Malware detection with dynamic evolving graph convolutional networks

Abstract

Malware detection is a vital task for cybersecurity. For malware dynamic behavior, threats come from a small number of Application Programming Interfaces (APIs) embedded in the API sequences, which are easily ignored or obfuscated in the detection process. Prior works proposed graph-based learning methods to solve this problem using API-level behavior relations. However, the malware detection is still challenging, due to the ignore of the temporal correlation between malicious behaviors. In this study, we model the software behaviors with multiscaled API graph sequences to represent API-level behaviors as well as graph-level temporal behavior correlations. We then propose a novel Dynamic Evolving Graph Convolutional Network (DEGCN) model to capture dynamic evolving pattern of both local API-level and global graph-level software behaviors. In particular, we first extract the API-level (node) representations to capture the directed graph representations for each time slot. We then propose a Graph-encoding-based Gate Recurrent Unit (GGRU) network to capture the graph-level evolving features and their evolving status. The graph features of different time slots and different graph scales are concatenated to detect whether the software is benign or malicious. Our evaluation with two public benchmarks reports that DEGCN achieves the best performance compared with state-of-the-art algorithms.