Computer science
Malware
Documentation
Application programming interface
Malware analysis
Graph
Artificial intelligence
Operating system
Theoretical computer science
Authors
Pengbin Feng, Le Gai, Li Yang, Qin Wang, Teng Li, Ning Xi, Jianfeng Ma
Identifier
DOI:10.1016/j.cose.2024.103788
Abstract
Application Program Interface (API) calls are widely used in dynamic Windows malware analysis to characterize the run-time behavior of malware. Researchers have proposed various approaches to mine semantic information from API calls to improve the performance of malware analysis. However, with increasingly sophisticated malware, the exploration of new semantic dimensions for API calls is never-ending. In this paper, we find that the official Windows API documentation is an unexplored information source in malware detection. Therefore, we propose a novel documentation-augmented Windows malware detection framework DawnGNN using the pre-trained semantic enhanced mechanism and graph neural network. First, it converts the API sequences into API graphs for further contextual information extraction. Next, we crawl API documentation from the official website and employ the pre-trained Bidirectional Encoder Representations from Transformers (BERT) model to encode functionality descriptions as API embeddings. Finally, it feeds the API graphs with API node attributes into the Graph Attention Network (GAT) classifier to perform Windows malware detection. Moreover, we verify the effectiveness of DawnGNN on three public datasets. Experimental results demonstrate the effectiveness of DawnGNN. Semantic information from the official API documentation is promising in the Windows malware detection domain.