Abstract

Dynamic malware analysis that monitors the sequences of API calls a program makes in a sandbox has proven effective against code obfuscation and unknown malware. However, most existing works ignore the run-time parameters by considering only the API names, or lack an effective way to capture the correlations between parameter values and malicious activities. In this paper, we propose CTIMD, a deep-learning-based dynamic malware detection method that integrates threat knowledge from CTIs (Cyber Threat Intelligences) into learning on API call sequences with run-time parameters. It first extracts IOCs (Indicators of Compromise) from CTIs and uses them to assist in identifying the security-sensitive levels of API calls. Then, it embeds the API calls and their associated security-sensitive levels into a unified feature space. Finally, it feeds the resulting feature vector sequences into deep neural networks to train the malware detection model. We conducted experiments on two datasets. The results show that CTIMD significantly outperforms existing methods that rely on raw API call sequences (F1-score improved by 4.0% to 41.3%), and also has an advantage over existing state-of-the-art methods that consider both API calls and run-time parameters (F1-score improved by 1.2% to 6.5%).
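As an added illustration of the first two steps described above (IOC-assisted level assignment and unified embedding), the following Python featurizer is not the paper's code; the IOC set, the API-to-parameter table, the three-level scheme and the sample trace are all constructed assumptions.

```python
# Constructed IOC set: stands in for indicators extracted from CTI reports
# (the CTI extraction step itself is not shown here).
IOCS = {
    "domain": {"update-checker.example"},
    "path": {r"c:\users\public\svchost.exe"},
    "regkey": {r"hkcu\software\microsoft\windows\currentversion\run"},
}

# Assumed table: which kind of run-time parameter each API carries.
# Hand-written for this example; the paper's own API taxonomy is not reproduced.
PARAM_KIND = {
    "Sleep": None,
    "CreateFileW": "path",
    "CreateProcessW": "path",
    "RegSetValueExW": "regkey",
    "InternetConnectA": "domain",
}
VOCAB = {name: i for i, name in enumerate(PARAM_KIND)}

# Assumed security-sensitive levels: 0 = no sensitive parameter,
# 1 = sensitive parameter kind but no IOC match, 2 = parameter matches an IOC.
NUM_LEVELS = 3

def security_level(api, param):
    """Assign a security-sensitive level to one API call from its parameter."""
    kind = PARAM_KIND.get(api)
    if kind is None:
        return 0
    return 2 if param.strip().lower() in IOCS[kind] else 1

def featurize(trace, vocab):
    """Map (api, param) pairs to unified vectors: one-hot API + one-hot level."""
    seq = []
    for api, param in trace:
        api_vec = [0] * len(vocab)
        api_vec[vocab[api]] = 1
        lvl_vec = [0] * NUM_LEVELS
        lvl_vec[security_level(api, param)] = 1
        seq.append(api_vec + lvl_vec)
    return seq

# Constructed sandbox trace: (API name, security-relevant parameter).
SAMPLE_TRACE = [
    ("Sleep", "30000"),
    ("CreateFileW", r"C:\Users\Public\svchost.exe"),
    ("RegSetValueExW", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("InternetConnectA", "update-checker.example"),
    ("CreateProcessW", r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for (api, param), vec in zip(SAMPLE_TRACE, featurize(SAMPLE_TRACE, VOCAB)):
        print(api, security_level(api, param), vec)
```

The resulting per-call vectors are what a sequence model would consume; a name-only featurizer would give the two `CreateProcessW`-style path calls identical vectors, whereas here the IOC match changes the level component.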
