MemBERT: Foundation model for memory forensics

MemBERT: Foundation model for memory forensics

연구 분야: Analysis

학회: SAC '25: Proceedings of the 40th ACM/SIGAPP Symposium on Applied Computing

Foundation models have demonstrated significant advancements in natural language processing and computer vision, yet their potential in cybersecurity is unexplored. Current memory forensics tools and machine learning models often need more versatility and adaptability, presenting a crucial research gap. To address this, we introduce MemBERT, a foundation model designed explicitly for memory forensics. MemBERT is trained on extensive process dump data, with and without metadata inclusion, to capture intricate patterns present in main memory. Its potential impact on cybersecurity practices could be significantly similar to the effects of foundation models in natural language processing. We aim to streamline memory forensics by reducing the manual effort and coding traditionally required by cybersecurity practitioners. Through comprehensive experimentation, we demonstrate MemBERT's efficiency in a downstream task of extracting OpenSSH encryption keys and other memory structures from raw process dumps. The results reveal that the robust embeddings generated significantly help identify structures within memory. Additionally, we demonstrate that our model's embeddings can be compressed with minimal loss of accuracy, further highlighting its efficiency. Our findings with MemBERT go beyond just its performance in a specific task. The findings also indicate MemBERT substantially advances memory forensics, providing a versatile and powerful tool for cybersecurity professionals. This research addresses the limitations of the current forensics process model and sets the stage for the broader application of foundation models in the cybersecurity domain. Our results, code and models are available at HuggingFace and https://anonymous.4open.science/r/memBERT-EF87/README.md.