Malware Detection Based on Deep Learning of Behavior Graphs

Xiao, Fei; Lin, Zhouchen; Sun, Yi; Ma, Yan

doi:10.1155/2019/8195395

Cited by 84 publications

(50 citation statements)

References 39 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…e value [27] API call sequence Simple, vulnerable to reorder or irrelevant API calls Lee et al [28] API call sequence Hansen et al [29] API call sequence; arguments; frequency Amin [30,31] Opcode End-to-end learning D'Angelo et al [32] API call sequence-based image Park et al [34] Behavioral graph High dimensional features can bring more calculations Elhadi et al [11] API call graph Nikolopoulos and Polenakis [35] System call dependency graph Fredrikson et al [37] Optimally discriminative specification Simplified representation of behavior graphs Alam et al [40] Control flow graph-based feature Ding et al [41] API dependency graph 4 Mathematical Problems in Engineering 0x0000044c of Handle is used to connect the RegQuer-yValue on line 2. e details of API call graph construction are described in our previous work [43]. It is necessary to extract crucial behaviors from the API call graph for malware classification.…”

Section: Malware Classification Systemmentioning

confidence: 99%

A Novel Malware Classification Method Based on Crucial Behavior

Xiao

Sun

et al. 2020

Mathematical Problems in Engineering

Self Cite

View full text Add to dashboard Cite

Recently, some graph-based methods have been proposed for malware detection. However, current malware is generally characterized by sophisticated behaviors, which makes graph-based malware detection extremely challenging. To address this issue, we propose a graph repartition algorithm by transforming API call graphs into fragment behaviors based on programs’ dynamic execution traces. The proposed algorithm relies on the N-order subgraph (NSG) for constructing the appropriate fragment behavior. Moreover, we improve the term frequency-inverse document frequency- (TF-IDF-) like measure and information gain (IG) to extract the crucial N-order subgraph (CNSG). This novel behavioral representation and improved extraction method can accurately represent crucial behaviors of malware. Experiments on 4,400 samples demonstrate that the proposed method achieves a high accuracy of 99.75% in malware detection and promising performance of 95.27% in malware classification.

show abstract

Section: Malware Classification Systemmentioning

confidence: 99%

A Novel Malware Classification Method Based on Crucial Behavior

Xiao

Sun

et al. 2020

Mathematical Problems in Engineering

Self Cite

View full text Add to dashboard Cite

show abstract

“…In [14], the authors construct behavior graphs to provide efficient information of malware behaviors using extracted API calls. e high-level features of the behavior graphs are then extracted using a neural network-Stacked AutoEncoders.…”

Section: Related Workmentioning

confidence: 99%

“…e CNN model is very effective for learning image features and is very effective for learning data with local features. SVM is a classic traditional machine learning model, but its learning ability is weaker than deep learning models such as Input: sample, length (the length of sample), N (the length of the window), M (threshold for voting), C (a set of all trained model for classification) Output: set (store all API slices to be cut) (1) function SplitWindow (sample, length, N) (2) initial place in the beginning of the sample (3) repeat (4) split the sample with the solid window (5) move the window with a step 1 (6) until move to the end of sample (7) move all API slices into set (8) Remove duplicates (9) return set (10) end function (11) Input: set (generated by Call SplitWindow ()), M (threshold for voting), C (a set of all trained model for classification) Output: category (normal or malicious) (12) function DECISION MAKING (set, m, C) (13) for each s ∈ set do (14) for each f ∈ C do (15) p � f(s) (16) if p > 0.5 then (17) s is belong to normal slice (18) else (19) s is belong to malicious slice (20) end if (21) record the result for s (22) end for (23) end for (24) number � account(s malicious ) (25) total � account(s all ) (26) if number/total > m then (27) return malicious (28) else (29) return normal (30) ALGORITHM 1: Classifying an unknown sample. Security and Communication Networks LSTM and CNN.…”

Section: Ntcreatemut Ant Ntcreatesectionmentioning

confidence: 99%

An API Semantics-Aware Malware Detection Method Based on Deep Learning

Guo

Bai

et al. 2019

Security and Communication Networks

View full text Add to dashboard Cite

The explosive growth of malware variants poses a continuously and deeply evolving challenge to information security. Traditional malware detection methods require a lot of manpower. However, machine learning has played an important role on malware classification and detection, and it is easily spoofed by malware disguising to be benign software by employing self-protection techniques, which leads to poor performance for existing techniques based on the machine learning method. In this paper, we analyze the local maliciousness about malware and implement an anti-interference detection framework based on API fragments, which uses the LSTM model to classify API fragments and employs ensemble learning to determine the final result of the entire API sequence. We present our experimental results on Ali-Tianchi contest API databases. By comparing with the experiments of some common methods, it is proved that our method based on local maliciousness has better performance, which is a higher accuracy rate of 0.9734.

show abstract

“…However, previous studies ignored the diversity of network function resource requirements and the heterogeneity of actual server resource configuration, which can easily result in resource fragmentation and hence low resource utilization [6,12]. Deep learning is a branch of machine learning that attempts to learn high-level features directly from the original data [18]. Inspired by the successful use of deep learning on traffic flow [19], in this paper, we use long short-term memory recurrent neural network (LSTM RNN) to predict the customer service chain requests and the size of the flow in the NFV network.…”

Section: Introductionmentioning

confidence: 99%

Proactive VNF Scaling with Heterogeneous Cloud Resources: Fusing Long Short-Term Memory Prediction and Cooperative Allocation

2020

Mathematical Problems in Engineering

View full text Add to dashboard Cite

Network function virtualization (NFV) is designed to implement network functions by software that replaces proprietary hardware devices in traditional networks. In response to the growing demand of resource-intensive services, for NFV cloud service providers, software-oriented network functions face a number of challenges, such as dynamic deployment of virtual network functions and efficient allocation of multiple resources. This study aims at the dynamic allocation and adjustment of network multiresources and multitype flows for NFV. First, to seek a proactive approach to provision new instances for overloaded VNFs ahead of time, a model called long short-term memory recurrent neural network (LSTM RNN) is proposed to estimate flows in this paper. Then, based on the estimated flow, a cooperative and complementary resource allocation algorithm is designed to reduce resource fragmentation and improve the utilization. The final results demonstrate the advantage of the LSTM model on predicting the network function flow requirements, and our algorithm achieves good results and performance improvement in dynamically expanding network functions and improving resource utilization.

show abstract

Malware Detection Based on Deep Learning of Behavior Graphs

Cited by 84 publications

References 39 publications

A Novel Malware Classification Method Based on Crucial Behavior

A Novel Malware Classification Method Based on Crucial Behavior

An API Semantics-Aware Malware Detection Method Based on Deep Learning

Proactive VNF Scaling with Heterogeneous Cloud Resources: Fusing Long Short-Term Memory Prediction and Cooperative Allocation

Contact Info

Product

Resources

About