{"id":"https://openalex.org/W7131376554","doi":"https://doi.org/10.1109/ojcoms.2026.3667851","title":"Extending Memory-Based Obfuscated Malware Detection With Network Behavior","display_name":"Extending Memory-Based Obfuscated Malware Detection With Network Behavior","publication_year":2026,"publication_date":"2026-01-01","ids":{"openalex":"https://openalex.org/W7131376554","doi":"https://doi.org/10.1109/ojcoms.2026.3667851"},"language":"en","primary_location":{"id":"doi:10.1109/ojcoms.2026.3667851","is_oa":true,"landing_page_url":"https://doi.org/10.1109/ojcoms.2026.3667851","pdf_url":null,"source":{"id":"https://openalex.org/S4210202420","display_name":"IEEE Open Journal of the Communications Society","issn_l":"2644-125X","issn":["2644-125X"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310316002","host_organization_name":"IEEE Communications Society","host_organization_lineage":["https://openalex.org/P4310316002","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Communications Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Open Journal of the Communications Society","raw_type":"journal-article"},"type":"article","indexed_in":["crossref","doaj"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://doi.org/10.1109/ojcoms.2026.3667851","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5126838700","display_name":"Jhon F. Mercado","orcid":null},"institutions":[{"id":"https://openalex.org/I35961687","display_name":"Universidad de Antioquia","ror":"https://ror.org/03bp5hc83","country_code":"CO","type":"education","lineage":["https://openalex.org/I35961687"]}],"countries":["CO"],"is_corresponding":true,"raw_author_name":"Jhon F. Mercado","raw_affiliation_strings":["Electronics Engineering Department, GITA-Lab, Universidad de Antioquia, Medellin, Antioquia, Colombia"],"affiliations":[{"raw_affiliation_string":"Electronics Engineering Department, GITA-Lab, Universidad de Antioquia, Medellin, Antioquia, Colombia","institution_ids":["https://openalex.org/I35961687"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5065551389","display_name":"Josue Genaro Almaraz-Rivera","orcid":"https://orcid.org/0000-0001-8343-4530"},"institutions":[{"id":"https://openalex.org/I98461037","display_name":"Tecnol\u00f3gico de Monterrey","ror":"https://ror.org/03ayjn504","country_code":"MX","type":"education","lineage":["https://openalex.org/I98461037"]}],"countries":["MX"],"is_corresponding":false,"raw_author_name":"Josue Genaro Almaraz-Rivera","raw_affiliation_strings":["School of Engineering and Sciences, Tecnologico de Monterrey, Monterrey, Nuevo Leon, Mexico"],"affiliations":[{"raw_affiliation_string":"School of Engineering and Sciences, Tecnologico de Monterrey, Monterrey, Nuevo Leon, Mexico","institution_ids":["https://openalex.org/I98461037"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5126812614","display_name":"Sergio Armando Gutierrez","orcid":null},"institutions":[{"id":"https://openalex.org/I35961687","display_name":"Universidad de Antioquia","ror":"https://ror.org/03bp5hc83","country_code":"CO","type":"education","lineage":["https://openalex.org/I35961687"]}],"countries":["CO"],"is_corresponding":false,"raw_author_name":"Sergio Armando Gutierrez","raw_affiliation_strings":["Electronics Engineering Department, GITA-Lab, Universidad de Antioquia, Medellin, Antioquia, Colombia"],"affiliations":[{"raw_affiliation_string":"Electronics Engineering Department, GITA-Lab, Universidad de Antioquia, Medellin, Antioquia, Colombia","institution_ids":["https://openalex.org/I35961687"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Jesus Arturo Perez-Diaz","orcid":"https://orcid.org/0000-0002-7678-5487"},"institutions":[{"id":"https://openalex.org/I98461037","display_name":"Tecnol\u00f3gico de Monterrey","ror":"https://ror.org/03ayjn504","country_code":"MX","type":"education","lineage":["https://openalex.org/I98461037"]}],"countries":["MX"],"is_corresponding":false,"raw_author_name":"Jesus Arturo Perez-Diaz","raw_affiliation_strings":["School of Engineering and Sciences, Tecnologico de Monterrey, Monterrey, Nuevo Leon, Mexico"],"affiliations":[{"raw_affiliation_string":"School of Engineering and Sciences, Tecnologico de Monterrey, Monterrey, Nuevo Leon, Mexico","institution_ids":["https://openalex.org/I98461037"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5121676015","display_name":"Luis Fletscher","orcid":null},"institutions":[{"id":"https://openalex.org/I35961687","display_name":"Universidad de Antioquia","ror":"https://ror.org/03bp5hc83","country_code":"CO","type":"education","lineage":["https://openalex.org/I35961687"]}],"countries":["CO"],"is_corresponding":false,"raw_author_name":"Luis A. Fletscher","raw_affiliation_strings":["Electronics Engineering Department, GITA-Lab, Universidad de Antioquia, Medellin, Antioquia, Colombia"],"affiliations":[{"raw_affiliation_string":"Electronics Engineering Department, GITA-Lab, Universidad de Antioquia, Medellin, Antioquia, Colombia","institution_ids":["https://openalex.org/I35961687"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5121487965","display_name":"Jose Antonio Cantoral-Ceballos","orcid":null},"institutions":[{"id":"https://openalex.org/I98461037","display_name":"Tecnol\u00f3gico de Monterrey","ror":"https://ror.org/03ayjn504","country_code":"MX","type":"education","lineage":["https://openalex.org/I98461037"]}],"countries":["MX"],"is_corresponding":false,"raw_author_name":"Jose Antonio Cantoral-Ceballos","raw_affiliation_strings":["School of Engineering and Sciences, Tecnologico de Monterrey, Monterrey, Nuevo Leon, Mexico"],"affiliations":[{"raw_affiliation_string":"School of Engineering and Sciences, Tecnologico de Monterrey, Monterrey, Nuevo Leon, Mexico","institution_ids":["https://openalex.org/I98461037"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5126837448","display_name":"Juan Felipe Botero","orcid":null},"institutions":[{"id":"https://openalex.org/I35961687","display_name":"Universidad de Antioquia","ror":"https://ror.org/03bp5hc83","country_code":"CO","type":"education","lineage":["https://openalex.org/I35961687"]}],"countries":["CO"],"is_corresponding":false,"raw_author_name":"Juan Felipe Botero","raw_affiliation_strings":["Electronics Engineering Department, GITA-Lab, Universidad de Antioquia, Medellin, Antioquia, Colombia"],"affiliations":[{"raw_affiliation_string":"Electronics Engineering Department, GITA-Lab, Universidad de Antioquia, Medellin, Antioquia, Colombia","institution_ids":["https://openalex.org/I35961687"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":7,"corresponding_author_ids":["https://openalex.org/A5126838700"],"corresponding_institution_ids":["https://openalex.org/I35961687"],"apc_list":{"value":1750,"currency":"USD","value_usd":1750},"apc_paid":{"value":1750,"currency":"USD","value_usd":1750},"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.55498557,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"7","issue":null,"first_page":"2385","last_page":"2399"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9470999836921692,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9470999836921692,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.01360000018030405,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.007600000128149986,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.8051000237464905},{"id":"https://openalex.org/keywords/discriminative-model","display_name":"Discriminative model","score":0.7605000138282776},{"id":"https://openalex.org/keywords/feature","display_name":"Feature (linguistics)","score":0.5397999882698059},{"id":"https://openalex.org/keywords/process","display_name":"Process (computing)","score":0.5358999967575073},{"id":"https://openalex.org/keywords/random-forest","display_name":"Random forest","score":0.47620001435279846},{"id":"https://openalex.org/keywords/set","display_name":"Set (abstract data type)","score":0.46889999508857727},{"id":"https://openalex.org/keywords/encryption","display_name":"Encryption","score":0.4603999853134155},{"id":"https://openalex.org/keywords/feature-extraction","display_name":"Feature extraction","score":0.42590001225471497}],"concepts":[{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.8051000237464905},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7709000110626221},{"id":"https://openalex.org/C97931131","wikidata":"https://www.wikidata.org/wiki/Q5282087","display_name":"Discriminative model","level":2,"score":0.7605000138282776},{"id":"https://openalex.org/C2776401178","wikidata":"https://www.wikidata.org/wiki/Q12050496","display_name":"Feature (linguistics)","level":2,"score":0.5397999882698059},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.5358999967575073},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.5185999870300293},{"id":"https://openalex.org/C169258074","wikidata":"https://www.wikidata.org/wiki/Q245748","display_name":"Random forest","level":2,"score":0.47620001435279846},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.46889999508857727},{"id":"https://openalex.org/C148730421","wikidata":"https://www.wikidata.org/wiki/Q141090","display_name":"Encryption","level":2,"score":0.4603999853134155},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.43950000405311584},{"id":"https://openalex.org/C52622490","wikidata":"https://www.wikidata.org/wiki/Q1026626","display_name":"Feature extraction","level":2,"score":0.42590001225471497},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.41819998621940613},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.3986999988555908},{"id":"https://openalex.org/C12267149","wikidata":"https://www.wikidata.org/wiki/Q282453","display_name":"Support vector machine","level":2,"score":0.35510000586509705},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.34860000014305115},{"id":"https://openalex.org/C40305131","wikidata":"https://www.wikidata.org/wiki/Q2616305","display_name":"Obfuscation","level":2,"score":0.3416999876499176},{"id":"https://openalex.org/C153180895","wikidata":"https://www.wikidata.org/wiki/Q7148389","display_name":"Pattern recognition (psychology)","level":2,"score":0.33480000495910645},{"id":"https://openalex.org/C50644808","wikidata":"https://www.wikidata.org/wiki/Q192776","display_name":"Artificial neural network","level":2,"score":0.3084999918937683},{"id":"https://openalex.org/C125411270","wikidata":"https://www.wikidata.org/wiki/Q18653","display_name":"Encoding (memory)","level":2,"score":0.30000001192092896},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.29840001463890076},{"id":"https://openalex.org/C137822555","wikidata":"https://www.wikidata.org/wiki/Q2587068","display_name":"Information sensitivity","level":2,"score":0.2806999981403351}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1109/ojcoms.2026.3667851","is_oa":true,"landing_page_url":"https://doi.org/10.1109/ojcoms.2026.3667851","pdf_url":null,"source":{"id":"https://openalex.org/S4210202420","display_name":"IEEE Open Journal of the Communications Society","issn_l":"2644-125X","issn":["2644-125X"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310316002","host_organization_name":"IEEE Communications Society","host_organization_lineage":["https://openalex.org/P4310316002","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Communications Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Open Journal of the Communications Society","raw_type":"journal-article"},{"id":"pmh:oai:doaj.org/article:93fd3d2953c2471da5ad53356bb189f8","is_oa":true,"landing_page_url":"https://doaj.org/article/93fd3d2953c2471da5ad53356bb189f8","pdf_url":null,"source":{"id":"https://openalex.org/S112646816","display_name":"SHILAP Revista de lepidopterolog\u00eda","issn_l":"0300-5267","issn":["0300-5267","2340-4078"],"is_oa":true,"is_in_doaj":true,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"IEEE Open Journal of the Communications Society, Vol 7, Pp 2385-2399 (2026)","raw_type":"article"}],"best_oa_location":{"id":"doi:10.1109/ojcoms.2026.3667851","is_oa":true,"landing_page_url":"https://doi.org/10.1109/ojcoms.2026.3667851","pdf_url":null,"source":{"id":"https://openalex.org/S4210202420","display_name":"IEEE Open Journal of the Communications Society","issn_l":"2644-125X","issn":["2644-125X"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310316002","host_organization_name":"IEEE Communications Society","host_organization_lineage":["https://openalex.org/P4310316002","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Communications Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Open Journal of the Communications Society","raw_type":"journal-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Obfuscated":[0],"and":[1,14,22,71,82,88,98,121,144,153],"fileless":[2],"malware":[3,93,156],"families":[4],"evade":[5],"traditional":[6,129],"detection":[7,27,94,124,157],"systems":[8,158],"by":[9,49],"residing":[10],"exclusively":[11],"in":[12,113,139],"memory":[13,64,114,140],"employing":[15],"stealthy":[16],"techniques":[17],"such":[18],"as":[19],"process":[20],"injection":[21],"encrypted":[23],"communication.":[24],"Although":[25],"memory-based":[26,155],"methods":[28],"have":[29],"demonstrated":[30],"strong":[31],"performance":[32,125],"using":[33,95],"host-based":[34],"features":[35],"alone,":[36],"the":[37,51,149],"contribution":[38,91],"of":[39,61,80,151,160],"network-level":[40],"information":[41],"remains":[42],"underexplored.":[43],"This":[44],"study":[45],"addresses":[46],"this":[47],"gap":[48],"leveraging":[50],"recently":[52],"released":[53],"WinMal25":[54],"dataset,":[55],"which":[56],"comprises":[57],"approximately":[58],"2":[59],"TB":[60],"ground-truth":[62],"Windows":[63],"dumps":[65],"collected":[66],"under":[67,101,162],"realistic":[68],"benign":[69],"activity":[70],"obfuscated":[72],"malicious":[73],"execution.":[74],"We":[75],"extract":[76],"a":[77,142],"small":[78],"set":[79],"socket-":[81],"connection-level":[83],"variables":[84],"directly":[85],"from":[86],"RAM":[87],"evaluate":[89],"their":[90,119],"to":[92],"Random":[96],"Forest":[97],"XGBoost":[99],"classifiers":[100],"multiple":[102],"feature":[103],"configurations.":[104],"The":[105],"experimental":[106],"results":[107],"show":[108],"that":[109,135],"network-related":[110],"structures":[111,137],"preserved":[112,138],"are":[115],"highly":[116],"discriminative":[117],"on":[118],"own":[120],"further":[122],"enhance":[123],"when":[126],"combined":[127],"with":[128],"system-level":[130],"features.":[131],"These":[132],"findings":[133],"demonstrate":[134],"communication-related":[136],"constitute":[141],"robust":[143],"complementary":[145],"forensic":[146],"signal,":[147],"supporting":[148],"development":[150],"interpretable":[152],"generalizable":[154],"capable":[159],"operating":[161],"heavy":[163],"obfuscation.":[164]},"counts_by_year":[],"updated_date":"2026-03-27T05:58:40.876381","created_date":"2026-02-26T00:00:00"}