[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-31802":3,"doc-seo-31802":27},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"file_id":15,"file_url":16,"file_type":17,"file_size":18,"view_count":4,"is_deleted":4,"is_public":19,"is_downloadable":19,"audit_status":19,"page_count":20,"language":21,"language_code":22,"table_of_contents":23,"faqs":24,"seo_title":13,"seo_description":14,"update_tm":25,"read_time":26},31802,4398048950312,"Violet","https://ap-avatar.wpscdn.com/avatar/400002538284de19e3c?_k=1778320343897328908",8,"Research & Report","MemInspect Memory Forensics for Investigating Fileless Attacks","Traditional security measures often target malware traces left on disk, while fileless attacks evade detection by operating directly in memory and persisting undetected for long periods. MemInspect is a specialized memory-forensics approach that extracts memory-activity evidence to support investigators. 
It uses virtual address descriptor (VAD) nodes as samples to build 42 features for detecting code injection, script-based attacks, and living-off-the-land techniques, and then applies ensemble learning for accurate classification and localization.","cbCaim4xanlPQ9S6","https://ap.wps.com/l/cbCaim4xanlPQ9S6","pdf",1462541,1,10,"English","en","# Introduction\n## Fileless malware and research background\n## Related memory-forensics approaches\n# Contributions and proposed MemInspect approach\n## Feature extraction using VAD samples","[{\"question\":\"What problem does MemInspect target?\",\"answer\":\"MemInspect targets fileless malware that injects malicious code into main memory without leaving disk traces, making conventional disk-based defenses ineffective.\"},{\"question\":\"How does MemInspect extract evidence from memory?\",\"answer\":\"MemInspect uses virtual address descriptor (VAD) nodes as samples to construct a comprehensive set of 42 memory features for detecting suspicious memory regions.\"},{\"question\":\"Which fileless attack types does MemInspect aim to detect?\",\"answer\":\"It focuses on code injection, script-based attacks, and living-off-the-land attacks, using the extracted features for classification and 
localization.\"}]",1780174843,25,{"code":4,"msg":28,"data":29},"ok",{"site_id":30,"language":22,"slug":31,"title":13,"keywords":32,"description":14,"schema_data":33,"social_meta":84,"head_meta":86,"extra_data":88,"updated_unix":25},105,"meminspect-memory-forensics-for-investigating-fileless-attacks","",{"@graph":34,"@context":83},[35,52,66],{"@type":36,"itemListElement":37},"BreadcrumbList",[38,42,46,49],{"item":39,"name":40,"@type":41,"position":19},"https://docshare.wps.com","Home","ListItem",{"item":43,"name":44,"@type":41,"position":45},"https://docshare.wps.com/document/","Document",2,{"item":47,"name":12,"@type":41,"position":48},"https://docshare.wps.com/document/research-report/",3,{"item":50,"name":13,"@type":41,"position":51},"https://docshare.wps.com/document/meminspect-memory-forensics-for-investigating-fileless-attacks/31802/",4,{"url":50,"name":13,"@type":53,"author":54,"headline":13,"publisher":56,"fileFormat":59,"description":14,"dateModified":60,"datePublished":60,"encodingFormat":59,"isAccessibleForFree":61,"interactionStatistic":62},"DigitalDocument",{"name":9,"@type":55},"Person",{"url":39,"name":57,"@type":58},"DocShare","Organization","application/pdf","2026-05-30",true,{"@type":63,"interactionType":64,"userInteractionCount":4},"InteractionCounter",{"@type":65},"ViewAction",{"@type":67,"mainEntity":68},"FAQPage",[69,75,79],{"name":70,"@type":71,"acceptedAnswer":72},"What problem does MemInspect target?","Question",{"text":73,"@type":74},"MemInspect targets fileless malware that injects malicious code into main memory without leaving disk traces, making conventional disk-based defenses ineffective.","Answer",{"name":76,"@type":71,"acceptedAnswer":77},"How does MemInspect extract evidence from memory?",{"text":78,"@type":74},"MemInspect uses virtual address descriptor (VAD) nodes as samples to construct a comprehensive set of 42 memory features for detecting suspicious memory regions.",{"name":80,"@type":71,"acceptedAnswer":81},"Which fileless 
attack types does MemInspect aim to detect?",{"text":82,"@type":74},"It focuses on code injection, script-based attacks, and living-off-the-land attacks, using the extracted features for classification and localization.","https://schema.org",{"og:url":50,"og:type":85,"og:title":13,"og:site_name":57,"og:description":14},"article",{"robots":87,"canonical":50},"index,follow",{"doc_id":7,"site_id":30}]