MalDMTP: A Multi-tier Pooling Method for Malware Detection based on Graph Classification
Authors: Liang Kou, Cheng Qiu, Meiyu Wang, Hua Liu, Yan Du, Jilin Zhang
Journal: Mobile Networks and Applications (journal article), published 2024-04-26
DOI: 10.1007/s11036-024-02318-8 (https://doi.org/10.1007/s11036-024-02318-8)
Record source: Semantic Scholar (not open access)
Citations: 0
Abstract
With the development and adoption of cloud platforms in various fields, malware attacks have become a serious threat to the Internet cloud ecosystem. However, the pooling process of existing graph classification techniques for malware variant detection uses only a serial, single strategy, so localized malicious behaviors of malware may be overlooked. In this paper, we propose MalDMTP, a malware detection framework based on multilevel graph classification learning, which runs the graph pooling process for malware classification in parallel and performs graph instance-based discrimination. In particular, MalDMTP first constructs an API call graph from the results of dynamic execution of the malware. Then it combines multiple graph neural network learning strategies through multi-level pooling to learn the global importance of nodes in the pooled graph and to extract node representations from multiple perspectives for heterogeneous graphs. After that, MalDMTP aggregates these node representations into a graph representation with the graph-level pooling function GMT, which is based on a multi-head attention mechanism; the graph representation is passed through a classifier to obtain the malware prediction label. Experimental results show that the proposed MalDMTP achieves 96.53% accuracy on the Alibaba cloud malware dataset, an improvement of 1.9% to 7.6% over the previous single-graph pooling methods on the graph classification task of malware detection.