 2022.
[23] A. Augello, A. De Paola, and G. Lo Re, “M2fd: Mobile malware federated detection under concept drift,” Comput. Secur., vol. 152, p. 104361, 2025.
[24] University of New Brunswick, “Malware memory analysis (cic-malmem-2022),” 2022, available at: https: //www.unb.ca/cic/datasets/malmem-2022.html.
[25] L. Godoy, “Malware memory analysis / cic-malmem-2022,” 2022, available at: https://www.kaggle.com/datasets/luccagodoy/obfuscated-malware-memory-2022-cic.
[26] R. D. Pertiwi, P. A. Fitria, T. P. Utami, R. A. Pamungkas, R. Pradana, and K. Chamroonsawasdi, “Gold nanoparticle synthesis using quercetin: Innovation in biopreneur,” Aptisi Transactions on Technopreneurship (ATT), vol. 7, no. 1, pp. 294–305, 2025.
[27] L. D’hooge, M. Verkerken, T. Wauters, F. De Turck, and B. Volckaert, “Castles built on sand: Observations from classifying academic cybersecurity datasets with minimalist methods,” in Proceedings of the 8th International Conference on Internet of Things, Big Data and Security. SCITEPRESS - Science and Technology Publications, 2023, pp. 61–72.
[28] D. Arp et al., “Pitfalls in machine learning for computer security,” Commun. ACM, vol. 67, no. 11, pp. 104–112, 2024.
[29] J. Cortellazzi et al., “Intriguing properties of adversarial ml attacks in the problem space [extended version],” ACM Transactions on Privacy and Security, vol. 28, no. 4, pp. 1–37, 2025.
[30] H. A. Winata and F. Simon, “Influence of profitability, audit quality, and corporate governance on earnings management,” APTISI Transactions on Management, vol. 8, no. 2, pp. 93–104, 2024.
[31] S. Vladov, V. Vysotska, V. Varlakhov, M. Nazarkevych, S. Bolvinov, and V. Piadyshev, “Innovative method for detecting malware by analysing api request sequences based on a hybrid recurrent neural network for applied forensic auditing,” Applied System Innovation, vol. 8, no. 5, p. 156, 2025.
[32] A. Tiwari, N. S. Chaudhari et al., “Obfuscated memory malware detection,” arXiv preprint arXiv:2408.12866, 2024.
[33] M. Adela and M. Tuti, “Increasing customer repurchase intention: The significance of product quality, viral marketing, and customer experience,” APTISI Transactions on Management, vol. 8, no. 2, pp. 105–114, 2024.
[34] K. Aryal, M. Gupta, M. Abdelsalam, P. Kunwar, and B. Thuraisingham, “A survey on adversarial attacks for malware analysis,” IEEE Access, vol. 13, pp. 428–459, 2024.
[35] Z. Gu, J. Guo, J. Xu, Y. Sun, and W. Liang, “Domain knowledge-driven method for threat source detection and localization in the power internet of things,” Electronics, vol. 14, no. 13, p. 2725, 2025.
[36] OECD, Developing a data-driven corruption risk model to strengthen integrity in Belgium: Practical considerations for the Federal Internal Audit. Paris: OECD Publishing, 2025. [Online]. Available: https://doi.org/10.1787/e85587eb-en
[37] A. Hernandez-Suarez, G. Sanchez-Perez, L. K. Toscano-Medina, J. Olivares-Mercado, J. Portillo-Portilo, J.-G. Avalos, and L. J. Garcia Villalba, “Detecting cryptojacking web threats: An approach with autoencoders and deep dense neural networks,” Applied Sciences, vol. 12, no. 7, p. 3234, 2022.
Downloads
Published
Issue
Section
License
Copyright (c) 2026 Syamsu Hidayat, Kusrini Kusrini, Ema Utami, Arief Setyanto, Kristina Vaher
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
.png)
