Bo Zhou,Hai Huang,Jun Xia,Donghai Tian

DOI: https://doi.org/10.1007/s11227-023-05556-x

IF: 3.3

2023-08-21

The Journal of Supercomputing

Abstract:Malware is becoming increasingly prevalent in recent years with the widespread deployment of the information system. Many malicious programs pose a great threat to information systems. In the past decade, various malware detection methods are proposed. Particularly, many studies rely on API features for identifying malware. However, the existing methods do not fully make use of the API features. To address these issues, we propose APInspector, a novel dynamic malware detection solution by carefully inspecting API invocations. This method first leverages a dynamic instrumentation tool to hook the target program for collecting the API sequence and argument features. Then, it exploits a HAN (Hierarchical Attention Network) model to analyze the API sequence features. For analyzing the API argument features, we apply an MLP (Multi-Layer Perceptron) model. To fully leverage the API sequence and argument features, we propose a hybrid model, which combines the HAN and MLP models. The evaluation shows that our approach can detect and classify malware effectively and it outperforms the single models.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Ce Li,Qiujian Lv,Ning Li,Yan Wang,Degang Sun,Yuanyuan Qiao

DOI: https://doi.org/10.1016/j.cose.2022.102686

2022-05-01

Abstract:Dynamic malware detection executes the software in a secured virtual environment and monitors its run-time behavior. This technique widely uses API sequence analysis to identify whether the running software is malicious or not. However, existing solutions typically only consider the API name or frequency of API usage, and the feature mining of API sequence is not sufficient, which leads some malware to escape from being detected. In this paper, we propose a novel malware detection framework using deep learning models to capture and combine more meaningful features which are called intrinsic features of the API sequence. Specifically, we first apply embedding and convolutional layers to conduct a joint representation of multiple APIs to represent the software behavior. Secondly, we use the category, action, and operation object of the API to represent the semantic information of each API call. Finally, we use the Bi-LSTM module to mine the relationship information between APIs. Our proposed model achieves an accuracy of 0.9731 and an F1-score of 0.9724 on a large real dataset, which outperforms baselines significantly. We also conduct ablation studies to prove the effectiveness of our intrinsic features.

computer science, information systems

Ce Li,Zijun Cheng,He Zhu,Leiqi Wang,Qiujian Lv,Yan Wang,Ning Li,Degang Sun

DOI: https://doi.org/10.1016/j.cose.2022.102872

2022-11-01

Abstract:Application Programming Interfaces (APIs) are widely considered a useful data source for dynamic malware analysis to understand the behavioral characteristics of malware. However, the accuracy of API-based malware analysis is limited for two reasons. (1) Existing solutions often only consider the API names while ignoring the API arguments, or cannot fully exploit the semantic information from different types of arguments. (2) The relationship between API calls is important to describe the software behavior but is difficult to capture. To overcome the above limitations, we propose DMalNet, a novel malware analysis framework for accurate malware detection and classification. Specifically, we first present a hybrid feature encoder to extract semantic features from API names and arguments. Then, we derive an API call graph from the API call sequence to convert the relationship between API calls into the structural information of the graph. Finally, we design a graph neural network to implement the malware detection and type classification. To evaluate our approach, we use datasets of over 20k benign and 18k malicious samples belonging to 8 malware types. DMalNet achieves 98.43% and 91.42% accuracy on malware detection and malware type classification, respectively. We also conduct ablation studies to assess the impact of API feature engineering and the graph learning model. Further experiments show that DMalNet can effectively detect malware.

computer science, information systems

Zhangjie Zhao,Lin Zhang,Xing Zhang,Ying Wang,Yi Qin

DOI: https://doi.org/10.1007/978-981-19-8285-9_7

2022-01-01

Abstract:The Application Program Interface (API) plays an important role as the channel for data interaction between programs, while the widespread use of APIs has brought security risks that cannot be ignored. The adversary can perform various Web attacks, including SQL Injection and Cross-Site Scripting (XSS), by tampering with the parameters of API. Efficient detection of parameter tampering attacks for API is critical to ensure the system is running in the expected condition, further avoiding data leakage and property loss. Previous works always utilize the rule-based method or simple learning-based method to detect parameter tampering attacks. However, they ignore the contextual information of the API tokens and thus have a poor performance. In this paper, we propose the Context-based Malicious Parameter Detection (CMPD) framework to detect the parameter tampering attacks for APIs. We use a neural network language model to learn the distribution of the parameters, parameter names, and URLs and then use a tree model to detect the malicious query based on the high dimensional API embedding. Experiments show that CMPD outperforms all baseline, including rule-based method, Support Vector Machine (SVM), and Autoencoder, on CSIC 2010 dataset with F-1 value reaching 0.971. CMPD can also achieve a 0.895 F-1 value when training data is reduced to 20% and can achieve a 0.910 F-1 value when negative examples are reduced to 1%.

Tianshi Mu,Huajun Chen,Jinran Du,Aidong Xu

DOI: https://doi.org/10.1109/imcec46724.2019.8983860

2019-01-01

Abstract:With the in-depth development of the Internet industry, the mobile Internet has been effectively integrated into daily work. However, Android has many extremely serious security issues. In our work, we apply text classification technology to the detection of Android malware, based on the deep learning. We extract the Android malware API sequence based on the Cuckoo sandbox, and use the text processing technology to solve the detection problem of Android malware. To evaluating the performance of our system, we compared it with Dalvik based on the Bi-LSTM. The accuracy of API extraction method using Cuckoo is higher than Dalvik, reaching the accuracy of 96.74%. To further verify the effects of different models, we compared it with GRU, BGRU and LSTM using Cuckoo Sandbox as API extraction method. The result demonstrate the Bi-LSTM has the highest accuracy.

Liping Qian,Lin Cong

DOI: https://doi.org/10.3390/s24020580

IF: 3.9

2024-01-18

Sensors

Abstract:Malicious software (malware), in various forms and variants, continues to pose significant threats to user information security. Researchers have identified the effectiveness of utilizing API call sequences to identify malware. However, the evasion techniques employed by malware, such as obfuscation and complex API call sequences, challenge existing detection methods. This research addresses this issue by introducing CAFTrans, a novel transformer-based model for malware detection. We enhance the traditional transformer encoder with a one-dimensional channel attention module (1D-CAM) to improve the correlation between API call vector features, thereby enhancing feature embedding. A word frequency reinforcement module is also implemented to refine API features by preserving low-frequency API features. To capture subtle relationships between APIs and achieve more accurate identification of features for different types of malware, we leverage convolutional neural networks (CNNs) and long short-term memory (LSTM) networks. Experimental results demonstrate the effectiveness of CAFTrans, achieving state-of-the-art performance on the mal-api-2019 dataset with an F1 score of 0.65252 and an AUC of 0.8913. The findings suggest that CAFTrans improves accuracy in distinguishing between various types of malware and exhibits enhanced recognition capabilities for unknown samples and adversarial attacks.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Xingyuan Wei,Ce Li,Qiujian Lv,Ning Li,Degang Sun,Yan Wang

2024-08-03

Abstract:In dynamic Windows malware detection, deep learning models are extensively deployed to analyze API sequences. Methods based on API sequences play a crucial role in malware prevention. However, due to the continuous updates of APIs and the changes in API sequence calls leading to the constant evolution of malware variants, the detection capability of API sequence-based malware detection models significantly diminishes over time. We observe that the API sequences of malware samples before and after evolution usually have similar malicious semantics. Specifically, compared to the original samples, evolved malware samples often use the API sequences of the pre-evolution samples to achieve similar malicious behaviors. For instance, they access similar sensitive system resources and extend new malicious functions based on the original functionalities. In this paper, we propose a frame(MME), a framework that can enhance existing API sequence-based malware detectors and mitigate the adverse effects of malware evolution. To help detection models capture the similar semantics of these post-evolution API sequences, our framework represents API sequences using API knowledge graphs and system resource encodings and applies contrastive learning to enhance the model's encoder. Results indicate that, compared to Regular Text-CNN, our framework can significantly reduce the false positive rate by 13.10% and improve the F1-Score by 8.47% on five years of data, achieving the best experimental results. Additionally, evaluations show that our framework can save on the human costs required for model maintenance. We only need 1% of the budget per month to reduce the false positive rate by 11.16% and improve the F1-Score by 6.44%.

Cryptography and Security

Chao Jing,Chaoyuan Cui,Yun Wu

DOI: https://doi.org/10.1109/tifs.2024.3407655

IF: 7.231

2024-06-14

IEEE Transactions on Information Forensics and Security

Abstract:API call sequence-based approaches are proven to have significant superiority in malware detection but generally overlook or evade two core issues: ( ) ignoring parameters and return values that contain more fine-grained security semantic sensitive information (SSSI) and ( ) handling lengthy API call sequences roughly, causing the poor interpretability and incompleteness of program behavior semantics. To effectively overcome these issues, we propose SIa-CBc, a sensitive intent-assisted and crucial behavior-cognized malware detection method leveraging human brain cognitive theory, which consists of two key modules. ( ) SIa divides the vast and heterogeneous SSSI space into a few categories, meanwhile representing the sensitive intents to assist API calls. ( ) CBc extracts crucial snippets from lengthy API call sequences via judgment and multi-step reasoning and further obtains their representations. The embedding representations from the previous two modules are concatenated as the input of ten representative baseline networks. Our experimental results indicate that SIa-CBc achieves an enhancement in malware detection accuracy ranging from 14.08% to 28.01%, reduces the average detection time per sample by 0.28 to 16.29 ms, and improves the defense against adversarial sample attacks by 4.86% to 55.04%. Moreover, SIa-CBc demonstrates outstanding performance compared to recent methods, not only limited to detection but also encompassing enhanced resilience to intricate adversarial tactics, thereby ensuring reliable protection without the need for frequent re-training. This underscores the model's innovative approach in leveraging human brain cognitive theory-based techniques for heightened security efficacy.

computer science, theory & methods,engineering, electrical & electronic

Sanfeng Zhang,Jiahao Wu,Mengzhe Zhang,Wang Yang

DOI: https://doi.org/10.3390/app13116526

2023-05-26

Applied Sciences

Abstract:The existing dynamic malware detection methods based on API call sequences ignore the semantic information of functions. Simply mapping API to numerical values does not reflect whether a function has performed a query or modification operation, whether it is related to network communication, the file system, or other factors. Additionally, the detection performance is limited when the size of the API call sequence is too large. To address this issue, we propose Mal-ASSF, a novel malware detection model that fuses the semantic and sequence features of the API calls. The API2Vec embedding method is used to obtain the dimensionality reduction representation of the API function. To capture the behavioral features of sequential segments, Balts is used to extract the features. To leverage the implicit semantic information of the API functions, the operation and the type of resource operated by the API functions are extracted. These semantic and sequential features are then fused and processed by the attention-related modules. In comparison with the existing methods, Mal-ASSF boasts superior capabilities in terms of semantic representation and recognition of critical sequences within API call sequences. According to the evaluation with a dataset of malware families, the experimental results show that Mal-ASSF outperforms existing solutions by 3% to 5% in detection accuracy.

materials science, multidisciplinary,engineering,chemistry,physics, applied

Xiaohui Chen,Zhiyu Hao,Lun Li,Lei Cui,Yiran Zhu,Zhenquan Ding,Yongji Liu

DOI: https://doi.org/10.1109/tifs.2022.3152360

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Learning on execution behaviour, i.e., sequences of API calls, is proven to be effective in malware detection. In this paper, we present CruParamer, a deep neural network based malware detection approach for Windows platform that performs learning on sequences of parameter-augmented APIs. It first employs rule-based and clustering-based classification to assess the sensitivity of a parameter to malicious behaviour, and further labels the API following the run-time parameters with varying degrees of sensitivities. Then, it encodes the APIs by concatenating the native embedding and the sensitive embedding of labelled APIs, for characterizing the relationship between successive labelled APIs and their correspondence in terms of security semantics. Finally, it feeds the sequences of API embedding into the deep neural network for training a binary classifier to detect malware. In addition to presenting the design, we have implemented CruParamer and evaluated it on two datasets. The results demonstrate that CruParamer outperforms naïve models when taking raw APIs as input, proving the effectiveness of CruParamer. Moreover, we have evaluated the impact of mimicry and adversarial attacks on our model, and the results verify the robustness of CruParamer.

computer science, theory & methods,engineering, electrical & electronic

Youngjoon Ki,Eunjin Kim,Huy Kang Kim

DOI: https://doi.org/10.1155/2015/659101

IF: 1.938

2015-06-01

International Journal of Distributed Sensor Networks

Abstract:In the era of ubiquitous sensors and smart devices, detecting malware is becoming an endless battle between ever-evolving malware and antivirus programs that need to process ever-increasing security related data. For malware detection, various approaches have been proposed. Among them, dynamic analysis is known to be effective in terms of providing behavioral information. As malware authors increasingly use obfuscation techniques, it becomes more important to monitor how malware behaves for its detection. In this paper, we propose a novel approach for dynamic analysis of malware. We adopt DNA sequence alignment algorithms and extract common API call sequence patterns of malicious function from malware in different categories. We find that certain malicious functions are commonly included in malware even in different categories. From checking the existence of certain functions or API call sequence patterns matched, we can even detect new unknown malware. The result of our experiment shows high enough F-measure and accuracy. API call sequence can be extracted from most of the modern devices; therefore, we believe that our method can detect the malware for all types of the ubiquitous devices.

computer science, information systems,telecommunications

Slaviša Ilić,Milan Gnjatović,Ivan Tot,Boriša Jovanović,Nemanja Maček,Marijana Gavrilović Božović

DOI: https://doi.org/10.3390/electronics13173553

IF: 2.9

2024-09-07

Electronics

Abstract:Automated sandbox-based analysis systems are dominantly focused on sequences of API calls, which are widely acknowledged as discriminative and easily extracted features. In this paper, we argue that an extension of the feature set beyond API calls may improve the malware detection performance. For this purpose, we apply the Cuckoo open-source sandbox system, carefully configured for the production of a novel dataset for dynamic malware analysis containing 22,200 annotated samples (11,735 benign and 10,465 malware). Each sample represents a full-featured report generated by the Cuckoo sandbox when a corresponding binary file is submitted for analysis. To support our position that the discriminative power of the full-featured sandbox reports is greater than the discriminative power of just API call sequences, we consider samples obtained from binary files whose execution induced API calls. In addition, we derive an additional dataset from samples in the full-featured dataset, whose samples contain only information on API calls. In a three-way factorial design experiment (considering the feature set, the feature representation technique, and the random forest model hyperparameter settings), we trained and tested a set of random forest models in a two-class classification task. The obtained results demonstrate that resorting to full-featured sandbox reports improves malware detection performance. The accuracy of 95.56 percent obtained for API call sequences was increased to 99.74 percent when full-featured sandbox reports were considered.

engineering, electrical & electronic,computer science, information systems,physics, applied

Dima Rabadi,Sin G. Teo

DOI: https://doi.org/10.1145/3427228.3427242

2020-12-07

Abstract:Application Programming Interfaces (APIs) are still considered the standard accessible data source and core wok of the most widely adopted malware detection and classification techniques. API-based malware detectors highly rely on measuring API’s statistical features, such as calculating the frequency counter of calling specific API calls or finding their malicious sequence pattern (i.e., signature-based detectors). Using simple hooking tools, malware authors would help in failing such detectors by interrupting the sequence and shuffling the API calls or deleting/inserting irrelevant calls (i.e., changing the frequency counter). Moreover, relying on API calls (e.g., function names) alone without taking into account their function parameters is insufficient to understand the purpose of the program. For example, the same API call (e.g., writing on a file) would act in two ways if two different arguments are passed (e.g., writing on a system versus user file). However, because of the heterogeneous nature of API arguments, most of the available API-based malicious behavior detectors would consider only the API calls without taking into account their argument information (e.g., function parameters). Alternatively, other detectors try considering the API arguments in their techniques, but they acquire having proficient knowledge about the API arguments or powerful processors to extract them. Such requirements demand a prohibitive cost and complex operations to deal with the arguments. To overcome the above limitations, with the help of machine learning and without any expert knowledge of the arguments, we propose a light-weight API-based dynamic feature extraction technique, and we use it to implement a malware detection and type classification approach. To evaluate our approach, we use reasonable datasets of 7774 benign and 7105 malicious samples belonging to ten distinct malware types. Experimental results show that our type classification module could achieve an accuracy of , where our malware detection module could reach an accuracy of over , and outperforms many state-of-the-art API-based malware detectors.

Wanyu Li,Hailiang Tang,Hailin Zhu,Wenxiao Zhang,Chen Liu

DOI: https://doi.org/10.1016/j.cose.2024.103752

IF: 5.105

2024-02-14

Computers & Security

Abstract:The cyber ecosystem is facing severe threats from malware attacks, making it imperative to detect malware to safeguard a purified Internet environment. However, current studies primarily concentrate on examining the time-based correlation between APIs for malware detection while neglecting the contextual associations derived from API categories, resulting in inadequate detection performance. In this paper, we present TS-Mal, a novel Mal ware detection model incorporated T emporal and S tructural features learning. Particularly, TS-Mal first designs a temporal vector learning method to automatically capture the evolving representation from the non-repetitive API sequences, which can efficiently pursue the attack preferences of malware. Then TS-Mal introduces heterogeneous graphs to model the interactive relationships between APIs and presents a dense-interactive structural embedding approach to generate the fine-grained API structural representation, which is capable of utilizing API category interaction information to boost detection effectiveness. Finally, TS-Mal simultaneously integrates temporal and structural attack features to accurately identify the unknown malware, effectively defending against new malware attacks. Experimental results on real-world datasets demonstrate that our proposed TS-Mal model outperforms existing state-of-the-art methods.

computer science, information systems

Eslam Amer,Ivan Zelinka

DOI: https://doi.org/10.1016/j.cose.2020.101760

2020-05-01

Abstract:Malware API call graph derived from API call sequences is considered as a representative technique to understand the malware behavioral characteristics. However, it is troublesome in practice to build a behavioral graph for each malware. To resolve this issue, we examine how to generate a simple behavioral graph that characterizes malware. In this paper, we introduce the use of word embedding to understand the contextual relationship that exists between API functions in malware call sequences. We also propose a method that segregating individual functions that have similar contextual traits into clusters. Our experimental results prove that there is a significant distinction between malware and goodware call sequences. Based on this distinction, we introduce a new method to detect and predict malware based on the Markov chain. Through modeling the behavior of malware and goodware API call sequences, we generate a semantic transition matrix which depicts the actual relation between API functions. Our models return an average detection precision of 0.990, with a false positive rate of 0.010. We also propose a prediction methodology that predicts whether an API call sequence is malicious or not from the initial API calling functions. Our model returns an average accuracy for the prediction of 0.997. Therefore, we propose an approach that can block malicious payloads instead of detecting them after their post-execution and avoid repairing the damage.

computer science, information systems

Zhaoxuan Li,Ziming Zhao,Rui Zhang,Haoyang Lu,Wenhao Li,Fan Zhang,Siqi Lu,Rui Xue

DOI: https://doi.org/10.1016/j.comnet.2024.110563

IF: 5.493

2024-01-01

Computer Networks

Abstract:The continuous emergence of malware has threatened to the Android platform and user privacy. With the evolution of the Android system and malware, it is challenging to design a method that can accurately identify the categories of sophisticated malware, including known and unknown families, as well as their obfuscated variants, given that they may be newly emerging and lack available detection knowledge. Although some methods try to use anomaly detection and zero-shot technology to identify unseen applications, they are limited to binary classification or lack the robustness, stability, universality, and interpretability in multi-class identification. To this end, we first propose a generic meta-features mining algorithm, which can discover the potential relationships between samples belonging to the same category. Then we present metaNet, a novel method leveraging meta-features to identify sophisticated Android malware. Specifically, metaNet is mainly powered by four components: (i) mExtractor is a feature collector to obtain the static and dynamic features. (ii) mProcessor is taking unique meta-features of each category from extracted features. (iii) mLearner is a machine learning suite that leverages features and meta-features to design and train a classifier called HSU-Net. (iv) mEnforcer is a flexible deployer that identifies categories of malware families in the real world. We implement a prototype of metaNet with 15K lines of Python code and compare it with state-of-the-art (SOTA) methods. The results show that it can not only achieve superior performance in terms of known families (99.52% of accuracy) and unknown families (99.31% of accuracy trained with 80% known families) for binary classification, but also perform well in multi-class identification, i.e., 99.05% and 93.45% of accuracy for known and unknown families, respectively. Furthermore, we deploy and evaluate metaNet in the real world. It can identify applications over an acceptable time and memory overheads, i.e., average of 11.8s and 56MB per sample with a size of 8MB. Also, the few-shot detection and feature perturbation experiments reflect its robustness and stability benefiting from meta-features. Finally, we collect the traffic of 112 decentralized applications (DApps) belonging to 16 categories, such as finance and health, and evaluated metaNet in DApp identification. The results illustrate its applicability across various tasks. That is, it can accurately classify 94.6% and 81.36% of DApp flows in all-known and 80%-known DApp scenarios, respectively, outperforming the SOTA methods.

Pei Yan,Shunquan Tan,Miaohui Wang,Jiwu Huang

DOI: https://doi.org/10.1109/lsp.2024.3475354

2024-10-19

IEEE Signal Processing Letters

Abstract:Malware detection is an effective way to prevent the intrusion of malware into computer systems, and the API-based dynamic analysis method can effectively detect obfuscated and packaged malware. However, existing methods still suffer from limited detection accuracy and weak generalization. To address this issue, this paper presents a gradient attack-based malware dynamic analysis method. Through exerting adversarial noise into the embedding layer, the malware detection model can learn more robust representations of API sequences during training, achieving broader coverage of sample representations. The strategy of normalizing attack noise and recovering attacked representation is designed, which controls the strength of the gradient attack within a reasonable range and prevents a negative impact on the model's detection performance. The proposed method can be applied to existing API-based malware detection models to enhance their detection performance, indicating the strong generality of the proposed method. Experimental results on two benchmark datasets (i.e., Aliyun and Catak) demonstrate the effectiveness of the proposed gradient attack method, which further improves the detection performance of the mainstream API-based models, with an average accuracy increase of 2.80% and 3.66% on these two datasets, respectively.

engineering, electrical & electronic

Angelo Cannarile,Vincenzo Dentamaro,Stefano Galantucci,Andrea Iannacone,Donato Impedovo,Giuseppe Pirlo

DOI: https://doi.org/10.3390/app12031645

2022-02-04

Applied Sciences

Abstract:Recognition of malware is critical in cybersecurity as it allows for avoiding execution and the downloading of malware. One of the possible approaches is to analyze the executable’s Application Programming Interface (API) calls, which can be done using tools that work in sandboxes, such as Cuckoo or CAPEv2. This chain of calls can then be used to classify if the considered file is benign or malware. This work aims to compare six modern shallow learning and deep learning techniques based on tabular data, using two datasets of API calls containing malware and goodware, where the corresponding chain of API calls is expressed for each instance. The results show the quality of shallow learning approaches based on tree ensembles, such as CatBoost, both in terms of F1-macro score and Area Under the ROC curve (AUC ROC), and training time, making them optimal for making inferences on Edge AI solutions. The results are then analyzed with the explainable AI SHAP technique, identifying the API calls that most influence the process, i.e., those that are particularly afferent to malware and goodware.

Binayak Panda,Sudhanshu Shekhar Bisoyi,Sidhanta Panigrahy

DOI: https://doi.org/10.7717/peerj-cs.1677

2023-11-14

Abstract:Dependence on the internet and computer programs demonstrates the significance of computer programs in our day-to-day lives. Such demands motivate malware developers to create more malware, both in terms of quantity and variety. Researchers are constantly faced with hurdles while attempting to protect themselves from potential hazards and risks due to malware authors' usage of code obfuscation techniques. Metamorphic and polymorphic variations are easily able to elude the widely utilized signature-based detection procedures. Researchers are more interested in deep learning approaches than machine learning techniques to analyze the behavior of such a vast number of virus variants. Researchers have been drawn to the categorization of malware within itself in addition to the classification of malware against benign programs to examine the behavioral differences between them. In order to investigate the relationship between the application programming interface (API) calls throughout API sequences and classify them, this work uses the one-dimensional convolutional neural network (1D-CNN) model to solve a multiclass classification problem. On API sequences, feature vectors for distinctive APIs are created using the Word2Vec word embedding approach and the skip-gram model. The one-vs.-rest approach is used to train 1D-CNN models to categorize malware, and all of them are then combined with a suggested ModifiedSoftVoting algorithm to improve classification. On the open benchmark dataset Mal-API-2019, the suggested ensembled 1D-CNN architecture captures improved evaluation scores with an accuracy of 0.90, a weighted average F1-score of 0.90, and an AUC score of more than 0.96 for all classes of malware.

Pascal Maniriho,Abdun Naser Mahmood,Mohammad Jabed Morshed Chowdhury

2024-07-18

Abstract:In this work, we propose EarlyMalDetect, a novel approach for early Windows malware detection based on sequences of API calls. Our approach leverages generative transformer models and attention-guided deep recurrent neural networks to accurately identify and detect patterns of malicious behaviors in the early stage of malware execution. By analyzing the sequences of API calls invoked during execution, the proposed approach can classify executable files (programs) as malware or benign by predicting their behaviors based on a few shots (initial API calls) invoked during execution. EarlyMalDetect can predict and reveal what a malware program is going to perform on the target system before it occurs, which can help to stop it before executing its malicious payload and infecting the system. Specifically, EarlyMalDetect relies on a fine-tuned transformer model based on API calls which has the potential to predict the next API call functions to be used by a malware or benign executable program. Our extensive experimental evaluations show that the proposed approach is highly effective in predicting malware behaviors and can be used as a preventive measure against zero-day threats in Windows systems.

Cryptography and Security